ipanema system user manual 8.1

Upload: adrian-maftei

Post on 03-Nov-2015


  • Ipanema System

    User Manual

    8.1

  • Issue: October 2014

    Headquarters, France
    Ipanema Technologies, 28 rue de la Redoute, 92260 Fontenay-aux-Roses
    email: [email protected]
    tel: +33 (0)1 55 52 15 00
    Technical support
    email: [email protected]
    tel: +33 (0)1 55 52 15 22

    Belgium
    Ipanema Technologies, Av. du Bourg. Etienne Demunter 3, 1090 Bruxelles
    tel: +32 498 17 95 09

    Germany
    Ipanema Technologies GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden
    tel: +49 611 97774 285

    Italy
    Ipanema Technologies, Piazzale Biancamano 8, 20121 Milano
    tel: +39 02 6203 2185

    Singapore
    Ipanema Technologies APAC, 105 Cecil Street, Level 11 The Octagon, Singapore 069534
    tel: +65 68201235

    Spain
    Ipanema Technologies, Av. de Europa 19, Parque Empresarial La Moraleja, Alcobendas, 28108 Madrid
    tel: +34 91 793 21 30

    Switzerland
    Ipanema Technologies, Zollikerstrasse 153, CH-8008 Zurich
    tel: +41 (0)43 488 45 06

    The Netherlands
    Ipanema Technologies, Vaartserijnstraat 16, 3523 Utrecht
    tel: +31 30 890 6680

    United Kingdom
    Ipanema Technologies Ltd, The Podium, One Eversholt Street London NW1 2DN
    tel: +44 (0)207 554 0822

    USA
    Ipanema Technologies Corp., 200 Fifth Avenue, Waltham, MA 02451
    tel: +1 781 890 8008
    Technical support
    email: [email protected]
    tel: +1 617 862 0033
    toll free number: 888 485 4884

  • The information contained in this document is subject to change without notice.

    The information and specifications contained in this document are not contractual. The information contained in this document is sincerely considered by Ipanema Technologies to be accurate and reliable, but implies no warranty, either explicit or implicit. Users are responsible for their personal use of the information and specifications. Ipanema Technologies shall not be liable for any errors which may appear in this document.

    Reproduction in any form whatsoever, without the written authorization of Ipanema Technologies, is strictly forbidden.

    Ipanema, the Ipanema logo, Ipanema System, SALSA, ip|uniboss, ip|boss, ip|dashboard, ip|reporter, ip|engine, nano|engine, virtual|engine, tele|engine, IMA, ip|agent, ip|sync, ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, ip|export and smart|plan are trademarks of Ipanema Technologies.

    Any trademarks and trade names which may be used in this document refer to the entities which own these trademarks and these trade names, or to their products.

    Ipanema Technologies renounces all proprietary interest in trademarks and trade names other than its own.

    Copyright 2001/2014, Ipanema Technologies

    All rights reserved

  • Contents

    INTRODUCTION
    1. REVISIONS
    2. LIST OF ASSOCIATED DOCUMENTS
    3. DOCUMENT ORGANIZATION
    4. TERMS USED

    CHAPTER 1 IPANEMA SYSTEM
    1. OVERVIEW
      1. 1. Autonomic Networking System
      1. 2. Ipanema features
      1. 3. Ipanema appliances, VMs and software agents
      1. 4. Features availability
      1. 5. Functional architecture
    2. GENERAL PRINCIPLES
      2. 1. System deployment
      2. 2. Communication between system elements
      2. 3. Security
    3. FEATURES DESCRIPTION
      3. 1. Application Visibility (ip|true)
      3. 2. Application Control (ip|fast)
      3. 3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp)
      3. 4. Dynamic WAN Selection (smart|path)
      3. 5. Network Rightsizing (smart|plan)
      3. 6. Tele-managed sites

    CHAPTER 2 UNIFIED ACCESS TO THE IPANEMA SYSTEM (SALSA CLIENT)
    1. SALSA WEB PORTAL
    2. UNIFIED USER MANAGEMENT
    3. SALSA URLs
    4. LDAP AUTHENTICATION
    5. VISTAPORTAL AND VPSE CONSIDERATIONS
      5. 1. VistaPortal considerations
      5. 2. VistaPortal SE considerations

    CHAPTER 3 MANAGING DOMAINS, USERS AND LICENSES (IP|UNIBOSS)
    1. DOMAINS OVERVIEW
    2. ip|uniboss CLIENT
      2. 1. Connection to ip|uniboss
      2. 2. ip|uniboss main window
    3. IMPORTING A LICENSE
    4. SYSTEM PROVISIONING
      4. 1. Declare ip|boss servers
      4. 2. Domains
      4. 3. Radius
    5. REPORTING PROVISIONING
      5. 1. ip|reporter web portals (VF0 and VF4)
      5. 2. VistaMart (VF4 only)
      5. 3. Server Group (VF4 only)
      5. 4. IV Server
    6. MANAGING USERS
      6. 1. System administration: Users
      6. 2. System administration: User Groups
      6. 3. User credentials supplied in the URL
      6. 4. User name as an HTTP header
      6. 5. External LDAP authentication
      6. 6. External SAML authentication
    7. SUPERVISION
      7. 1. Inventory
      7. 2. Logs
      7. 3. Issues

    CHAPTER 4 CONFIGURING SERVICES (IP|BOSS)
    1. CONFIGURATION OVERVIEW
    2. ip|boss WEB CLIENT
      2. 1. Connection to ip|boss
      2. 2. ip|boss main window
      2. 3. ip|boss tool bar
      2. 4. ip|boss status zone
      2. 5. ip|boss table view
      2. 6. ip|boss creation form
    3. ip|boss CLI CLIENT
      3. 1. CLI architecture
      3. 2. CLI language
      3. 3. Tabular input and output
    4. OPERATING PROCEDURE
    5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION
      5. 1. Create a new configuration
      5. 2. Open a configuration
      5. 3. Save a configuration
      5. 4. Undo a configuration modification
    6. EXPORTING AND IMPORTING OBJECTS
      6. 1. Exporting objects
      6. 2. Importing objects
    7. SYSTEM PROVISIONING
      7. 1. Configuring Coloring
      7. 2. Configuring WAN Accesses
      7. 3. Configuring ip|engines and tele|engines
      7. 4. Configuring Topology subnets
      7. 5. Configuring ip|sync (time synchronization)
      7. 6. Scripts
      7. 7. Tools
      7. 8. Configuring DWS (Tools / Advanced conf.)
    8. APPLICATION PROVISIONING
      8. 1. Configuring User subnets
      8. 2. Configuring Types of service (TOS)
      8. 3. Configuring Applications
      8. 4. Configuring QoS Profiles
      8. 5. Configuring Application Groups (AGs)
      8. 6. Configuring LTL (Local Traffic Limiting)
    9. REPORTING
      9. 1. Configuring MetaViews
      9. 2. Configuring Reports
      9. 3. Configuring Alarming
    10. SUPERVISION OPTIONS
      10. 1. Configuring Fault Management
    11. SYSTEM ADMINISTRATION
      11. 1. Configuring Automatic reporting
      11. 2. Configuring Security

    CHAPTER 5 IPANEMA SYSTEM SUPERVISION (IP|BOSS)
    1. ip|boss MAIN WINDOW
    2. SUPERVISION
      2. 1. ip|engine status (monitoring ip|engines activity)
      2. 2. Status Maps (monitoring ip|engines activity)
      2. 3. Scripts
      2. 4. Security (monitoring security certificate)
    3. SYSTEM PROVISIONING: TOOLS
      3. 1. Rebooting
      3. 2. ip|engine software upgrade
    4. ip|boss LOGS
    5. CONFIGURATION HISTORY

    CHAPTER 6 USING IPANEMA SERVICES (IP|BOSS)
    1. STARTING AND STOPPING A SESSION
      1. 1. Starting a session
      1. 2. Stopping a session
    2. DYNAMICALLY MODIFYING A SESSION
      2. 1. Update procedure
      2. 2. Transition
    3. SERVICE ACTIVATION
      3. 1. ip|true (measurement)
      3. 2. ip|fast (Application Control)
      3. 3. ip|coop (tele-cooperation)
      3. 4. ip|xcomp (redundancy elimination)
      3. 5. ip|xtcp (TCP acceleration)
      3. 6. ip|xapp (CIFS acceleration)
      3. 7. smart|plan
      3. 8. IMA
    4. HELP

    CHAPTER 7 MONITORING (IP|DASHBOARD)
    1. CONNECTION
    2. GRAPHICAL USER INTERFACE
      2. 1. ip|dashboard window, menus and views
      2. 2. Frames and timing
      2. 3. Reading ip|dashboard contents
      2. 4. Access to the reports
    3. DOMAIN VIEW
      3. 1. Quality Summary
      3. 2. Activity Summary
    4. SITES VIEW
      4. 1. Overview
      4. 2. Sites
      4. 3. Searching for Sites / Filtering the Sites
      4. 4. Downloading the data
    5. FLOWS VIEW
      5. 1. Overview
      5. 2. Application flows
      5. 3. Real Time Graphs
      5. 4. Discovery
    6. SINGLE SITE VIEW
      6. 1. Quality Summary
      6. 2. Activity Summary
      6. 3. Throughput Summary per NAP
      6. 4. Application flows
      6. 5. Discovery

    CHAPTER 8 OPTIMIZING SSL (IP|DASHBOARD)
    1. OVERVIEW
      1. 1. Deployment
      1. 2. Applications
      1. 3. Principles
    2. CONFIGURATION
      2. 1. Configure domain-wise trusted proxy CA credentials
      2. 2. Select SSL proxy enabled sites
      2. 3. Select optimization enabled SSL servers
      2. 4. Customize the SSL Proxy Certificate Trust Store
    3. SECURITY AND LEGALS
      3. 1. Security
      3. 2. Legals

    CHAPTER 9 REPORTING (IP|REPORTER)
    1. MIB ACCESS
      1. 1. MIB
      1. 2. SNMP
    2. ip|reporter
      2. 1. Ipanema Architecture
      2. 2. Ipanema's ip|reporter architecture
      2. 3. Terms
      2. 4. Starting the system
      2. 5. Reports Management
    3. HOW TO READ THE REPORTS
      3. 1. IVreport (VF0)
      3. 2. Web client (VF0)
      3. 3. Web client (VF4)
      3. 4. Dynamic reading of the reports
      3. 5. Definitions
    4. IPANEMA SYSTEM VISTAVIEWS
    5. SLM (SERVICE LEVEL MONITORING) REPORTS
      5. 1. is - slm - service level evolution
      5. 2. is - slm - site summary
      5. 3. is - slm - application group summary
      5. 4. is - slm - application group summary per direction
      5. 5. is - slm - application synthesis
      5. 6. is - slm - site synthesis
    6. SLA (SERVICE LEVEL AGREEMENT) REPORTS
      6. 1. is - sla - domain overview - graph
      6. 2. is - sla - domain overview - table
      6. 3. is - sla - domain - aqs summary
      6. 4. is - sla - domain - ag aqs summary
      6. 5. is - sla - domain - site aqs summary
      6. 6. is - sla - domain - mos summary
      6. 7. is - sla - site summary
      6. 8. is - sla - site aqs summary
      6. 9. is - sla - site mos summary
      6. 10. is - sla - site exploitation
      6. 11. is - sla - site customer
    7. CAM (CLOUD APPLICATION MONITORING) REPORTS
      7. 1. is - cam - clients overview
      7. 2. is - cam - time evolution
    8. AM (APPLICATION MONITORING) REPORTS
      8. 1. is - am - site summary - tcp
      8. 2. is - am - application group summary - tcp
      8. 3. is - am - application group summary - per dir. - tcp
      8. 4. is - am - application summary - tcp
      8. 5. is - am - application summary - per direction - tcp
      8. 6. is - am - time evolution - tcp
    9. PM (PERFORMANCE MONITORING) REPORTS
      9. 1. is - pm - site summary
      9. 2. is - pm - application group summary
      9. 3. is - pm - application group summary per direction
      9. 4. is - pm - application summary
      9. 5. is - pm - application summary per direction
      9. 6. is - pm - traffic topology
      9. 7. is - pm - time evolution
      9. 8. is - pm - detailed per application, per app. group
      9. 9. is - pm - top host application on volume
    10. PM COMPRESSION REPORTS
      10. 1. is - pm - compression evolution
      10. 2. is - pm - application group compression synthesis
      10. 3. is - pm - application compression synthesis
    11. SSL OPTIMIZATION REPORT
      11. 1. is - ssl optimization - time evolution
    12. ACC (ACCELERATION) REPORT
      12. 1. is - acc - acceleration evolution
    13. CIFS REPORT
      13. 1. is - cifs - time evolution
    14. SAM (SERVICES ACTIVITY MONITORING) REPORTS
      14. 1. is - sam - site summary
      14. 2. is - sam - time evolution
    15. VOIP REPORTS
      15. 1. is - voip - synthesis
      15. 2. is - voip - time evolution
    16. SA (SITE ANALYSIS) REPORTS
      16. 1. is - sa - site summary ingress
      16. 2. is - sa - site summary egress
      16. 3. is - sa - site throughput
    17. FI (FAULT ISOLATION) REPORTS
      17. 1. is - fi - availability - evolution
      17. 2. is - fi - availability - overview
    18. SP (SMART PLANNING) REPORTS
      18. 1. is - sp - profile
      18. 2. is - sp - synthesis
    19. EXPORTING THE REPORTS DATA WITH ip|export
      19. 1. ip|export output files and directory
      19. 2. ip|export log file
      19. 3. ip|export command usage
      19. 4. ip|export output file formats

    CHAPTER 10 SOFTWARE LICENSE AGREEMENT
    1. IPANEMA SOFTWARE LICENSE AGREEMENT
      1. 1. Grant Right of Use
      1. 2. Intellectual Property
      1. 3. Term and Termination
      1. 4. Warranty
      1. 5. Liability
      1. 6. Miscellaneous
    2. LICENCE D'UTILISATION DU LOGICIEL IPANEMA (FRENCH)
      2. 1. Etendue des Droits Concédés
      2. 2. Propriété Intellectuelle
      2. 3. Durée
      2. 4. Garantie
      2. 5. Responsabilité
      2. 6. Dispositions Générales

    CHAPTER 11 TECHNICAL SUPPORT

  • INTRODUCTION

    1. REVISIONS

    Date of issue Index Chapter/section

    concerned

    Subject

    Jan. 2001 A All Original

    April 2001 B All in accordance with the V2.4 software version

    Sep. 2001 C All in accordance with the V2.5 software version

    Jan. 2002 D All in accordance with the V2.5.11 software version

    March 2002 E All in accordance with the V2.6.1 software version

    Aug. 2002 F All in accordance with the V2.7.5 software version

    Oct. 2002 G All in accordance with the V2.7.6 software version

    Jan. 2003 H Chapters 2,3, 4 and 8

    in accordance with the V2.8 software version

    Feb. 2003 I Chapter 2 ip|reporter settings

    April 2003 J Chapter 2 About window

    Oct. 2003 K All in accordance with the V3.0 software version

    July 2004 L All in accordance with the V3.2 software version

    April 2005 M All in accordance with the V3.4 software version

    Nov. 2005 N All in accordance with the V4.0 software version

    Nov. 2005 O Chapter 2 ip|boss Solaris installation

    April 2006 P All in accordance with the V4.2 software version

    Aug. 2006 Q All in accordance with the V4.3 software version

    Oct. 2006 R Chapter 2 Domain creation, ip|reporter Solaris installation,ip|reporter web 2.2

    Nov. 2006 S Chapter 3 Alarming function

    Feb. 2007 T All manual organization; ip|reporters portmapper port;ip|reporter multi network interfaces server; Apacheweb server configuration for ip|reporter web edition;BW tracking principles; configuring ip|engines;ip|engine alarms description; removal of a report

    Nov. 2007 U All in accordance with the V4.4 software version

    Jan. 2008 V Chapters 2and 7

    ip|reporter web (no license key; user rightsdefinition); 7.3.2. How to read the reports; periodicityof some reports (minor corrections)

    April 2008 W All in accordance with the v5.0.0r8 software version

    July 2008 X Chapters 2and 3

    Solaris installation removed from this manual;radius configuration

    Ipanema Technologies 1October 2014

  • Ipanema System

    Oct. 2008 Y All in accordance with the v5.0.0r12 software version

    Dec. 2008 Z All in accordance with the v5.1 software version

    Jan. 2009 AA Chapter 2 2.5.4. Install/Uninstall ip|reporter on Windows, 2.6.1.Install ip|reporter web on Windows

    March 2009 AB All in accordance with the v5.2 software version

    May 2009 AC All Minor corrections: 1. 2. 3. 5, 3. 6. 1 and 7.1.2:SNMP port; 2.5.6.1: InfoVista license key; 2.6.1.8:Customizing VistaPortal SE; 4.5.3: ip|boss Javaclient menu bar; 6.5.3: Helpdesk maps colorsNew: 2.3.3 install ip|boss using the CLI; 3.9:note on Inventory printing; 4.9.7. Tools; 4.9.8.smart|path advanced parameters; 4.10.5.4: Userclass sensitivity; 4.11.3.1: Alarm severity; 6.5.1: Linksupervision

    June 2009 AD Chapters 2, 9 2.1 JDK is not required any longer;9.1 Technical Support contact information

    Nov. 2009 AE Chapters 2,4, 7

    2.8.2 software upgrade (FTP)4.9.3 and 4.10.5.4 RAM-based and Disk-basedcompression are replaced by Zero Delay andStandard Redundancy Elimination (ZRE, SRE)4.10.3.2 applications list7. several report updates in version 5.2 had notbeen reflected in the manual

    Nov. 2009 AF Chapters 2,4, 6, 7

    2.2.3 and 2.3.3 minor corrections4.9 Export / Import objects4.10.8 and 4.11.5.4 new smart|path parameter inv5.2.26.5.2 freeze the view in the real time flows list7.6.3, 7.6.4 and 7.6.5 three new SLA reports

    March 2010 AG All in accordance with the v6.0 software version

    May 2010 AH Chapter 1 A bug in the documentation system, which replaced chapter 1 by chapter 10, has been fixed.

    Aug. 2010 AI Chapters 1, 2, 4, 5 and 8 1.2.3.2 minor correction; 2.7 and 8.16 (mainly) ip|export has been completely redesigned

    Dec. 2010 AJ Chapter 8 8.8.11.1 minor correction

    Aug. 2011 AK All Virtual ip|engines are now called tele|engines. The optimization feature is now called QoS & control.
    Chapter 2 2.5 reports_desc.impsys and VistaViews are now automatically installed with ipreporter_setup.exe; Solaris 9 is not supported any longer; Windows 2008 is supported

    Nov. 2011 AL All in accordance with the v7.0 software version; installation is now described in a separate manual

    Dec. 2011 AM All Chapter 1 - Ipanema System was missing in rev. AL

    March 2012 AN All in accordance with the v7.0.2 software version; major changes: User Classes are renamed Application Groups; report pm top host application on volume is restored

    July 2012 AO All in accordance with the v7.1 software version

    Sep. 2012 AP All suppression of the Undo button


  • Dec. 2012 AQ All, 1.1.2, 4.2.3, 4.8.3, 8.13: in accordance with the v7.1.4 software version; SALSA architecture updated; the Undo button has been put back in; applications list updated; description of the common name (https attribute) improved; SEM reports are renamed SAM

    Jan. 2013 AR 3.4.2.1, 4.6.1, 4.8.3.3, 4.8.4, 8.4: A Timezone is added to the Domain configuration; Export function updated; RTP/RTCP plugin configuration updated; Implicit max bandwidth = 500 x objective; minor corrections (reports availability on tele-managed sites with IMA)

    March 2013 AS 3.4.2.1, 7.2.1 Chapter 7-Chapter 8: More details on the time zone; More details on the throughput displayed in ip|dashboard; SLA, CIFS and PM-compression reports updated

    April 2013 AT 3.6.1, 4.7.2, 4.9.3.1: More details on User rights on the reports; Definition of the WAN access Network Report key for DWS; More details on the syntax of the alarm rules in ip|boss's Alarming function

    June 2013 AU 4.8.3.2 List of recognized applications updated

    July 2013 AV all In accordance with the v8.0 RC software version

    Aug. 2013 AW Chapter 1 The Introduction has been completely revised.

    Sept. 2013 AX Chapter 7 In accordance with the v8.0 GA software version

    Oct. 2013 AY 5.2.1.2 ip|engine supervision details: minor correction xxxIpanema Software License Agreement

    Oct. 2013 AZ 10 New Ipanema Software License Agreement

    March 2014 BA All, 4.7.3: QoS & control is renamed Application Control. New names for the WAN access attributes and new fields for the multipath mode in the ip|engine configuration window.

    April 2014 BB 9.11 SSL optimization report added

    June 2014 BC All In accordance with v8.1 RC software version

    July 2014 BD All, 9.18: Minor correction on the Sites terminology; SP reports: monitored resources

    Oct. 2014 BE In accordance with v8.1 GA software version


    2. LIST OF ASSOCIATED DOCUMENTS

    The system installation on Windows is described in a separate document:

    Ipanema System Installation Manual

    For each range of ip|engine (nano, 10, 100 and 1000), there are two manuals:

    Directives and Regulations Manual: ip|engine Directives, Regulations and Certificates. Read the safety instructions before connecting an ip|engine to the supply.

    Configuration manual: Technical characteristics and ip|engines installation, configuration and set-up procedures; troubleshooting. This manual is intended for ip|engines integrators, administrators and users.

    3. DOCUMENT ORGANIZATION

    This document contains 10 chapters:

    Chapter 1 - Ipanema System: system overview.
    Chapter 2 - Unified access to the Ipanema System (SALSA client): how to access a Domain with the various components of the system.
    Chapter 3 - Managing Domains, Users and Licenses (ip|uniboss): Domains and Users creation and modification procedures, Licenses management.
    Chapter 4 - Configuring Services (ip|boss): the different set-up and configuration procedures.
    Chapter 5 - Ipanema System Supervision (ip|boss): system supervision procedures.
    Chapter 6 - Using Ipanema Services (ip|boss): system exploitation procedures.
    Chapter 7 - Monitoring (ip|dashboard): application monitoring.
    Chapter 8 - Optimizing SSL (ip|dashboard): optimization service to the SSL encrypted flows.
    Chapter 9 - Reporting (ip|reporter): description of the Ipanema reporting.
    Chapter 10 - Software license agreement.
    Chapter 11 - Technical support: description of the Ipanema Support.


  • 4. TERMS USED

    AG: Application Group.

    Aggregated flow: an aggregated flow groups together IP micro-flows sharing given common characteristics. It is specified by a source subnet, a destination subnet and, where appropriate, a protocol, an application and a client/server direction and a TOS.

    ANS: Autonomic Networking System.

    Applications Dictionary: the Applications Dictionary contains a list of the applications recognized by the system. The applications are identified by protocol, a TCP or UDP port number, a type of Codec, a URL for HTTP, a published application for Citrix...

    Applications Group: Group of Applications with a certain Criticality level and a certain QoS Profile; contains key parameters for AQS measurement and Application Control.

    Application Quality Score: Ipanema notation for the traffic Quality. From 0 (very bad) to 10 (very good). The notation is calculated according to the expected behavior.

    AQS: Application Quality Score (see description above).

    ASL: Application Service Level.

    BDP: Bandwidth Delay Product.

    Byte counting: the system indicates the number of bytes in the IP packet, including IP headers.

    CIFS: Common Internet File System, aka SMB (Server Message Block).

    CLI: Command Line Interface.

    Congestion: state of a network resource in which the traffic incident on the resource exceeds its output capacity over an interval of time.

    CoS: Class of Service.

    CPE: Customer's Premises Equipment (network access equipment located on the customer's site. In the case of an IP network this is usually an access router).

    Delay variation: Standard deviation of the delay on a given period.

    DPI: Deep Packet Inspection, the application recognition mechanism used by Ipanema, based on the layer 7 syntax.

    DSCP: DiffServ Code Point.

    DstPort: Destination Port.

    Datagram: block of data transmitted on the packet switched network.

    D/J/L: Delay/Jitter/Loss.

    Domain: a Domain is composed of a set of ip|engines making and exchanging observations and making measurements based on these. ip|engines are configured and operated via the ip|boss central software. All elements in a Domain must be connected in the IP sense (each element must have an IP address that can be routed on the network).

    DWS: Dynamic WAN Selection (feature provided by the smart|path service).


    Elementary observation: measure of time, length, etc., performed by the ip|engine on each measured packet.

    Equipped site: site with an ip|engine, a nano|engine or a virtual|engine.

    Flow: in the Ipanema system, we call a flow all the sessions of a given application, from a given source to a given destination.

    Fragmentation: the process of division of a datagram into several fragments (IP packets), to facilitate traffic flow on low-speed links for example.

    GLASS: GlobaL Autonomic Support System: ip|engine metrics aimed at accelerating technical escalations.

    GPS: Global Positioning System (a positioning and synchronization system based on a satellite constellation (~ 24) in medium altitude orbit, covering practically the entire surface of the earth and is highly accurate. It used to be used in early versions of the Ipanema system).

    Goodput: Number of received bits per second above layer 4 (i.e., TCP or UDP payload).

    GUI: Graphic User Interface.

    HSRP: Hot Standby Router Protocol (Cisco).

    ICMP: Internet Control Message Protocol.

    IMA: Ipanema Mobile Agent.

    IP: Internet Protocol.

    IP micro-flow: an IP micro-flow is specified by all packets identified by the same IP source and destination address, the same protocol and, where appropriate, the same TCP/UDP ports.

    ip|agent: Ipanema software running on Ipanema appliances (ip|engines and nano|engines) and virtual appliances (virtual|engines); by extension, we call ip|agent the software running on Ipanema Mobile Agents (IMAs), although the latter do not run all ip|agent services. ip|agent services are ip|true, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, smart|path and smart|plan.

    ip|boss: component of the SALSA suite used to configure the Domains.

    ip|coop: tele|engines cooperative control (part of ip|fast).

    ip|dashboard: component of the SALSA suite allowing to monitor the traffic (in reality the server is part of ip|boss server).

    ip|engine: Ipanema appliance that performs measurement, control, compression, acceleration, etc., to provide Visibility, Application Control and WAN Optimization.

    ip|fast: ip|agent providing Application Control.

    ip|reporter: component of the SALSA suite that generates the reports; it is powered by InfoVista.

    ip|true: ip|agent's measurement service, behind the Application Visibility feature.

    ip|uniboss: component of the SALSA suite used to manage the Domains, Users and Licenses.

    ip|xapp: ip|agent providing CIFS acceleration (part of the WAN optimization feature).

    ip|xcomp: ip|agent providing Compression (SRE and ZRE; part of the WAN optimization feature).

  • ip|xtcp: ip|agent providing TCP acceleration (part of the WAN optimization feature).

    IPDR: IP Data Records.

    ISU: Ipanema Software Unit.

    ITP: Ipanema Time Protocol.

    Jitter: standard deviation of the delay on a given period.

    JRE: Java Runtime Environment.

    LAN: Local Area Network (the same geographical site may have several LANs interconnected by a router).

    LAN-to-LAN: used for the measurement from the LAN port of the source ip|engine to the LAN port of the destination ip|engine; applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated LAN (e.g. LAN-to-LAN Delay = LAN Delay).

    LDAP: Lightweight Directory Access Protocol, used for authentication and authorization in SALSA.

    LTL: Local Traffic Limiting.

    Measurement interface: interface on the ip|engine giving access to the point of measure.

    Measurement ticket: the measurement ticket groups together the elementary observations made on an IP packet by an ip|engine.

    MetaView: Object we report on (Domain, Site, group of Sites, Application Group, etc.), created in ip|boss. The reports aggregate data on MetaViews, in ip|reporter.

    MOS: Mean Opinion Score (standard Measure of the Quality of a Voice Call (notation between 0 (very bad) to 5 (very good), normalized by the ITU-T (G.107))).

    MRE: Multi Redundancy Elimination (= SRE + ZRE; synonymous with Compression).

    nano|engine: Ultra compact Ipanema appliance that performs measurement and control, to provide Visibility and Application Control in small Branch offices (no WAN Optimization, unlike ip|engines).

    NAP: Network Access Point.

    OWD: One Way Delay.

    Packets: series of binary elements organized in a predefined format and transferred as a whole.

    Packet counting: the system indicates the number of datagrams observed. It is insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).

    Packet loss: the system indicates the number of datagrams lost. It is therefore insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).

    PBR: Policy Base Routing.

    Physical site: (Obsolete) old name for an Equipped site.

    Point of measure: place of traffic acquisition where measures are made.

    QoE: Quality of Experience (measured by the AQS).


    QoS: Quality of Service.

    QoS Profile: Set of parameters in ip|boss, which applies to an Application Group. The parameters are: the traffic type (real time, transactional or background), the bandwidth objective and the maximum bandwidth (per session), followed by 6 quality metrics (delay, jitter, loss, RTT, SRT and TCP retransmission) with two thresholds each (objective, maximum).

    RADIUS: Remote Authentication Dial-In User Service.

    Router: interconnection gateway between two IP networks.

    Routing: operation of determining the route to be taken through a network by a data packet.

    RTT: Round Trip Time.

    SALSA: Scalable Application Level Service Architecture.

    SAML: Security Assertion Markup Language.

    Sensitivity: Application Group parameter, used for DWS.

    SLA: Service Level Agreement.

    smart|path: ip|agent providing Dynamic WAN Selection.

    smart|plan: ip|agent's Network Rightsizing service.

    SNMP: Simple Network Management Protocol.

    SrcPort: Source port.

    SRE: Standard Redundancy Elimination (AKA Disk-based compression).

    SRT: Server Response Time.

    SSL: Secure Socket Layer.

    TCP: Transmission Control Protocol.

    tele|engine: Allows traffic on unequipped Sites to be measured and controlled by the ip|engines of the remote Sites, thus providing Application Visibility and Control without any appliance on the local Site (branch office). tele|engines are configured in ip|boss as physical ip|engines, checking a specific box. A Site with a tele|engine is called a tele-managed Site.

    Tele-managed Site: Site with a tele|engine.

    Ticket Record: groups measurement tickets together for transmission between ip|engines.

    TOS: Type Of Service.

    TOS Dictionary: the TOS Dictionary contains a list of TOS recognized by the system. The TOS are identified by the field Type Of Service in IP packet.

    Traffic profile: a description of the temporal properties of a traffic stream such as rate and burst size.

    Transfer delay: the transfer delay of a packet between ip|engines is measured when the last bit of the packet passes the measure points. In the event of fragmentation of the datagram into several IP packets, the measure is made when the last bit of the last fragment passes.

    Throughput: Number of bits per second at the IP level.


  • UC: Unified Communications.

    UDP: User Data Protocol.

    VF0 / VF4: Vista Foundation 0 / 4 (InfoVista platforms provided with ip|reporter).

    Virtual ip|engine: (Obsolete) old name for a tele|engine (< SALSA v6).

    Virtual site: (Obsolete) old name for a tele-managed Site.

    virtual|engine: Software image of an ip|engine, to be deployed on VMware ESXi.

    VoIP: Voice over IP.

    VPN: Virtual Private Network.

    VRF: Virtual Routing and Forwarding.

    WAN: Wide Area Network (long distance network that allows data exchange between remote sites).

    WAN-to-WAN: used for the measurement from the WAN port of the source ip|engine to the WAN port of the destination ip|engine. Applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated WAN (e.g. WAN-to-WAN Delay = WAN Delay). LAN-to-LAN Delay = Delay generated by the source ip|engine, if any + WAN-to-WAN Delay + Delay generated by the destination ip|engine, so the LAN-to-LAN Delay includes (and is higher than or equal to) the WAN-to-WAN Delay.

    WFQ: Weighted Fairness Queuing.

    Wizard: Way to create combinations of MetaViews and reports in ip|boss Reports menu.

    ZRE: Zero delay Redundancy Elimination (AKA RAM-based compression).

  • CHAPTER 1. IPANEMA SYSTEM

    Document organization

    1. 1. OVERVIEW

    1. 1. 1. Autonomic Networking System

    Ipanema's self-learning and self-optimizing Autonomic Networking System (ANS) tightly integrates all the features to guarantee the best application performance: Application Visibility, Application Control, WAN Optimization, Dynamic WAN Selection and Network Rightsizing.

    Easy to use and highly scalable, ANS addresses mid-size and thousands-sites companies. It also addresses Service Providers with thousands of customers.

    Based on the SALSA central management platform and on a family of appliances and software agents, ANS fits from the smallest Branch Office to the largest Datacenter.

    SALSA's centrally managed cooperative architecture

    Ipanema's ANS is:

    Autonomic:

    It guarantees applications performances through global and distributed coordination between Ipanema appliances and software agents,

    it dynamically adapts to traffic and network changes thanks to a "Sense and Respond" mechanism (Sense: Real-time view of the network performances and users' demand; Respond: Dynamic and distributed computation with second-by-second optimal policies enforcement),

    full control is provided, in most cases (depending on the network architecture), with as few as 10-20% of the sites equipped with physical appliances.

    All-in-one:

    All features are tightly coupled,

    it optimizes all application flows: data transfers (FTP, CIFS...), interactive flows (ERPs, Citrix...), real-time flows (VoIP, Videoconference...), etc.

    Service Framework:

    A unified management GUI is provided for all features,

    the multi-tenant SALSA platform scales up to 10Ms users and 100Ks sites,

    objective-based control enables Application SLAs and global WAN Governance.

    1. 1. 2. Ipanema features

    This section quickly describes Ipanema features (for more details see 1.3. Features description).

    Application Visibility

    Goal: understand application usage and performance over the entire network.

    How: providing clear application performance KPIs (Application Quality Score or AQS and MOS), high level consolidated reports, and very detailed information at the flow level.

    Application Visibility


    Application Control

    Goal: guarantee users' experience by controlling each application flow in real-time, depending on the network resources.

    How: dynamically enforcing Application SLAs for each user thanks to a global and dynamic approach, where the whole traffic matrix is taken into account in real time. Application Control manages the application flows in the most efficient way, even in full-mesh and very large networks.

    Application Control


    WAN Optimization

    Goal: accelerate delay sensitive applications and reduce bandwidth consumption.

    How: eliminating redundancy in the application flows (both at the packet level and data stream level), and accelerating TCP segments, CIFS application, SSL flows, etc.

    WAN Optimization

    These features are tightly coupled to address all situations.

    Tightly coupled features


    Network Rightsizing:

    Goal: align network sizing to budget and business requirements.

    How: combining Application Visibility and Application Control data to determine sizing options and their consequences; the results are displayed in easy-to-use reports.

    Network Rightsizing


    Dynamic WAN Selection:

    Goal: guarantee application performance across hybrid [MPLS + Internet] networks, improve business communication continuity, exploit large network capacity at low cost, benefit from Internet immediacy and ubiquity, turn back-up lines into business lines, eliminate complex policy based routing and unify the management of hybrid networks.

    How: automatically and dynamically selecting the best path for each application flow across the various networks.

    DWS

    1. 1. 3. Ipanema appliances, VMs and software agents

    Ipanema features are performed by Ipanema appliances, virtual machines and software agents, generally located at the interface between the enterprise network (LAN) and the access router to the operator network (WAN).

    There are two families of appliances: ip|engines and nano|engines, and two families of software agents: virtual|engines and Ipanema Mobile Agents (IMAs).

    Application Visibility and Application Control features are also available on sites that are not equipped (no ip|engine, no nano|engine and no virtual|engine on the site), declaring tele|engines on these sites.

    ip|engines: hardware devices; various models are available, with different capacities

    nano|engines: hardware ultra compact devices, for small Branch Offices

    tele|engines: logical service delivered through the remote collaborating ip|agents

    virtual|engines: virtual machines in .vmdk format

    IMAs: software agents for Windows desktops

    ip|agent is the software running on ip|engines, nano|engines and virtual|engines. IMAs run some of ip|agent's services (but we also call them ip|agents, by extension).

    To provide the features described above, ip|agents run the following services:

    for Application Visibility:

    ip|true: measurement,
    ip|sync: time synchronization,

    for Application Control:

    ip|fast: the Application Control service,
    ip|coop: tele|engines cooperative control,

    for WAN Optimization:

    ip|xtcp: TCP acceleration,
    ip|xcomp: compression (SRE and ZRE) + TCP acceleration,
    ip|xapp: CIFS acceleration,

    for Network Rightsizing:

    smart|plan

    for Dynamic WAN Selection:

    smart|path.


    1. 1. 4. Features availability

    The table below summarizes the features provided by the different Ipanema appliances and virtual machines, and on tele-managed sites:

    ip|true: ip|e: yes; nano|e: yes; virtual|e: yes; tele|e: yes, performed by the remote ip|agents (no D/J/L info)

    ip|fast: ip|e: yes; nano|e: yes; virtual|e: yes; tele|e: yes, performed by the remote ip|agents

    ip|xcomp SRE: ip|e ax: yes; ip|e non-ax: no; nano|e: no, except on hosts running IMAs; virtual|e: yes; tele|e: no, except on hosts running IMAs

    ip|xcomp ZRE: ip|e: yes**; nano|e: no; virtual|e: yes; tele|e: no

    ip|xtcp: ip|e: yes**; nano|e: no*; virtual|e: no*; tele|e: no*

    ip|xapp: ip|e: yes***; nano|e: no, except on hosts running IMAs; virtual|e: yes***; tele|e: no, except on hosts running IMAs

    smart|path: ip|e: yes; nano|e: yes; virtual|e: no; tele|e: no

    smart|plan: ip|e: yes; nano|e: yes; virtual|e: yes; tele|e: no

    Features availability

    * ip|xtcp is a single-box sender-side technology, so traffic to a site with a nano|engine, a virtual|engine or a tele|engine can be accelerated.
    ** except for ip|e 40so.
    *** ip|xapp is a single-box client-side technology, so the ip|engine or virtual|engine must be installed in the Branch Office (where the clients are). If it is not (sites with a nano|engine or a tele|engine), the feature can still be delivered, thanks to IMA.

    1. 1. 5. Functional architecture

    SALSA (Scalable Application Level Service Architecture) is the Central Management Software; it is composed of:

    ip|uniboss software (one server): it ensures the creation and management of the Domains, Unified User Management and Licenses management.

    ip|boss software (one or several servers, depending on the number of Domains and their sizes; it can be installed on the same server as ip|uniboss): it ensures system administration, system configuration (system provisioning, application provisioning and reports provisioning), service activation, real time monitoring (ip|dashboard), supervision, collection of the Correlation Records generated by ip|agents every minute (according to the parameters), interface with ip|reporter to create or delete reports (the main reports are automatically created).

    ip|reporter software (one or several servers, depending on the number of Domains, the volume of traffic and the number of reports; on very small networks (less than 10 sites) it can be installed on the same server as ip|boss/ip|uniboss): it ensures the reporting function, polling ip|boss to collect the raw data that it then consolidates in many different dimensions, with about 40 pre-defined report templates. ip|reporter is powered by InfoVista and embeds an InfoVista run time licence; this run time provides all user functions in local, remote or client/server mode or with an HTML interface with VistaPortalSE.

    InfoVista can be provided with two different VistaFoundation platforms: VF0 (provided to most Ipanema customers) and VF4 (provided for MSPs/NSPs or customers with very large networks only). Only VF0 platform is described in this document. For VF4 information, please refer to the relevant Technical notes.

    ip|export, an optional module of ip|reporter, allows automatic and dynamic export of any data from any reports in text, CSV or Excel formats. It is designed for seamless inter-operability between network measurement systems and Business Support Services.

    SALSA architecture

    A SALSA unified portal gives access to ip|uniboss, ip|boss, ip|dashboard and ip|reporter web. A Domain selector (drop-down list) allows selecting the Domain to be configured (with ip|boss) or monitored (with ip|dashboard) prior to connecting.

    SALSA unified portal

    It can be accessed with a web browser at https:///salsa/.


    1. 2. GENERAL PRINCIPLES

    1. 2. 1. System deployment

    A Domain is made up of a set of Ipanema appliances and virtual machines positioned at the measurement or control points of a network, in the same LANs as the CPE routers.

    Their ip|agent software measures, controls, compresses and accelerates the network traffic on the entire network.

    One Domain has to be created per logical entity, using ip|uniboss software. Once created, it is managed by a dedicated ip|boss instance.

    System deployment

    ip|agents belonging to the same Domain cooperate (distributed intelligence), but do not interact with other ip|agents belonging to other Domains.

    To measure, control and accelerate flows on a site with no ip|agent (no appliance nor virtual machine), the user can declare a tele|engine on that site (in the same way as they would declare a real ip|engine, in ip|boss). To make this possible, ip|agents must be present at the other ends of the flows (measurement, control and acceleration will be performed by the remote ip|agents, which is why such a site is also called a tele-managed site).

    ip|agents cooperation in a Domain (with tele-managed sites)

    The system performs measurement, control, redundancy elimination and acceleration on the basis of the observed traffic in the user's private IP addressing plan.

    Each ip|agent recognizes the local network (LAN) traffic transmitted to and received from the long-distance network (WAN).

    LANs have an IP address range expressed in the form a.b.c.d and a prefix, the length of which is expressed by /p.

    For correct system operation:

    each ip|engine, nano|engine, and virtual|engine must have a fixed IP address,

    the server running ip|boss must be accessible by all ip|engines, nano|engines and virtual|engines (it is not necessary for IMAs). It must therefore have an IP address, but the latter is not necessarily a fixed address, in theory (except if ip|reporter server is installed on another station, which should be the case in most cases). The server is not necessarily on the customer part of the network.

    1. 2. 2. Communication between system elements

    A Technical note, TN-0300164-02_Flow_matrix_SALSA_v, shows all ports used between all components of the Ipanema system.

    1. 2. 2. 1. Communication between ip|agents

    ip|agents exchange measurement and control information, among others.

    To accomplish this, each ip|agent hosts a specific server reachable by all other ip|agents on predetermined TCP and UDP ports.

    An ip|agent also hosts a specific client that transmits measurement and control signals and compressed data to the remote ip|agent servers. The source ports are dynamically selected by the transmitting ip|agents.

    Service L4 Port

    ip|true TCP 19999

    ip|fast UDP 19999

    ip|agent capacity advertising TCP 19996

    ip|xcomp SRE

    ip|xcomp ZRE dictionary and control TCP 19988

    ip|xcomp ZRE compression tunnel UDP 19988

    ip|xcomp ZRE keep alive UDP 19987

    ip|xtcp

    ip|xapp

    ip|sync (ITP) UDP 19995

    Clustering UDP 19997

    Ports used between ip|agents

    1. 2. 2. 2. Communication between ip|boss and ip|agents

    There are three types of communication channels between ip|agents and ip|boss:

    configuration and supervision,
    polling of the measurement records (Correlation Records),
    polling of the real-time graphs data.

    Service L4 Port Usage

    HTTPS TCP 443 Configuration, supervision, collection of the Correlation Records.

    FTP TCP 20-21 Download ip|agent software (the FTP server is not necessarily on ip|boss).

    SSH TCP 22 Remote connection on Ipanema appliances and virtual machines (enabled by default). (The remote access is not necessarily granted from ip|boss.)

    Telnet TCP 23 Remote connection on Ipanema appliances and virtual machines (disabled by default). (The remote access is not necessarily granted from ip|boss.)

    Real-time graphs TCP 19990-19993 Additional polling to provide a real-time view in ip|dashboard.

    Ports used between ip|agents

    Configuration and supervision channel

    Each ip|engine, nano|engine and virtual|engine hosts an HTTPS server accessible by ip|boss for configuration and supervision. This server is reached on TCP/443 destination port (default value; another value can be configured on request).

    If remote connections (SSH and/or Telnet) are to be established from ip|boss (not mandatory, but very helpful), then ports 22 (SSH) and/or 23 (Telnet) are also used. (By default, SSH is enabled on all ip|agents, and Telnet is disabled.)

    If ip|boss is used as an FTP server to download ip|agent software, then ports TCP/20 and 21 are also used (they are not otherwise; the FTP server can be on other devices, such as an external server or even an ip|engine, for instance).

    Periodic measurement collection channel

    The HTTPS server embedded in ip|agents is also used by ip|boss to retrieve the measures (pull) (same port and remark as above).

    Real-time measurement polling channel

    Real-time measures are sent by the ip|agents on a unidirectional TCP connection to a predefined destination port (in the 19990-19993 range by default; other ranges can be configured).

    The TCP source port is dynamically selected (a fixed port can be configured) by the transmitting ip|agent.
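An added example (not part of the Ipanema manual or software): a Python check that encodes the default ports from the two tables above and classifies flow records by the roles of their endpoints, flagging Telnet and anything outside the matrix. The inventory addresses, the flow-record format and the assumption that the ip|agent is the FTP client are constructed for illustration.

```python
"""Audit observed flows against the default port matrix of sections 1.2.2.1 and 1.2.2.2."""
from typing import NamedTuple

# Default ports between ip|agents (services the table lists without a port are omitted).
AGENT_TO_AGENT = {
    ("tcp", 19999): "ip|true",
    ("udp", 19999): "ip|fast",
    ("tcp", 19996): "ip|agent capacity advertising",
    ("tcp", 19988): "ip|xcomp ZRE dictionary and control",
    ("udp", 19988): "ip|xcomp ZRE compression tunnel",
    ("udp", 19987): "ip|xcomp ZRE keep alive",
    ("udp", 19995): "ip|sync (ITP)",
    ("udp", 19997): "Clustering",
}
# ip|boss connects to the servers hosted on each ip|agent.
BOSS_TO_AGENT = {
    ("tcp", 443): "HTTPS",   # default; the manual notes another value can be configured
    ("tcp", 22): "SSH",      # enabled by default
    ("tcp", 23): "Telnet",   # disabled by default
}
# ip|agents connect to ip|boss: real-time graph data (default range), and FTP
# control when ip|boss is the FTP server. Assumption: the ip|agent is the FTP
# client. The FTP data connection (port 20) is not modelled here.
AGENT_TO_BOSS = {("tcp", 21): "FTP"}
AGENT_TO_BOSS.update({("tcp", p): "Real-time graphs" for p in range(19990, 19994)})

MATRIX = {
    ("agent", "agent"): AGENT_TO_AGENT,
    ("boss", "agent"): BOSS_TO_AGENT,
    ("agent", "boss"): AGENT_TO_BOSS,
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Parse a constructed record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow, roles):
    """Return (verdict, detail) for one flow, given an {ip: role} inventory."""
    src_role, dst_role = roles.get(flow.src), roles.get(flow.dst)
    if src_role is None or dst_role is None:
        # SSH/Telnet may legitimately come from an admin host that is not
        # ip|boss; such hosts must be added to the inventory to be accepted.
        return "unknown-endpoint", "endpoint not in the Domain inventory"
    service = MATRIX.get((src_role, dst_role), {}).get((flow.proto, flow.dport))
    if service is None:
        return "undocumented", (
            f"{src_role}->{dst_role} {flow.proto}/{flow.dport} is not in the matrix")
    if service == "Telnet":
        return "review", "Telnet is disabled by default; confirm it was enabled on purpose"
    return "documented", service

def audit(lines, roles):
    """Return (flow, verdict, detail) for every flow that is not 'documented'."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, detail = classify(flow, roles)
        if verdict != "documented":
            findings.append((flow, verdict, detail))
    return findings

# Constructed inventory and flow records (documentation address ranges).
ROLES = {"192.0.2.10": "agent", "192.0.2.20": "agent", "198.51.100.5": "boss"}
SAMPLE_FLOWS = [
    "192.0.2.10 192.0.2.20 tcp 19999",
    "192.0.2.20 192.0.2.10 udp 19995",
    "198.51.100.5 192.0.2.10 tcp 443",
    "198.51.100.5 192.0.2.20 tcp 23",
    "192.0.2.20 198.51.100.5 tcp 19991",
    "192.0.2.10 192.0.2.20 tcp 23",
    "203.0.113.9 192.0.2.10 tcp 22",
    "192.0.2.20 198.51.100.5 udp 19999",
]

if __name__ == "__main__":
    for flow, verdict, detail in audit(SAMPLE_FLOWS, ROLES):
        print(f"{verdict:17} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {detail}")
```

Where the HTTPS port or the real-time range has been changed from the defaults, the tables in the script must be edited to match before its verdicts mean anything.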

    1. 2. 2. 3. Communication between ip|boss client and ip|boss server

    Communications between ip|boss web client and ip|boss server use HTTPS (port TCP/443).

    1. 2. 2. 4. Communication between ip|boss and ip|reporter

    Two kinds of communication channels exist between ip|boss and ip|reporter:

    configuration and supervision channel: ip|boss supervises and configures the reporting system via the InfoVista interfaces. The used TCP ports are dynamic by default, but they can be fixed by configuration. This channel allows the reports creation and deletion according to the configuration and ip|reporter's supervision status.

    collect channel (SNMP): ip|boss houses an SNMP agent used by ip|reporter (InfoVista) in order to collect the measurement data (pull mode). This SNMP agent is reachable via a UDP port configured for each Domain in ip|uniboss.

    1. 2. 3. Security

    The Ipanema System provides robust security features (SSL, SSH, tools for key generation and distribution, etc.) to protect the system against break-in and hostility threats. Authentication mechanisms to access the different system elements, and between them, protect the system against unauthorized accesses. Communication encryption between the system elements protects the system against sniffing of configuration information or measurement results exchanged between them.

    1. 2. 3. 1. Appliances Access Control (Console and SSH)

    Many security features regarding the access to Ipanema appliances, through the console or through the network, are implemented. They are listed below (however access to a particular appliance is limited to a very small number of cases):

    console access is secured with full password management;

    remote access is secured with the use of the SSH protocol (Telnet is also available, but for security reasons it is disabled by default);

    commands limitation: when remotely accessing an Ipanema appliance (or virtual machine), the set of available user commands is carefully restricted to the minimum (device basic configuration and troubleshooting, namely).

    1. 2. 3. 2. Secured ip|boss - ip|agents communications

    SSL protocol is used to download the configuration file from ip|boss to all ip|agents, to monitor all appliances and to collect the measurement data. Both authentication and encryption are used.

    The Ipanema System allows three security levels:

    First level (default mode): The customer uses the default factory certificate. Communications are secured. Nevertheless, as the certificate is not unique to the customer, the security level is not at its maximum.

    Second level: The customer defines their own certificate. This can be achieved either in ip|boss or using a certificate generator. Certificate installation on ip|agents is managed from ip|boss and does not require local access to the Ipanema appliances or virtual machines. Communications are secured. Unauthorized people will not be able to enter the system nor to read or interpret configuration or measurement data.

    Third level: The customer defines their own certificate and an SSL passphrase. This requires not only an ip|boss certificate installation, but also to have local access to all ip|agents in order to set up the passphrase configuration. Communications are secured. Combination of certificate and local passphrase provides the highest level of security.

    Important reminder: 80% of the security breaches are internal to companies.

    1. 3. FEATURES DESCRIPTION

    1. 3. 1. Application Visibility (ip|true)

    The primary goal of Application Visibility is to understand application usage and performance over the entire network.

    To reach that goal, applications are classified in Application Groups (AGs), and each AG has specific QoS performance objectives (nominal bandwidth per session and two thresholds, objective and maximum, for one-way-delay, jitter, packets loss, RTT, SRT and TCP retransmission ratio), which makes it possible to check whether performance objectives are met or not, and to calculate an Application Quality Score (AQS) accordingly.

    Ipanema Application Visibility is:

    comprehensive (see the list of metrics below),

    highly accurate, relying on time synchronization from the network (thanks to ITP, Ipanema Time Protocol),

    very precise and non-intrusive: measurements are made on the actual data packets and not on test packets nor simulated flows,

    exhaustive: all IP packets are measured,

    independent from the operator network access and core technology (measurements are made at the IP layer),

    confidential: the contents of user packets are not, at any time, stored, saved or even transmitted between the different system components.

    ip|true provides the following metrics:

    the number of packets and bytes transmitted and received,

    the number of sessions,

    the following one-way metrics:

    Delay, Jitter, packet Loss,

    all three (called D/J/L) both:

    ingress (from the LAN to the WAN) and egress (from the WAN to the LAN),

    and both:

    between the LAN interfaces of the appliances (LAN-to-LAN metrics, simply called LAN) and

    between their WAN interfaces (WAN-to-WAN metrics, simply called WAN):

    the following TCP metrics:

    RTT (Round Trip Time), SRT (Server Response Time), TCP retransmission ratio,

    the following composite metrics:

    Voice's MOS (Mean Opinion Score), all flows' AQS (Application Quality Score).

    AQS

    Individual measurements are aggregated and analyzed according to multiple criteria (source and destination sites, source and destination subnets, Application Groups, applications, etc.). The results are presented in the form of detailed flows lists, real-time graphs, charts, etc., and archived with periodic aggregation (in hourly, daily, weekly and monthly reports). They are made available for subsequent processing or reference, and can be used to generate alarms, analyze long-term trends, forecast future traffic increase to estimate optimum network sizing, etc.

    Users can specify their own aggregation criteria, thus taking into account their enterprise organization (e.g. the different countries, departments, services, etc.).

    The following system elements are involved:

    ip|agents (ip|true): elementary observations, correlation, traffic classification,

    ip|boss: configuration, polling of the Correlation Records (HTTPS), MIB update,

    ip|reporter: polling of ip|boss MIB (SNMP), reports publishing and reports database management.

    1. 3. 1. 1. ip|agents elementary observations, correlation and classification

    Each IP packet observed by an ip|agent undergoes a series of operations:

    filtering of IP v4 packets,

    classification and filtering of packets according to their types:

    local traffic on the LAN, ingress traffic (LAN to WAN traffic), egress traffic (WAN to LAN traffic), transit traffic.

    correlation, to calculate the one-way metrics (Delay, Jitter and packet Loss), when both the source and the destination of the flow are equipped with Ipanema appliances or virtual machines (this condition is necessary); this operation is achieved in four steps:

    1. when the packet is sent and crosses the upstream ip|agent, the latter calculates a signature (hash) and stores it locally,

    2. when the packet is received and crosses the downstream ip|agent, the latter calculates a signature (the same one),

    3. once a second, the downstream ip|agent sends its signatures back to the upstream one, in a compact Ticket Record. Ticket Records have an average length of 300 bytes and the overload they generate is approximately 2% of the measured traffic (

    Thanks to this correlation mechanism, the upstream ip|agent knows how many packets have been received and when they were received, thus allowing it to calculate the flow's D/J/L.

    Correlation mechanism

    traffic classification according to multiple criteria:

    by application: applications are recognized thanks to a syntax engine allowing layer 7 attributes to be taken into account, which makes it possible to identify the vast majority of the user applications,

    by source and destination sites,

    by source and destination subnets (according to the User subnets directory),

    by TOS value (the "TOS" field of the IP header identifies the Type of Service; they can be configured in the TOS dictionary),

    etc. (the classification level can be determined by configuration),

    Then ip|agents output measurement tickets (Correlation Records), when polled by ip|boss Collector, every minute (or every 5 minutes on very large networks; this parameter, Collect, is set at the Domain level in ip|uniboss).

    (ip|boss will store the information in a MIB, depending on the created MetaViews (see the reports configuration in ip|boss) and in ip|dashboard's database, and ip|reporter will poll ip|boss's MIB using SNMP to aggregate the information and generate the reports; see below.)
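    The correlation operation described in this section (signature stored upstream, same signature computed downstream, signatures returned once a second in Ticket Records) can be illustrated as follows. This is an added sketch, not Ipanema code: the truncated SHA-256 signature, the class names, the millisecond timestamps and the jitter definition (mean absolute difference between consecutive delays) are assumptions, and both agents are assumed to share a synchronized clock.

```python
import hashlib


def signature(packet: bytes) -> bytes:
    # Assumption: truncated SHA-256 stands in for the product's hash,
    # which this page does not document.
    return hashlib.sha256(packet).digest()[:8]


class DownstreamAgent:
    """Receiver-side agent: records the signature and arrival time of each packet."""

    def __init__(self):
        self.seen = []  # (signature, receive time in ms)

    def observe(self, packet, t_ms):
        self.seen.append((signature(packet), t_ms))

    def ticket_records(self, period_ms=1000):
        """Batch the observations once per period, one Ticket Record per batch."""
        batches = {}
        for sig, t_ms in self.seen:
            batches.setdefault(t_ms // period_ms, []).append((sig, t_ms))
        return [batches[k] for k in sorted(batches)]


class UpstreamAgent:
    """Sender-side agent: stores each signature locally with its send time."""

    def __init__(self):
        self.pending = {}  # signature -> send time in ms
        self.sent_count = 0

    def observe(self, packet, t_ms):
        self.pending[signature(packet)] = t_ms
        self.sent_count += 1

    def correlate(self, ticket_records):
        """Match returned signatures against stored ones and derive D/J/L."""
        samples = []
        for record in ticket_records:
            for sig, rx_ms in record:
                tx_ms = self.pending.pop(sig, None)
                if tx_ms is not None:  # ignore signatures this agent never sent
                    samples.append((tx_ms, rx_ms - tx_ms))
        samples.sort()  # order the delays by send time
        delays = [d for _, d in samples]
        if not delays or not self.sent_count:
            return {"received": 0, "delay_ms": None, "jitter_ms": None,
                    "loss_ratio": 1.0 if self.sent_count else 0.0}
        steps = [abs(b - a) for a, b in zip(delays, delays[1:])]
        return {
            "received": len(delays),
            "delay_ms": sum(delays) / len(delays),
            "jitter_ms": sum(steps) / len(steps) if steps else 0.0,
            # Signatures never returned count as lost packets.
            "loss_ratio": (self.sent_count - len(delays)) / self.sent_count,
        }


def run_demo():
    up, down = UpstreamAgent(), DownstreamAgent()
    # Constructed flow: (payload, send time ms, receive time ms or None if lost).
    flow = [(b"pkt-0", 0, 20), (b"pkt-1", 300, 330), (b"pkt-2", 600, None),
            (b"pkt-3", 900, 920), (b"pkt-4", 1200, 1230)]
    for payload, tx_ms, rx_ms in flow:
        up.observe(payload, tx_ms)
        if rx_ms is not None:
            down.observe(payload, rx_ms)
    records = down.ticket_records()
    return len(records), up.correlate(records)


if __name__ == "__main__":
    print(run_demo())
```

    The delays are only meaningful because both timestamps come from the same time base, which is why the one-way metrics depend on the time synchronization described in this manual.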

    1. 3. 1. 2. Considerations on fragmentation

    Transmitting large packets on the network can degrade the quality of service for applications, particularly if access speed is low. IP protocol allows datagrams to be fragmented into several packets (fragments). Fragmentation can be performed at different points, but is generally performed:

    by the access router (CPE) connected to a low-speed interface, by an access or transit router in certain cases of congestion.

    Fragments are not reassembled on the network or in the router, but by the end station.

    To keep measures consistent without making assumptions on whether and where fragmentation occurred (before or after the first ip|agent), the Ipanema system performs measurements on the datagrams. This choice allows the classification mechanisms to operate correctly, even though port numbers of the TCP/UDP protocol are present only in the first fragment of a datagram.

    This choice is also consistent with applications' behaviors. Indeed, the user application must wait for the datagram to be reassembled before it is able to use the data it contains. It is therefore the reception of the last fragment that is important.

    A datagram is considered to be lost as soon as one or more of its fragments is lost. In this case, the datagram is not delivered to the transport layer by the destination terminal.

    1. 3. 1. 3. Time synchronization

    ip|engines, nano|engines and virtual|engines synchronization on the Domain is used for correlation (see above), hence for Delay/Jitter/Loss measurement (and measurement only: control, redundancy elimination, etc., do not require synchronization).

    There are two synchronization layers:

    Time servers

    they can be either ip|engines, virtual|engines, ip|boss or External NTP servers,

    one is enough,

    if several are used, they MUST deliver a consistent time between each other,

    if an ip|engine is a Time Server, it will use its local ITP configuration.

    Synchronization servers

    they must be ip|engines or virtual|engines of the Domain,

    they will not use their local reference, except in case of Time servers failure,

    they share their clocks with their peers (all other synchronization servers).

    The Synchronization servers take their timing from the Time server and issue it to the rest of the Domain's appliances and virtual machines.

    Synchronization two-layer model

    This two-layer model allows GPS-less yet precise synchronization across the whole Domain, out of Domain synchronization and short term no time function (a Domain can be disconnected from its Time server, thus improving resiliency).

    1. 3. 1. 4. ip|boss: monitoring and SNMP Agent

    ip|boss monitoring function and ip|dashboard client provide a real-time view of the performance and activity of the observed traffic in the form of graphs.

    Measures collected in the Correlation Records are stored in ip|dashboard's database, thus allowing real time monitoring of the traffic, and in ip|boss MIB, where they can be polled by ip|reporter (or other devices), thus allowing any view (local, global, etc.), aggregating the data according to multiple criteria (by sites, by countries, by applications, etc.).

    1. 3. 2. Application Control (ip|fast)

    End-to-end QoS depends on both network infrastructures (transmission lines, access lines, traffic engineering policies) and user traffic.

    Network bottlenecks result in congestions and, at times, limit optimum bandwidth to well below its rated value. Transmitting more traffic will only result in increased transfer time and losses, thereby degrading QoS and application "goodput".

    The goal of the Application Control feature is to anticipate and avoid congestions, and to guarantee the users' experience by adjusting each application flow in real-time.

    To reach that goal, Application Groups attributes include:

    the business criticality of the application flow (top, high, medium or low),

    the bandwidth objective (bandwidth requirements of the application flow, necessary and sufficient to provide it with good quality),

    the traffic type (real time, transactional or background),

    compression and acceleration capabilities,

    thus allowing the controlling agent (ip|fast) to protect the business critical flows dynamically and efficiently, also taking into account the demand in real time (measured by ip|true).

    There is no need to set low-level, network or device-specific policy rules.

    The utilization of these parameters by ip|fast can be summarized as follows:

    business criticality: the higher the criticality of the flow, the more ip|fast will protect it;

    bandwidth objective: bandwidth that ip|fast will try to provide to the application flow, even when the available bandwidth is scarce; the higher the criticality of the flow, the more likely its bandwidth objective will be met at all times;

    traffic type: ip|fast will manage the priorities between the different queues depending on the sensitivities of the flows to avoid Delay and Jitter on the sensitive ones, knowing that:

    real time flows are sensitive to Delay and Jitter; examples: VoIP and Video conference, transactional flows are sensitive to Delay (but not to Jitter); examples: Telnet, Citrix, background flows are not sensitive at all; examples: file transfer, e-mail.

    compression and acceleration capabilities: to know whether the flow can be compressed (with ip|xcomp, see below) and/or accelerated (with ip|xtcp, see below).

    Congestion anticipation and avoidance is performed by comparing the available bandwidth (or network capacity) and the bandwidth used by all flows currently running (network usage).

    The comparison is performed on the access links, ingress and egress, and possibly end-to-end (namely if the available bandwidth between any pair of sites is not fixed and guaranteed).

    If the network usage reaches about 95% of the network capacity, then ip|fast triggers and starts controlling the bandwidth allocation.

    The network usage is known very precisely, thanks to ip|true, which measures each and every packet crossing the Ipanema appliance or virtual machine.

    The network capacity is:

    either fixed (and defined in ip|boss, in the WAN access parameter),

    or (if it varies) automatically and dynamically estimated by the Tracking function. The Tracking function itself is activated in the WAN access window, where a maximum and a minimum bandwidth can be defined:

    if the minimum is set at a lower value than the maximum (min < max), then the Tracking function will estimate the instantaneous bandwidth, at any moment, between these two thresholds;

    if the minimum is set at the same value as the maximum (min = max), then the Tracking function is disabled, and the available bandwidth is considered as constant.

    It is also the Tracking function that anticipates and avoids end-to-end congestions.

    ip|fast principles

    ip|fast is completely transparent to the network (the CPE only performs IP routing functions for network access) except when the Coloring function is used, in which case the ToS field can be marked (see below).

    ip|fast and CoS

    If an operator offers different Classes of Service, assigning a CoS to the traffic becomes difficult. To adapt to this constraint and allow full compatibility between Ipanema's traffic protection and the operator's policy, the Ipanema System can automatically color (or mark) the packets according to the traffic Criticality and Type, using the ToS/DSCP field. The mode is Color-Blind (all packets are treated as if they were uncolored: they are marked according to the selected coloring rule regardless of their initial color, if any).

    Topology: how to control flows end-to-end, even in a full-mesh environment

    From a topological point of view, as several access points may send data to the same destination (and an access point may send data to several others), it can result in One-to-N or N-to-One type congestions.

    To solve the issue, ip|fast dynamically shares the global network available bandwidth to all active sources, taking into account the traffic demand, network bottlenecks and N-to-N congestions.

    This is made possible thanks to the permanent communication between ip|agents.

    Summary

    ip|fast can be summarized as follows:

    it globally and dynamically controls bandwidth allocation between all access points, it adapts QoS policies to current network performance and real user demand, it selects, for each traffic flow, the right Class of Service in terms of performance,

    based on:

    the traffic requirements (criticality, bandwidth objectives), the bandwidth demand, the network performance.

    1. 3. 3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp)

    End-to-end quality of application flows vastly depends on the capacity of the links, and on the end-to-end delays. WAN Optimization, which leverages the Application Control feature, helps improve quality by accelerating delay-sensitive applications and by reducing bandwidth consumption.

    To reach that goal, three services are used:

    ip|xtcp: one-side TCP acceleration, ip|xcomp: compression (or redundancy elimination) and TCP acceleration, ip|xapp: CIFS acceleration.

    1. 3. 3. 1. ip|xtcp

    TCP was not designed for networks with a large BDP (Bandwidth-Delay Product, i.e. large RTT and/or high available bandwidth) or with a significant Bit Error Rate:

    the slow-start mechanism increases the latency of short transfers,

    due to the BDP limitation, the TCP sessions cannot fully utilize the available bandwidth, and error recovery is slow.

    TCP acceleration (ip|xtcp service) overcomes these two limitations, using an ip|agent on the sender side (single-side technology). To achieve that goal, it is tightly coupled with ip|fast:

    ip|fast knows the available bandwidth precisely, so we do not need the (old) TCP mechanism to discover it,

    thanks to ip|fast, ip|xtcp is able to provide the flows with just the right amount of acceleration (accelerating flows too much could create congestion!), still guaranteeing critical applications protection.

    It uses two mechanisms, independent from each other:

    speed-up the slow start (fast start), overcome the BDP limitation (over-bdp).

    The key idea is, for each connection, to proactively enslave the TCP source rate to the ip|fast computed rate for this connection.

    1. 3. 3. 2. ip|xcomp

    For many reasons, it can be difficult to increase the bandwidth of a link (cost, operator delay, etc.). ip|xcomp overcomes this problem, by increasing the volume of traffic that can be sent on the network. To achieve that goal, two different mechanisms are used:

    SRE (Standard Redundancy Elimination): Transparent mechanism that uses a TCP proxy and stores the redundant patterns, at the stream level, on the hard disks of the ip|engines, virtual|engines or device hosting IMA, and exchanges small signatures instead, thus reducing bandwidth consumption. SRE is particularly efficient at compressing big flows such as large file transfers, for instance.

    ZRE (Zero-delay Redundancy Elimination): Mechanism that compresses the data, at the IP packet level, without buffering them (hence its name, zero delay) and encapsulates the compressed data in UDP tunnels before sending them (tunnels are automatically created). ZRE is particularly efficient with delay-sensitive flows, and with flows that do not have large redundant patterns (typically transactional applications).

    The best mechanism is automatically selected for each flow, but it can also be forced by configuration (in ip|boss), site by site and Application Group by Application Group.

    ip|xcomp SRE also accelerates TCP, by using window scaling (RFC 1323) between the two proxies.

    ip|xcomp and ip|xtcp are mutually exclusive: when both are available, it is ip|xcomp that prevails (ip|xcomp SRE also accelerates TCP anyway).

    1. 3. 3. 3. ip|xapp

    The ip|xapp service allows accelerating CIFS traffic.

    CIFS stands for Common Internet File System, also known as SMB (Server Message Block). It is a proprietary Network protocol, the most common use of which is sharing files on a LAN, but also, due to Data Server Consolidation, over the WAN.

    ip|xapp accelerates CIFS version (or Dialect) NT LM 0.12 (SMB1).

    Deployment

    CIFS Acceleration is a Client-side technology. So the typical deployment case uses ip|engines installed near the CIFS clients, or IMAs on the hosts running them, therefore mainly in Branch Offices.

    CIFS acceleration and Redundancy elimination

    ip|xapp and ip|xcomp are compatible. It is possible to compress accelerated CIFS traffic, both with ZRE and SRE, in one, the other or both directions, depending on the Application Group CIFS is matching, and on the local and remote sites compression/decompression capacities.

    1. 3. 4. Dynamic WAN Selection (smart|path)

    The goal of Dynamic WAN Selection (DWS) is to combine multiple physical networks (hybrid networks, e.g. MPLS and Internet) into one unified logical network, maximizing both Quality of Experience & business continuity.

    To achieve that goal, smart|path:

    automatically and dynamically selects the best traffic path, according to Application Groups and WAN accesses configuration,

    the Ipanema appliance handles the dynamic traffic conditioning according to the destination of the flows.

    This maximizes application performance, security and network usage based on:

    network quality and availability, application Performance SLAs, sensitivity level of the information.

    It maximizes combined networks efficiency:

    network capacity, network availability, network performance.

    Typical deployment cases:

    single router with multiple interfaces, several routers with one interface (for example HSRP clustering).

    These cases can be combined on the same site or in the same network.

    1. 3. 5. Network Rightsizing (smart|plan)

    The bandwidth usage at a site does not reflect the actual users' needs. Moreover, TCP uses as much bandwidth as it can (TCP elasticity), and TCP does not make any difference between a non critical FTP transfer and an ERP critical flow, for instance: although less critical, FTP will use more bandwidth than the ERP.

    As a consequence, usage based provisioning is always over-estimated:

    usage based provisioning = over-provisioning

    There is also a drawback in increasing the bandwidth at a site (apart from the cost): the more available bandwidth, the less its usage matches the business needs of the company:

    more bandwidth attracts useless traffic!

    The Network Rightsizing feature, provided by an optional module of ip|reporter, allows aligning network sizing to budget and business requirements, thus allowing companies to size their networks at the best rather than over-provisioning them:

    by taking the actual needs of the flows into account, by eliminating security margins (tempest of the century syndrome), by being insensitive to the topology.

    It is based on the smart|plan service, which leverages ip|fast and provides ip|reporter with further metrics, allowing it to produce very high added value yet easy-to-use reports, enabling a complete analysis of the relationship between bandwidth (resource) and delivered service level (results) for each network access.

    Using this information, it is possible to immediately decide if the access link is under-provisioned or over-provisioned in regard of the expected service level per applications' business criticality.

    The data generated by the smart|plan service is available throughout the Ipanema System components. ip|boss makes them available through the SNMP interface, ip|reporter uses them to generate the appropriate easy-to-use reports and ip|export can export them in text or Excel format for post-processing.

    Network Rightsizing report

    To enable this feature on a site:

    there must be an Ipanema appliance or virtual machine on the site, ip|fast must be enabled, the smart|plan option must be enabled.

    Thanks to the smart planning feature, the Ipanema system allows the best usage of