alteon itm training

Post on 23-Feb-2015

Page 1: Alteon ITM Training

Alteon Intelligent Traffic Management

Application Availability, Performance and Security

Nortel Application Switch

> A high performance intelligent LAN Switch

> Performs Layer 4-7 switching to balance, accelerate and secure traffic

> Delivers application Availability, Performance and Security

> Gives IT Managers control over network usage

> Intelligent, versatile feature set

> Choice of five platforms
• Integrated SSL acceleration and IPSec/SSL VPN option

2000 and 3000 Series

Performance, Availability, Security

Application Switching Capabilities

Persistence Support: Source IP, Cookies, SSL Identifier

Advanced Filtering: Layer 2-7 Attributes, VLAN Filtering, Accept, Deny, NAT, Redirect

Content Intelligence: Layer 7 Inspect, Cookie, URL, HTTP Header, User Agent (PDA, Browser)

Network Services: NAT, VLAN Tagging, Trunking, Layer 2/3

Application Optimisation: Compression/Pooling, Connection Pooling, Cache, App Intelligence, Streaming Media

Embedded Security Svcs: DoS Attack Prevention, Application Abuse Protection, SSL Acceleration & VPN

Server Load Balancing: Application LB, Application Health Checks, High Availability

Global Load Balancing: Disaster Recover, WAN Links, Site Health Checks

Application Availability, Performance and Security

Intelligent Traffic Management: Network Optimisation for Application Performance

> Inspects, classifies, controls and reports application traffic

> Ability to analyse each flow at Layer 2 to Layer 7 to identify the application

> Licensed Feature

> Benefits
• Improves network efficiency
• Enables QoS for different traffic types
• Reduces costs by conserving bandwidth
• Controls unwanted application traffic, e.g. P2P
• Protects against DoS and Application-layer attacks
• Enables effective management, monitoring and detailed network planning

Inspect, Report, Enforce

Gives the Operator FULL control over their network traffic

ITM Features

Hardware and Software Requirements

How the Intelligent Traffic Management feature works

Processing Module: Alteon Application Switch

The Alteon Application Switch has a distributed processing architecture, based on network processors. There are multiple processors per switch and processing load is distributed between them. It can classify, limit, balance, etc. up to 2,000,000 simultaneous sessions.

1 – The basic unit of traffic classification is the Filter. Up to 2,048 filters (layer 2 to layer 7) can be created on a single Alteon Application Switch. In the case of Layer 7 filters, these filters make reference to a series of strings or “signatures” used to identify traffic at an application level. Up to 512 different strings can be configured.

2 – A Contract identifies and classifies a given application. For this purpose, a single filter is usually not enough, especially for complex Peer to Peer applications. Therefore a Contract consists of a series of filters (one or more) that uniquely identifies a particular application (or group of applications) - more precisely, a “traffic class”. Up to 256 different Contracts can be created.

3 – A Policy (or action) is a Bandwidth Management profile, or any other action (drop, prioritize, etc.). A Policy can be applied to one or more Contracts simultaneously. Up to 64 Policies can be active at the same time.

Processing Module: Alteon Application Switch

Rate Limit: Limits available bandwidth for a complete aggregate “traffic class” (as identified by the Contract). For each Contract, a maximum rate, called the Hard Limit, is defined in Kbps or Mbps. These actions can be applied independently for inbound and outbound traffic.

Reserve: To guarantee the service level of a particular application, a specified amount of bandwidth can be reserved for the exclusive use of a traffic class. This policy is set by configuring the Reserved Limit parameter.

Shaping: By using buffering techniques, it is also possible to shape (smooth) traffic of a given traffic class.

Prioritize: It is possible to mark a traffic class with a particular DSCP code, to apply a certain level of QoS to the class.

Block: A traffic class can also be dropped. This is achieved by using a Rate Limit policy with a Hard Limit of 0 (zero).

Ignore: A traffic class can simply be ignored, i.e. no action will be taken for that traffic class. This is achieved by using a Rate Limit policy with a Hard Limit equal to the speed of the port (e.g. 1 Gbps).

Monitor: A traffic class can be monitored. In this case the switch only gathers statistics on the traffic class, allowing the operator to analyze traffic and generate reports.
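
The policy types above, modelled as an added example (not Nortel's code and not part of the original slides): each contract gets a token bucket refilled at its Hard Limit, so Block (Hard Limit 0) and Ignore (Hard Limit equal to port speed) fall out as special cases of Rate Limit. The token-bucket mechanism, the 1 ms tick, the fixed packet size, the bucket depth and all names are assumptions made for the illustration.

```python
from dataclasses import dataclass

PORT_SPEED_KBPS = 1_000_000  # 1 Gbps port, as in the Ignore example
PKT_BITS = 10_000            # constructed traffic: fixed 1250-byte packets


@dataclass
class Contract:
    """One traffic class plus the policy applied to it (illustrative model)."""
    name: str
    hard_limit_kbps: int        # 0 = Block, PORT_SPEED_KBPS = Ignore
    monitor_only: bool = False  # Monitor: gather statistics, never drop
    tokens: int = 0             # forwarding credit, in bits
    passed: int = 0
    dropped: int = 0

    def tick(self):
        """Advance 1 ms. A rate of N kbps earns N bits of credit per ms."""
        depth = max(PKT_BITS, self.hard_limit_kbps)  # assumed bucket depth
        self.tokens = min(depth, self.tokens + self.hard_limit_kbps)

    def offer(self):
        """Offer one packet to the contract; return True if forwarded."""
        if self.monitor_only:
            self.passed += 1
            return True
        if self.tokens >= PKT_BITS:
            self.tokens -= PKT_BITS
            self.passed += 1
            return True
        self.dropped += 1
        return False


def run(contract, offered_kbps, millis=1000):
    """Offer a constant bit rate for `millis` ms; return forwarded kbps."""
    backlog = 0
    for _ in range(millis):
        contract.tick()
        backlog += offered_kbps  # bits arriving during this millisecond
        while backlog >= PKT_BITS:
            backlog -= PKT_BITS
            contract.offer()
    return contract.passed * PKT_BITS // millis


def demo(offered_kbps=10_000):
    """Apply each policy type to the same 10 Mbps offered load."""
    contracts = [
        Contract("rate-limit", hard_limit_kbps=2_000),
        Contract("block", hard_limit_kbps=0),
        Contract("ignore", hard_limit_kbps=PORT_SPEED_KBPS),
        Contract("monitor", hard_limit_kbps=0, monitor_only=True),
    ]
    return {c.name: (run(c, offered_kbps), c.dropped) for c in contracts}


if __name__ == "__main__":
    for name, (kbps, dropped) in demo().items():
        print(f"{name:10s} forwarded={kbps} kbps dropped={dropped} packets")
```

The per-contract `passed` and `dropped` counters correspond to the total and discarded traffic that the reporting module graphs.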

Management Module: ASEM

The ASEM is a software application for configuring Alteon Application Switches through a simple and intuitive GUI. It also provides monitoring of several operational variables (balanced sessions, throughput, CPU% use, memory, etc.).

To further simplify configuration, ASEM includes a series of Wizards for certain common tasks. For Intelligent Traffic Management, ASEM includes a Bandwidth Management Wizard; other wizards cover tasks such as server load balancing, WAN link load balancing, etc.

Before launching ASEM Client, the first thing that needs to be done in order to use the Nortel ASEM and ITM is to establish connectivity between the client PC and the application switch.

1. Configure and enable the Out-of-Band Management Port IP address.
2. Set SNMP access mode to read-write.
3. Install the license.
4. Verify that the license is installed.

Configuring ITM

Configuring ITM involves:
1. Launching ASEM Client
2. Selecting the Physical Ports
3. Configuring ITM to Prevent DoS Attacks
4. Configuring ITM to Deny Bogon-based IP ranges
5. Selecting Applications to Classify
6. Configuring Bandwidth Management Contracts
7. Defining Traffic Policies
8. Creating Contract Groups
9. Configuring Time Policies
10. Applying and Saving Your Configuration

Launching ASEM Client

1. Launch ASEM Client by clicking on the ASEM Client icon.

2. Select the switch to manage traffic.

3. Select Nortel ASEM > Wizards > Traffic Management Wizard menu option.

4. Continue with configuring ITM by proceeding to the next step,

Selecting the Physical Ports

If you are configuring Nortel ITM for the first time and if trunks are not configured on the switch, then the screen shown in "ITM Wizard" is displayed.

ITM Wizard Configuration Steps

1 From this screen, select the ports for the inbound and outbound traffic. Click the browse button to display the list of ports.

2 From this screen, you can configure ITM to prevent Denial of Service (DoS) attacks by selecting the check box and browsing through the list of DoS attacks.

3 You can also select the check box to prevent Bogus Network (Bogon) attacks.

4 Specify the Reporting Server IP Address and indicate by selecting from the drop-down menu whether the connection is through the Data Port or the Management Port.

5 A check box at the bottom of the screen indicates if a new bogon file is available. This check box is located to the left of the Bogon button and is enabled if a new bogon file is available for use, or disabled if the bogon file is current. Select this check box to use the new bogon file if one is available.

Configuring ITM to Prevent DoS Attacks

To turn on the DoS attack prevention feature, enable Denial of Service Attack on the ports as shown in "ITM Wizard". This enables the switch to deny common predefined attacks, such as Smurf, Fraggle and so on.

Here are some details on the embedded DoS attacks supported on the switch:

Configuring ITM to Deny Bogon-based IP ranges

The Bogon feature ("Bogon Settings") checks for newer bogon (bogus network) data and if found, will download it from the website and store it in the database. It will check the removed data to see if it can be transferred to the new bogon data. It will also check to see if any switches have been configured to receive bogon information and send the information to those switches.

The Modify Bogon Data in Database button ("Modify Bogon") allows the user to view the bogon data and select rows that the user does not want downloaded to the switches. It also allows the user to save the data back to the database or to a local file.

The Load Bogon File to Database button allows the user to load a local bogon file, modify it and either send it to the database or store it back to a local file.
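
The row-deselection step described above, as an added example (not ASEM's code and not part of the original slides): it parses a bogon list, drops the rows an operator deselected, merges what remains and tests source addresses against it. The one-prefix-per-line file layout, the sample prefixes and all function names are assumptions.

```python
import ipaddress

# Constructed sample in a one-prefix-per-line layout; not a current bogon list.
SAMPLE_BOGON_FILE = """\
# constructed sample for illustration
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
not-a-prefix
10.0.0.1/8
"""


def parse_bogons(text):
    """Return (networks, rejected) where rejected holds (line_no, text)."""
    nets, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects rows with host bits set, e.g. 10.0.0.1/8
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append((line_no, entry))
    return nets, rejected


def build_deny_list(text, deselected=()):
    """Drop operator-deselected rows, then merge what is left."""
    nets, rejected = parse_bogons(text)
    skip = {ipaddress.ip_network(d) for d in deselected}
    kept = [n for n in nets if n not in skip]
    return list(ipaddress.collapse_addresses(kept)), rejected


def is_denied(src, deny_list):
    """True if the source address falls inside any remaining bogon range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in deny_list)


if __name__ == "__main__":
    # Hypothetical site that uses 10.0.0.0/8 internally and deselects that row.
    deny, rejected = build_deny_list(SAMPLE_BOGON_FILE, ["10.0.0.0/8"])
    print("rejected rows:", rejected)
    for src in ("10.1.2.3", "192.168.1.1", "239.1.1.1", "8.8.8.8"):
        print(src, "deny" if is_denied(src, deny) else "allow")
```

Rejected rows are returned rather than silently skipped, so a malformed update can be reviewed before the list is pushed to any switch.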

Selecting Applications to Classify

The available list shown in "Selecting Applications to Classify" is populated with all the applications specified in the Nortel supplied and user-defined (if it exists) XML files.

Right-click on an application to display a description of the application. Applications that require an explanation are provided with a description. The description is retrieved from the XML files.

Applications that were previously selected are populated in the selected list. Layer 2 through 4 filters are the most efficient while Layer 7 filters are the most taxing on the switch.

Configuring Bandwidth Management Contracts

"Pre-defined Bandwidth Management Contracts and Policies" shows the Bandwidth management contract relationship with the Applications (rules) in a hierarchical tree form. Applications can be dragged and dropped from one contract to another.

Click on the Expand All button to see the applications sharing the contract.

When the same application is displayed under different contracts, it shows that different parts of the applications are affected in different contracts.

To reassign applications to a different contract simply select one or more applications (use the CTRL or SHIFT key to select multiple applications) and then drag those applications over top of the destination contract name or any applications within that contract.

Defining Traffic Policies

Define traffic policies for the BWM contracts. Click on the Action column in "Pre-defined Bandwidth Management Contracts and Policies" and select one of the policies.

For more information on these policies, see "Traffic Policies". To customize your Rate Limit, Traffic Shaping, and User Limit policies, select the policy and modify the parameters.

"Customizing Rate Limit Policy", "Customizing Traffic Shaping Policy", and "Customizing User Rate Limit Policy" show the basic and advanced dialog boxes to customize Rate Limit, Traffic Shaping, and User Limit policies.

Creating Contract Groups

You create a contract group to share the bandwidth among contracts. A contract group can hold up to 8 contracts. A contract group is always created in pairs, an IN_bound contract group and an OUT_bound contract group. The in-bound contracts are added to the IN_bound contract group and the out-bound contracts are added to the OUT_bound contract group. You can create up to 16 pairs of contract groups.

This step is optional. Select the Contract Group icon to consolidate multiple contracts into a single group.

Enter the Contract Group name and click OK. The newly created Contract Group is displayed along with the other contracts and applications with the icon denoting that it is a contract group in the Actions screen.

Configuring Time Policies

This step is optional. To configure a time policy for a contract you must first specify the time window to define when the policy should apply.

Select a contract and click the Add Time Policies icon to add one or two time policies to the selected contract.

Applying and Saving Your Configuration

Once all GUI changes have been made, the Wizard issues SNMP commands to configure the switch to the new configuration. Then, the wizard remembers the changes it has made on the switch. It contains an XML representation of what is currently configured on that switch.

Every time you go through the screens of the ITM wizard, the wizard removes all the current information and issues the SNMP commands to configure the switch to the "new" configuration. Then, the wizard saves the new configuration.

ITM Job Schedules

Schedule Nortel Rule Updates

This dialog is used to schedule updates to the ITM signatures. When enabled, this job will run daily at the specified time to check for newer ITM signatures. This dialog is accessible from the second window of the Traffic Management Wizard by clicking the Nortel Rule Schedule button.

ITM Job Schedules

Schedule Bogon Settings

This dialog is used to schedule the update of Bogon lists on the switch.

When enabled, this job will run daily at the specified time to check for newer Bogon lists. This dialog is accessible from the first window of the Traffic Management Wizard by clicking the Bogon button.

ITM Job Schedules

Scheduling TFTP/FTP Jobs

1 Select Configure > Switch from the menu and select the TFTP/FTP tab.

2 In the Action drop down list, select the TFTP or FTP job to schedule. Only the following job types can be scheduled:
• get-image
• put-configuration
• put-tsdump

3 Click the Schedule TFTP/FTP Jobs button at the bottom of the screen.

The Put Configuration dialog is used to schedule the backup of the switch configuration to a TFTP or FTP server.

ITM Reporting Module

The Traffic Reporting system allows you to generate reports based on:

• Applications
You can run a report on individual or multiple application usage for total traffic or discarded traffic.

• Multiple switches
You can run a report of the same elements across multiple switches. For example, you can generate a report to see how Application A’s usage compares across these three switches during the defined time period.

• Users
You can run a report that includes individual or multiple user usage for one or more applications (total or discarded traffic). You can also find the top 10 users for a specific application.

• Aggregate of protocols
Application Ranking reports and graphs can be generated based on total traffic and discarded traffic for each of the following categories:
• Top 5 applications, inbound
• Top 5 applications, outbound
• Top 5 users, inbound
• Top 5 users, outbound

Starting the Reporting Tool

You can run the Reporting Server using the following link:

http://<server name (or) ip Address>/ReportServer/

The ITM Main menu or the Reporting Menu is displayed.

Sample 1: Selecting Individual Application

The data for Sample report 1 is all inbound and outbound traffic at all times for Applications KaZa over a 1 day period.

Sample report 1 shows three different ways of displaying the same information. The information can be displayed in the following three views:
• Graph format
• Excel/HTML format
• Table format

Sample 2: Selecting Traffic Groups

This sample report shows a graph for the top 5 inbound traffic groups. In this sample, the top five inbound applications are Applications 1, 2, 3, 5 and 6. The summary data shows a statistical summary for the top 5 inbound traffic groups.

Sample 3: Aggregating Traffic

In this sample report, all outbound traffic is averaged to a single line of data (sum) as shown in "Traffic Aggregates". The traffic aggregates for inbound traffic over 6 days.

Sample 4: Selecting Multiple Applications

This sample compares three selections: inbound and outbound traffic for Application 3 and aggregated traffic for all inbound traffic.

Sample 5: Percent of Inbound Traffic

This is a sample of a relative graph that shows how much an application is being used compared to the total traffic.

Sample 6: Graphing Discarded Traffic

This sample lets you generate a report for outbound traffic for Application 3 and its discarded traffic.

Sample 7: Stacking Area and Bar Graphs

These samples demonstrate the benefits of generating reports that stack applications. Stacked graphs are graph generation options selected in the Chart Type drop down list as the STACKING AREA and STACKING BAR options.

Sample 8: Measuring Discarded Traffic

A relative report showing an application’s discards as a percentage of the application traffic is very informative. "Measuring Discards" shows the percentage of outgoing Application 1 traffic and its discards.

Sample 9: Selecting Time

This sample shows the time selection for inbound traffic on Application 1. To provide more granularity for the graphs, ITM allows you to select the unit of time to the minute.

"Selecting Time" shows a graph isolated to a single 24 hour period, as opposed to the other samples in this chapter which show a 6 day period. The graph size is always the same across the x-axis, but scales accordingly to the time parameters selected.

Sample 10: Generating User Reports

You can generate user reports to see:

• Top users for a specific application
If you want to know the top users using the Web browser, then run a top user report and select the specific application.

• Top users for a group of applications
If you want to know the top users for a few applications, then create a group with the selected applications and run a top user report on that group.

• Application usage for a specific user
If you want to know the application usage for specific users, then enter the IP addresses of users and run the User Report.

Sample 11: Typical Reports

Typical reports are used to illustrate typical data values for an application across a given time period. Reports can be generated for a typical hour, day, or week based on the time period selected in the Time Selection area.

Sample 12: Averaging Data

This sample uses two graphs to illustrate the advantages of using the Average Data option during graph generation. "Graph With No Averaging" illustrates a graph that plots data for the top 5 inbound applications over a six day period using the Average Data option.