Ipanema System User Manual 8.1
Issue: October 2014
Headquarters, France: Ipanema Technologies, 28 rue de la Redoute, 92260 Fontenay-aux-Roses; email: [email protected]; tel: +33 (0)1 55 52 15 00; Technical support email: [email protected]; tel: +33 (0)1 55 52 15 22
Belgium: Ipanema Technologies, Av. du Bourg. Etienne Demunter 3, 1090 Bruxelles; tel: +32 498 17 95 09
Germany: Ipanema Technologies GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden; tel: +49 611 97774 285
Italy: Ipanema Technologies, Piazzale Biancamano 8, 20121 Milano; tel: +39 02 6203 2185
Singapore: Ipanema Technologies APAC, 105 Cecil Street, Level 11 The Octagon, Singapore 069534; tel: +65 68201235
Spain: Ipanema Technologies, Av. de Europa 19, Parque Empresarial La Moraleja, Alcobendas, 28108 Madrid; tel: +34 91 793 21 30
Switzerland: Ipanema Technologies, Zollikerstrasse 153, CH-8008 Zurich; tel: +41 (0)43 488 45 06
The Netherlands: Ipanema Technologies, Vaartserijnstraat 16, 3523 Utrecht; tel: +31 30 890 6680
United Kingdom: Ipanema Technologies Ltd, The Podium, One Eversholt Street, London NW1 2DN; tel: +44 (0)207 554 0822
USA: Ipanema Technologies Corp., 200 Fifth Avenue, Waltham, MA 02451; tel: +1 781 890 8008; Technical support email: [email protected]; tel: +1 617 862 0033; toll free number: 888 485 4884
The information contained in this document is subject to change without notice. The information and specifications contained in this document are not contractual. The information contained in this document is sincerely considered by Ipanema Technologies to be accurate and reliable, but implies no warranty, either explicit or implicit. Users are responsible for their personal use of the information and specifications. Ipanema Technologies shall not be liable for any errors which may appear in this document. Reproduction in any form whatsoever, without the written authorization of Ipanema Technologies, is strictly forbidden. Ipanema, the Ipanema logo, Ipanema System, SALSA, ip|uniboss, ip|boss, ip|dashboard, ip|reporter, ip|engine, nano|engine, virtual|engine, tele|engine, IMA, ip|agent, ip|sync, ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, ip|export and smart|plan are trademarks of Ipanema Technologies. Any trademarks and trade names which may be used in this document refer to the entities which own these trademarks and these trade names, or to their products. Ipanema Technologies renounces all proprietary interest in trademarks and trade names other than its own. © Copyright 2001/2014, Ipanema Technologies All rights reserved
Contents
INTRODUCTION
1. REVISIONS
2. LIST OF ASSOCIATED DOCUMENTS
3. DOCUMENT ORGANIZATION
4. TERMS USED

CHAPTER 1 IPANEMA SYSTEM
1. OVERVIEW
1.1. Autonomic Networking System
1.2. Ipanema features
1.3. Ipanema appliances, VMs and software agents
1.4. Features availability
1.5. Functional architecture
2. GENERAL PRINCIPLES
2.1. System deployment
2.2. Communication between system elements
2.3. Security
3. FEATURES DESCRIPTION
3.1. Application Visibility (ip|true)
3.2. Application Control (ip|fast)
3.3. WAN Optimization (ip|xcomp, ip|xtcp, ip|xapp)
3.4. Dynamic WAN Selection (smart|path)
3.5. Network Rightsizing (smart|plan)
3.6. Tele-managed sites

CHAPTER 2 UNIFIED ACCESS TO THE IPANEMA SYSTEM (SALSA CLIENT)
1. SALSA WEB PORTAL
2. UNIFIED USER MANAGEMENT
3. SALSA URLs
4. LDAP AUTHENTICATION
5. VISTAPORTAL AND VPSE CONSIDERATIONS
5.1. VistaPortal considerations
5.2. VistaPortal SE considerations

CHAPTER 3 MANAGING DOMAINS, USERS AND LICENSES (IP|UNIBOSS)
1. DOMAINS OVERVIEW
2. ip|uniboss CLIENT
2.1. Connection to ip|uniboss
2.2. ip|uniboss main window
3. IMPORTING A LICENSE
4. SYSTEM PROVISIONING
4.1. Declare ip|boss servers
4.2. Domains
4.3. Radius
5. REPORTING PROVISIONING
5.1. ip|reporter web portals (VF0 and VF4)
5.2. VistaMart (VF4 only)
5.3. Server Group (VF4 only)
5.4. IV Server
6. MANAGING USERS
6.1. System administration: Users
6.2. System administration: User Groups
6.3. User credentials supplied in the URL
6.4. User name as an HTTP header
October 2014
Ipanema Technologies
6.5. External LDAP authentication
6.6. External SAML authentication
7. SUPERVISION
7.1. Inventory
7.2. Logs
7.3. Issues

CHAPTER 4 CONFIGURING SERVICES (IP|BOSS)
1. CONFIGURATION OVERVIEW
2. ip|boss WEB CLIENT
2.1. Connection to ip|boss
2.2. ip|boss main window
2.3. ip|boss tool bar
2.4. ip|boss status zone
2.5. ip|boss table view
2.6. ip|boss creation form
3. ip|boss CLI CLIENT
3.1. CLI architecture
3.2. CLI language
3.3. Tabular input and output
4. OPERATING PROCEDURE
5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION
5.1. Create a new configuration
5.2. Open a configuration
5.3. Save a configuration
5.4. Undo a configuration modification
6. EXPORTING AND IMPORTING OBJECTS
6.1. Exporting objects
6.2. Importing objects
7. SYSTEM PROVISIONING
7.1. Configuring Coloring
7.2. Configuring WAN Accesses
7.3. Configuring ip|engines and tele|engines
7.4. Configuring Topology subnets
7.5. Configuring ip|sync (time synchronization)
7.6. Scripts
7.7. Tools
7.8. Configuring DWS (Tools / Advanced conf.)
8. APPLICATION PROVISIONING
8.1. Configuring User subnets
8.2. Configuring Types of service (TOS)
8.3. Configuring Applications
8.4. Configuring QoS Profiles
8.5. Configuring Application Groups (AGs)
8.6. Configuring LTL (Local Traffic Limiting)
9. REPORTING
9.1. Configuring MetaViews
9.2. Configuring Reports
9.3. Configuring Alarming
10. SUPERVISION OPTIONS
10.1. Configuring Fault Management
11. SYSTEM ADMINISTRATION
11.1. Configuring Automatic reporting
11.2. Configuring Security

CHAPTER 5 IPANEMA SYSTEM SUPERVISION (IP|BOSS)
1. ip|boss MAIN WINDOW
2. SUPERVISION
2.1. ip|engine status (monitoring ip|engines activity)
2.2. Status Maps (monitoring ip|engines activity)
2.3. Scripts
2.4. Security (monitoring security certificate)
3. SYSTEM PROVISIONING: TOOLS
3.1. Rebooting
3.2. ip|engine software upgrade
4. ip|boss LOGS
5. CONFIGURATION HISTORY

CHAPTER 6 USING IPANEMA SERVICES (IP|BOSS)
1. STARTING AND STOPPING A SESSION
1.1. Starting a session
1.2. Stopping a session
2. DYNAMICALLY MODIFYING A SESSION
2.1. Update procedure
2.2. Transition
3. SERVICE ACTIVATION
3.1. ip|true (measurement)
3.2. ip|fast (Application Control)
3.3. ip|coop (tele-cooperation)
3.4. ip|xcomp (redundancy elimination)
3.5. ip|xtcp (TCP acceleration)
3.6. ip|xapp (CIFS acceleration)
3.7. smart|plan
3.8. IMA
4. HELP

CHAPTER 7 MONITORING (IP|DASHBOARD)
1. CONNECTION
2. GRAPHICAL USER INTERFACE
2.1. ip|dashboard window, menus and views
2.2. Frames and timing
2.3. Reading ip|dashboard contents
2.4. Access to the reports
3. DOMAIN VIEW
3.1. Quality Summary
3.2. Activity Summary
4. SITES VIEW
4.1. Overview
4.2. Sites
4.3. Searching for Sites / Filtering the Sites
4.4. Downloading the data
5. FLOWS VIEW
5.1. Overview
5.2. Application flows
5.3. Real Time Graphs
5.4. Discovery
6. SINGLE SITE VIEW
6.1. Quality Summary
6.2. Activity Summary
6.3. Throughput Summary per NAP
6.4. Application flows
6.5. Discovery

CHAPTER 8 OPTIMIZING SSL (IP|DASHBOARD)
1. OVERVIEW
1.1. Deployment
1.2. Applications
1.3. Principles
2. CONFIGURATION
2.1. Configure domain-wise trusted proxy CA credentials
2.2. Select SSL proxy enabled sites
2.3. Select optimization enabled SSL servers
2.4. Customize the SSL Proxy Certificate Trust Store
3. SECURITY AND LEGALS
3.1. Security
3.2. Legals

CHAPTER 9 REPORTING (IP|REPORTER)
1. MIB ACCESS
1.1. MIB
1.2. SNMP
2. ip|reporter
2.1. Ipanema Architecture
2.2. Ipanema’s ip|reporter architecture
2.3. Terms
2.4. Starting the system
2.5. Reports Management
3. HOW TO READ THE REPORTS
3.1. IVreport (VF0)
3.2. Web client (VF0)
3.3. Web client (VF4)
3.4. Dynamic reading of the reports
3.5. Definitions
4. IPANEMA SYSTEM VISTAVIEWS
5. SLM (SERVICE LEVEL MONITORING) REPORTS
5.1. is - slm - service level evolution
5.2. is - slm - site summary
5.3. is - slm - application group summary
5.4. is - slm - application group summary per direction
5.5. is - slm - application synthesis
5.6. is - slm - site synthesis
6. SLA (SERVICE LEVEL AGREEMENT) REPORTS
6.1. is - sla - domain overview - graph
6.2. is - sla - domain overview - table
6.3. is - sla - domain - aqs summary
6.4. is - sla - domain - ag aqs summary
6.5. is - sla - domain - site aqs summary
6.6. is - sla - domain - mos summary
6.7. is - sla - site summary
6.8. is - sla - site aqs summary
6.9. is - sla - site mos summary
6.10. is - sla - site exploitation
6.11. is - sla - site customer
7. CAM (CLOUD APPLICATION MONITORING) REPORTS
7.1. is - cam - clients overview
7.2. is - cam - time evolution
8. AM (APPLICATION MONITORING) REPORTS
8.1. is - am - site summary - tcp
8.2. is - am - application group summary - tcp
8.3. is - am - application group summary - per dir. - tcp
8.4. is - am - application summary - tcp
8.5. is - am - application summary - per direction - tcp
8.6. is - am - time evolution - tcp
9. PM (PERFORMANCE MONITORING) REPORTS
9.1. is - pm - site summary
9.2. is - pm - application group summary
9.3. is - pm - application group summary per direction
9.4. is - pm - application summary
9.5. is - pm - application summary per direction
9.6. is - pm - traffic topology
9.7. is - pm - time evolution
9.8. is - pm - detailed per application, per app. group
9.9. is - pm - top host application on volume
10. PM COMPRESSION REPORTS
10.1. is - pm - compression evolution
10.2. is - pm - application group compression synthesis
10.3. is - pm - application compression synthesis
11. SSL OPTIMIZATION REPORT
11.1. is - ssl optimization - time evolution
12. ACC (ACCELERATION) REPORT
12.1. is - acc - acceleration evolution
13. CIFS REPORT
13.1. is - cifs - time evolution
14. SAM (SERVICES ACTIVITY MONITORING) REPORTS
14.1. is - sam - site summary
14.2. is - sam - time evolution
15. VOIP REPORTS
15.1. is - voip - synthesis
15.2. is - voip - time evolution
16. SA (SITE ANALYSIS) REPORTS
16.1. is - sa - site summary ingress
16.2. is - sa - site summary egress
16.3. is - sa - site throughput
17. FI (FAULT ISOLATION) REPORTS
17.1. is - fi - availability - evolution
17.2. is - fi - availability - overview
18. SP (SMART PLANNING) REPORTS
18.1. is - sp - profile
18.2. is - sp - synthesis
19. EXPORTING THE REPORTS’ DATA WITH ip|export
19.1. ip|export output files and directory
19.2. ip|export log file
19.3. ip|export command usage
19.4. ip|export output file formats

CHAPTER 10 SOFTWARE LICENSE AGREEMENT
1. IPANEMA SOFTWARE LICENSE AGREEMENT
1.1. Grant – Right of Use
1.2. Intellectual Property
1.3. Term and Termination
1.4. Warranty
1.5. Liability
1.6. Miscellaneous
2. IPANEMA SOFTWARE LICENSE AGREEMENT (FRENCH)
2.1. Scope of Rights Granted
2.2. Intellectual Property
2.3. Term
2.4. Warranty
2.5. Liability
2.6. General Provisions
CHAPTER 11 TECHNICAL SUPPORT

INTRODUCTION

1. REVISIONS

Date of issue  Index  Chapter/section concerned  Subject
Jan. 2001      A      All                        Original
April 2001     B      All                        in accordance with the V2.4 software version
Sep. 2001      C      All                        in accordance with the V2.5 software version
Jan. 2002      D      All                        in accordance with the V2.5.11 software version
March 2002     E      All                        in accordance with the V2.6.1 software version
Aug. 2002      F      All                        in accordance with the V2.7.5 software version
Oct. 2002      G      All                        in accordance with the V2.7.6 software version
Jan. 2003      H      Chapters 2, 3, 4 and 8     in accordance with the V2.8 software version
Feb. 2003      I      Chapter 2                  ip|reporter settings
April 2003     J      Chapter 2                  About window
Oct. 2003      K      All                        in accordance with the V3.0 software version
July 2004      L      All                        in accordance with the V3.2 software version
April 2005     M      All                        in accordance with the V3.4 software version
Nov. 2005      N      All                        in accordance with the V4.0 software version
Nov. 2005      O      Chapter 2                  ip|boss Solaris installation
April 2006     P      All                        in accordance with the V4.2 software version
Aug. 2006      Q      All                        in accordance with the V4.3 software version
Oct. 2006      R      Chapter 2                  Domain creation, ip|reporter Solaris installation, ip|reporter web 2.2
Nov. 2006      S      Chapter 3                  Alarming function
Feb. 2007      T      All                        manual organization; ip|reporter’s portmapper port; ip|reporter multi network interfaces server; Apache web server configuration for ip|reporter web edition; BW tracking principles; configuring ip|engines; ip|engine alarms description; removal of a report
Nov. 2007      U      All                        in accordance with the V4.4 software version
Jan. 2008      V      Chapters 2 and 7           ip|reporter web (no license key; user rights definition); 7.3.2. How to read the reports; periodicity of some reports (minor corrections)
April 2008     W      All                        in accordance with the v5.0.0r8 software version
July 2008      X      Chapters 2 and 3           Solaris installation removed from this manual; radius configuration
Oct. 2008      Y      All                        in accordance with the v5.0.0r12 software version
Dec. 2008      Z      All                        in accordance with the v5.1 software version
Jan. 2009      AA     Chapter 2                  2.5.4. Install/Uninstall ip|reporter on Windows, 2.6.1. Install ip|reporter web on Windows
March 2009     AB     All                        in accordance with the v5.2 software version
May 2009       AC     All                        Minor corrections: 1.2.3.5, 3.6.1 and 7.1.2: SNMP port; 2.5.6.1: InfoVista license key; 2.6.1.8: Customizing VistaPortal SE; 4.5.3: ip|boss Java client menu bar; 6.5.3: Helpdesk maps colors. New: 2.3.3 install ip|boss using the CLI; 3.9: note on Inventory printing; 4.9.7. Tools; 4.9.8. smart|path advanced parameters; 4.10.5.4: User class sensitivity; 4.11.3.1: Alarm severity; 6.5.1: Link supervision
June 2009      AD     Chapters 2, 9              2.1 JDK is not required any longer; 9.1 Technical Support contact information
Nov. 2009      AE     Chapters 2, 4, 7           2.8.2 software upgrade (FTP); 4.9.3 and 4.10.5.4 RAM-based and Disk-based compression are replaced by Zero Delay and Standard Redundancy Elimination (ZRE, SRE); 4.10.3.2 applications list; 7. several report updates in version 5.2 had not been reflected in the manual
Nov. 2009      AF     Chapters 2, 4, 6, 7        2.2.3 and 2.3.3 minor corrections; 4.9 Export / Import objects; 4.10.8 and 4.11.5.4 new smart|path parameter in v5.2.2; 6.5.2 freeze the view in the real time flows list; 7.6.3, 7.6.4 and 7.6.5 three new SLA reports
March 2010     AG     All                        in accordance with the v6.0 software version
May 2010       AH     Chapter 1                  A bug in the documentation system, which replaced chapter 1 by chapter 10, has been fixed.
Aug. 2010      AI     Chapters 1, 2, 4, 5 and 8  1.2.3.2 minor correction; 2.7 and 8.16 (mainly) ip|export has been completely redesigned
Dec. 2010      AJ     Chapter 8                  8.8.11.1 minor correction
Aug. 2011      AK     All                        “Virtual ip|engines” are now called “tele|engines”. The “optimization” feature is now called “QoS & control”.
                      Chapter 2                  2.5 reports_desc.impsys and VistaViews are now automatically installed with ipreporter_setup.exe; Solaris 9 is not supported any longer; Windows 2008 is supported
Nov. 2011      AL     All                        in accordance with the v7.0 software version; installation is now described in a separate manual
Dec. 2011      AM     All                        Chapter 1 - Ipanema System was missing in rev. AL
March 2012     AN     All                        in accordance with the v7.0.2 software version; major changes: User Classes are renamed Application Groups; report pm – top host application on volume is restored
July 2012      AO     All                        in accordance with the v7.1 software version
Sep. 2012      AP     All                        suppression of the Undo button
Dec. 2012
AQ
All 1.1.2 4.2.3 4.8.3 8.13
in accordance with the v7.1.4 software version SALSA architecture updated the Undo button has been put back in applications list updated; description of the common name (https attribute) improved SEM reports are renamed SAM
Jan. 2013
AR
3.4.2.1 4.6.1 4.8.3.3 4.8.4 8.4
A Timezone is added to the Domain configuration Export function updated RTP/RTCP plugin configuration updated Implicit max bandwidth = 500 x objective minor corrections (reports availability on tele-managed sites with IMA)
March 2013
AS
3.4.2.1, 7.2.1 Chapter 7 Chapter 8
More details on the time zone More details on the throughput displayed in ip|dashboard SLA, CIFS and PM-compression reports updated
April 2013
AT
3.6.1 4.7.2 4.9.3.1 -
More details on User rights on the reports Definition of the WAN access’ Network Report key for DWS More details on the syntax of the alarm rules in ip|boss’s Alarming function
June 2013
AU
4.8.3.2
List of recognized applications updated
July 2013
AV
all
In accordance with the v8.0 RC software version
Aug. 2013
AW
Chapter 1
The Introduction has been completely revised.
Sept. 2013
AX
Chapter 7
In accordance with the v8.0 GA software version
Oct. 2013
AY
5.2.1.2
ip|engine supervision details: minor correction xxx Ipanema Software License Agreement
Oct. 2013
AZ
10
New Ipanema Software License Agreement
March 2014
BA
All 4.7.3
“QoS & control” is renamed “Application Control”. New names for the WAN access attributes and new fields for the multipath mode in the ip|engine configuration window.
April 2014
BB
9.11
SSL optimization report added
June 2014
BC
All
In accordance with v8.1 RC software version
July 2014
BD
All 9.18
Minor correction on the Sites terminology SP reports: monitored resources
Oct. 2014
BE
In accordance with v8.1 GA software version
2. LIST OF ASSOCIATED DOCUMENTS
The system installation on Windows is described in a separate document:
■ Ipanema System Installation Manual
For each range of ip|engine (nano, 10, 100 and 1000), there are two manuals:
■ Directives and Regulations Manual: ip|engine Directives, Regulations and Certificates. Read the safety instructions before connecting an ip|engine to the supply.
■ Configuration manual: Technical characteristics and ip|engines installation, configuration and set-up procedures; troubleshooting. This manual is intended for ip|engines integrators, administrators and users.
3. DOCUMENT ORGANIZATION
This document contains 10 chapters:
■ Chapter 1 - Ipanema System: system overview.
■ Chapter 2 - Unified access to the Ipanema System (SALSA client): how to access a Domain with the various components of the system.
■ Chapter 3 - Managing Domains, Users and Licenses (ip|uniboss): Domains and Users creation and modification procedures, Licenses management.
■ Chapter 4 - Configuring Services (ip|boss): the different set-up and configuration procedures.
■ Chapter 5 - Ipanema System Supervision (ip|boss): system supervision procedures.
■ Chapter 6 - Using Ipanema Services (ip|boss): system exploitation procedures.
■ Chapter 7 - Monitoring (ip|dashboard): application monitoring.
■ Chapter 8 - Optimizing SSL (ip|dashboard): optimization service to the SSL encrypted flows.
■ Chapter 9 - Reporting (ip|reporter): description of the Ipanema reporting.
■ Chapter 10 - Software license agreement.
■ Chapter 11 - Technical support: description of the Ipanema Support.
4. TERMS USED
AG:
Application Group.
Aggregated flow:
an aggregated flow groups together IP micro-flows sharing given common characteristics. It is specified by a source subnet, a destination subnet and, where appropriate, a protocol, an application and a client/server direction and a TOS.
ANS:
Autonomic Networking System.
Applications Dictionary:
the Applications Dictionary contains a list of the applications recognized by the system. The applications are identified by protocol, a TCP or UDP port number, a type of Codec, a URL for HTTP, a published application for Citrix...
Applications Group:
Group of Applications with a certain Criticality level and a certain QoS Profile; contains key parameters for AQS measurement and Application Control.
Application Quality Score:
Ipanema notation for the traffic Quality. From 0 (very bad) to 10 (very good). The notation is calculated according to the expected behavior.
AQS:
Application Quality Score (see description above).
ASL:
Application Service Level.
BDP:
Bandwidth Delay Product.
Byte counting:
the system indicates the number of bytes in the IP packet, including IP headers.
CIFS:
Common Internet File System, aka SMB (Server Message Block).
CLI:
Command Line Interface.
Congestion:
state of a network resource in which the traffic incident on the resource exceeds its output capacity over an interval of time.
CoS:
Class of Service.
CPE:
Customer’s Premises Equipment (network access equipment located on the customer’s site. In the case of an IP network this is usually an access router).
Delay variation:
Standard deviation of the delay on a given period.
DPI:
Deep Packet Inspection, the application recognition mechanism used by Ipanema, based on the layer 7 syntax.
DSCP:
DiffServ Code Point.
DstPort:
Destination Port.
Datagram:
block of data transmitted on the packet switched network.
D/J/L:
Delay/Jitter/Loss.
Domain:
a Domain is composed of a set of ip|engines making and exchanging observations and making measurements based on these. ip|engines are configured and operated via the ip|boss central software. All elements in a Domain must be connected in the IP sense (each element must have an IP address that can be routed on the network).
DWS:
Dynamic WAN Selection (feature provided by the smart|path service).
Elementary observation:
measure of time, length, etc., performed by the ip|engine on each measured packet.
Equipped site:
site with an ip|engine, a nano|engine or a virtual|engine.
Flow:
in the Ipanema system, we call a flow all the sessions of a given application, from a given source to a given destination.
Fragmentation:
the process of division of a datagram into several fragments (IP packets), to facilitate traffic flow on low-speed links for example.
GLASS:
GlobaL Autonomic Support System: ip|engine metrics aimed at accelerating technical escalations.
GPS:
Global Positioning System: a highly accurate positioning and synchronization system based on a constellation of about 24 satellites in medium altitude orbit, covering practically the entire surface of the earth. It was used in early versions of the Ipanema system.
Goodput:
Number of received bits per second above layer 4 (i.e., TCP or UDP payload).
GUI:
Graphic User Interface.
HSRP:
Hot Standby Router Protocol (Cisco).
ICMP:
Internet Control Message Protocol.
IMA:
Ipanema Mobile Agent.
IP:
Internet Protocol.
IP micro-flow:
an IP micro-flow is specified by all packets identified by the same IP source and destination address, the same protocol and, where appropriate, the same TCP/UDP ports.
ip|agent:
Ipanema software running on Ipanema appliances (ip|engines and nano|engines) and virtual appliances (virtual|engines); by extension, we call ip|agent the software running on Ipanema Mobile Agents (IMAs), although the latter do not run all ip|agent services. ip|agent services are ip|true, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, smart|path and smart|plan.
ip|boss:
component of the SALSA suite used to configure the Domains.
ip|coop:
tele|engines’ cooperative control (part of ip|fast).
ip|dashboard:
component of the SALSA suite used to monitor the traffic (in reality, its server is part of the ip|boss server).
ip|engine:
Ipanema appliance that performs measurement, control, compression, acceleration, etc., to provide Visibility, Application Control and WAN Optimization.
ip|fast:
ip|agent providing Application Control.
ip|reporter:
component of the SALSA suite that generates the reports; it is powered by InfoVista.
ip|true:
ip|agent’s measurement service, behind the Application Visibility feature.
ip|uniboss:
component of the SALSA suite used to manage the Domains, Users and Licenses.
ip|xapp:
ip|agent providing CIFS acceleration (part of the WAN optimization feature).
ip|xcomp:
ip|agent providing Compression (SRE and ZRE — part of the WAN optimization feature).
ip|xtcp:
ip|agent providing TCP acceleration (part of the WAN optimization feature).
IPDR:
IP Data Records.
ISU:
Ipanema Software Unit.
ITP:
Ipanema Time Protocol.
Jitter:
standard deviation of the delay on a given period.
JRE:
Java Runtime Environment.
LAN:
Local Area Network (the same geographical site may have several LANs interconnected by a router).
LAN-to-LAN:
used for the measurement from the LAN port of the source ip|engine to the LAN port of the destination ip|engine; applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated “LAN” (e.g. LAN-to-LAN Delay = “LAN Delay”).
LDAP:
Lightweight Directory Access Protocol, used for authentication and authorization in SALSA.
LTL:
Local Traffic Limiting.
Measurement interface:
interface on the ip|engine giving access to the point of measure.
Measurement ticket:
the measurement ticket groups together the elementary observations made on an IP packet by an ip|engine.
MetaView:
Object we report on (Domain, Site, group of Sites, Application Group, etc.), created in ip|boss. The reports aggregate data on MetaViews, in ip|reporter.
MOS:
Mean Opinion Score: standard measure of the quality of a voice call, scored from 0 (very bad) to 5 (very good), normalized by the ITU-T (G.107).
MRE:
Multi Redundancy Elimination (= SRE + ZRE; synonymous with Compression).
nano|engine:
Ultra compact Ipanema appliance that performs measurement and control, to provide Visibility and Application Control in small Branch offices (no WAN Optimization, unlike ip|engines).
NAP:
Network Access Point.
OWD:
One Way Delay.
Packets:
series of binary elements organized in a predefined format and transferred as a whole.
Packet counting:
the system indicates the number of datagrams observed. It is insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).
Packet loss:
the system indicates the number of datagrams lost. It is therefore insensitive to fragmentation by routers, whether this fragmentation occurred in the Domain of Measure (between ip|engines) or outside the Domain (before the first ip|engine).
PBR:
Policy Based Routing.
Physical site:
(Obsolete) old name for an Equipped site.
Point of measure:
place of traffic acquisition where measures are made.
QoE:
Quality of Experience (measured by the AQS).
QoS:
Quality of Service.
QoS Profile:
Set of parameters in ip|boss, which applies to an Application Group. The parameters are: the traffic type (real time, transactional or background), the bandwidth objective and the maximum bandwidth (per session), followed by 6 quality metrics (delay, jitter, loss, RTT, SRT and TCP retransmission) with two thresholds each (objective — maximum).
RADIUS:
Remote Authentication Dial-In User Service.
Router:
interconnection gateway between two IP networks.
Routing:
operation of determining the route to be taken through a network by a data packet.
RTT:
Round Trip Time.
SALSA:
Scalable Application Level Service Architecture.
SAML:
Security Assertion Markup Language.
Sensitivity:
Application Group parameter, used for DWS.
SLA:
Service Level Agreement.
smart|path:
ip|agent providing Dynamic WAN Selection.
smart|plan:
ip|agent’s Network Rightsizing service.
SNMP:
Simple Network Management Protocol.
SrcPort:
Source port.
SRE:
Standard Redundancy Elimination (AKA “Disk-based compression”).
SRT:
Server Response Time.
SSL:
Secure Socket Layer.
TCP:
Transmission Control Protocol.
tele|engine:
Allows traffic on unequipped Sites to be measured and controlled by the ip|engines of the remote Sites, thus providing Application Visibility and Control without any appliance on the local Site (branch office). tele|engines are configured in ip|boss as “physical” ip|engines, by checking a specific box. A Site with a tele|engine is called a tele-managed Site.
Tele-managed Site:
Site with a tele|engine.
Ticket Record:
groups measurement tickets together for transmission between ip|engines.
TOS:
Type Of Service.
TOS Dictionary:
the TOS Dictionary contains a list of TOS recognized by the system. The TOS are identified by the field Type Of Service in IP packet.
Traffic profile:
a description of the temporal properties of a traffic stream such as rate and burst size.
Transfer delay:
the transfer delay of a packet between ip|engines is measured when the last bit of the packet passes the measure points. In the event of fragmentation of the datagram into several IP packets, the measure is made when the last bit of the last fragment passes.
Throughput:
Number of bits per second at the IP level.
UC:
Unified Communications.
UDP:
User Datagram Protocol.
VF0 / VF4:
Vista Foundation 0 / 4 (InfoVista platforms provided with ip|reporter).
Virtual ip|engine:
(Obsolete) old name for a tele|engine (< SALSA v6).
Virtual site:
(Obsolete) old name for a tele-managed Site.
virtual|engine:
Software image of an ip|engine, to be deployed on VMware ESXi.
VoIP:
Voice over IP.
VPN:
Virtual Private Network.
VRF:
Virtual Routing and Forwarding.
WAN:
Wide Area Network (long distance network that allows data exchange between remote sites).
WAN-to-WAN:
used for the measurement from the WAN port of the source ip|engine to the WAN port of the destination ip|engine. Applies to the throughput, Delay, Jitter and packet Loss. Also abbreviated “WAN” (e.g. WAN-to-WAN Delay = “WAN Delay”). LAN-to-LAN Delay = Delay generated by the source ip|engine, if any + WAN-to-WAN Delay + Delay generated by the destination ip|engine, so the LAN-to-LAN Delay includes (and is higher than or equal to) the WAN-to-WAN Delay.
WFQ:
Weighted Fair Queuing.
Wizard:
Way to create combinations of MetaViews and reports in ip|boss’ Reports menu.
ZRE:
Zero delay Redundancy Elimination (AKA “RAM-based compression”).
CHAPTER 1. IPANEMA SYSTEM
1.1. OVERVIEW
1.1.1. Autonomic Networking System
Ipanema’s self-learning and self-optimizing Autonomic Networking System™ (ANS) tightly integrates all the features to guarantee the best application performance: Application Visibility, Application Control, WAN Optimization, Dynamic WAN Selection and Network Rightsizing. Easy to use and highly scalable, ANS addresses companies from mid-size up to thousands of sites. It also addresses Service Providers with thousands of customers. Based on the SALSA central management platform and on a family of appliances and software agents, ANS fits from the smallest Branch Office to the largest Datacenter.
SALSA’s centrally managed cooperative architecture
Ipanema’s ANS is:
■ Autonomic:
– it guarantees applications performances through global and distributed coordination between Ipanema appliances and software agents,
– it dynamically adapts to traffic and network changes thanks to a “Sense and Respond” mechanism (Sense: Real-time view of the network performances and users demand; Respond: Dynamic and distributed computation with second-by-second optimal policies enforcement),
– full control is provided, in most cases (depending on the network architecture), with as few as 10-20% of the sites equipped with physical appliances.
■ All-in-one:
– all features are tightly coupled,
– it optimizes all application flows: data transfers (FTP, CIFS...), interactive flows (ERPs, Citrix...), real-time flows (VoIP, Videoconference...), etc.
■ Service Framework:
– a unified management GUI is provided for all features,
– the multi-tenant SALSA platform scales up to 10M’s users and 100K’s sites,
– objective-based control enables Application SLAs and global WAN Governance.
1.1.2. Ipanema features
This section quickly describes Ipanema features (for more details see 1.3. Features description).
Application Visibility
■ Goal: understand application usage and performance over the entire network.
■ How: providing clear application performance KPIs (Application Quality Score, or AQS, and MOS), high level consolidated reports, and very detailed information at the flow level.
Application Visibility
Application Control
■ Goal: guarantee users’ experience by controlling each application flow in real-time, depending on the network resources.
■ How: dynamically enforcing Application SLAs for each user thanks to a global and dynamic approach, where the whole traffic matrix is taken into account in real time. Application Control manages the application flows in the most efficient way, even in full-mesh and very large networks.
Application Control
WAN Optimization
■ Goal: accelerate delay sensitive applications and reduce bandwidth consumption.
■ How: eliminating redundancy in the application flows (both at the packet level and data stream level), and accelerating TCP segments, CIFS application, SSL flows, etc.
WAN Optimization
These features are tightly coupled to address all situations.
Tightly coupled features
Network Rightsizing:
■ Goal: align network sizing to budget and business requirements.
■ How: combining Application Visibility and Application Control data to determine sizing options and their consequences; the results are displayed in easy-to-use reports.
Network Rightsizing
Dynamic WAN Selection:
■ Goal: guarantee application performance across hybrid [MPLS + Internet] networks, improve business communication continuity, exploit large network capacity at low cost, benefit from Internet immediacy and ubiquity, turn back-up lines into business lines, eliminate complex policy based routing and unify the management of hybrid networks.
■ How: automatically and dynamically selecting the best path for each application flow across the various networks.
DWS
1.1.3. Ipanema appliances, VMs and software agents
Ipanema features are performed by Ipanema appliances, virtual machines and software agents, generally located at the interface between the enterprise network (LAN) and the access router to the operator network (WAN). There are two families of appliances: ip|engines and nano|engines, and two families of software agents: virtual|engines and Ipanema Mobile Agents (IMAs). Application Visibility and Application Control features are also available on sites that are not equipped (no ip|engine, no nano|engine and no virtual|engine on the site), declaring “tele|engines” on these sites.
ip|engines: hardware devices; various models are available, with different capacities
nano|engines: hardware ultra compact devices, for small Branch Offices
tele|engines: logical service delivered through the remote collaborating ip|agents
virtual|engines: virtual machines in .vmdk format
IMAs: software agents for Windows desktops
ip|agent is the software running on ip|engines, nano|engines and virtual|engines. IMAs run some of ip|agent’s services (but we also call them ip|agents, by extension). To provide the features described above, ip|agents run the following services:
■ for Application Visibility:
– ip|true: measurement,
– ip|sync: time synchronization,
■ for Application Control:
– ip|fast: the Application Control service,
– ip|coop: tele|engines’ cooperative control,
■ for WAN Optimization:
– ip|xtcp: TCP acceleration,
– ip|xcomp: compression (SRE and ZRE) + TCP acceleration,
– ip|xapp: CIFS acceleration,
■ for Network Rightsizing:
– smart|plan,
■ for Dynamic WAN Selection:
– smart|path.
1.1.4. Features availability
The table below summarizes the features provided by the different Ipanema appliances and virtual machines, and on tele-managed sites:
ip|e ax
ip|e non-ax
nano|e
virtual|e
tele|e
ip|true
yes
yes
yes
yes, performed by the remote ip|agents; no D/J/L info
ip|fast
yes
yes
yes
yes, performed by the remote ip|agents
no, except on hosts running IMAs
yes
no, except on hosts running IMAs
ip|xcomp SRE
yes
no
ip|xcomp ZRE
yes**
no
yes
no
ip|xtcp
yes**
no*
no*
no*
ip|xapp
yes***
no, except on hosts running IMAs
yes***
no, except on hosts running IMAs
smart|path
yes
yes
no
no
smart|plan
yes
yes
yes
no
Features availability
* ip|xtcp is a single-box sender-side technology, so traffic to a site with a nano|engine, a virtual|engine or a tele|engine can be accelerated.
** except for ip|e 40so.
*** ip|xapp is a single-box client-side technology, so the ip|engine or virtual|engine must be installed in the Branch Office (where the clients are). If it is not (sites with a nano|engine or a tele|engine), the feature can still be delivered, thanks to IMA.
1.1.5. Functional architecture
SALSA (Scalable Application Level Service Architecture) is the Central Management Software; it is composed of:
■ ip|uniboss software (one server): it ensures the creation and management of the Domains, Unified User Management and Licenses management.
■ ip|boss software (one or several servers, depending on the number of Domains and their sizes; it can be installed on the same server as ip|uniboss): it ensures system administration, system configuration (system provisioning, application provisioning and reports provisioning), service activation, real time monitoring (ip|dashboard), supervision, collection of the Correlation Records generated by ip|agents every minute (according to the parameters), and the interface with ip|reporter to create or delete reports (the main reports are automatically created).
■ ip|reporter software (one or several servers, depending on the number of Domains, the volume of traffic and the number of reports; on very small networks, with less than 10 sites, it can be installed on the same server as ip|boss/ip|uniboss): it ensures the reporting function, polling ip|boss to collect the raw data, which it then consolidates in many different dimensions, with about 40 pre-defined report templates.
ip|reporter is powered by InfoVista and embeds an InfoVista run time licence; this run time provides all user functions in local, remote or client/server mode or with an HTML interface with VistaPortalSE. InfoVista can be provided with two different VistaFoundation platforms: VF0 (provided to most Ipanema customers) and VF4 (provided for MSPs/NSPs or customers with very large networks only). Only VF0 platform is described in this document. For VF4 information, please refer to the relevant Technical notes.
ip|export, an optional module of ip|reporter, allows automatic and dynamic export of any data from any reports in text, CSV or Excel formats. It is designed for seamless inter-operability between network measurement systems and Business Support Services.
SALSA architecture
A SALSA unified portal gives access to ip|uniboss, ip|boss, ip|dashboard and ip|reporter web. A Domain selector (drop-down list) allows selecting the Domain to be configured (with ip|boss) or monitored (with ip|dashboard) prior to connecting.
SALSA unified portal
It can be accessed with a web browser at https:///salsa/.
1.2. GENERAL PRINCIPLES
1.2.1. System deployment
A Domain is made up of a set of Ipanema appliances and virtual machines positioned at the measurement or control points of a network, in the same LANs as the CPE routers. Their ip|agent software measures, controls, compresses and accelerates the network traffic on the entire network. One Domain has to be created per logical entity, using ip|uniboss software. Once created, it is managed by a dedicated ip|boss instance.
System deployment
ip|agents belonging to the same Domain cooperate (distributed intelligence), but do not interact with ip|agents belonging to other Domains. To measure, control and accelerate flows on a site with no ip|agent (neither appliance nor virtual machine), the user can declare a tele|engine on that site (in the same way as they would declare a real ip|engine, in ip|boss). To make this possible, ip|agents must be present at the other ends of the flows: measurement, control and acceleration are then performed by the remote ip|agents, which is why such a site is also called a tele-managed site.
ip|agents cooperation in a Domain (with tele-managed sites)
The system performs measurement, control, redundancy elimination and acceleration on the basis of the observed traffic in the user’s private IP addressing plan. Each ip|agent recognizes the local network (LAN) traffic transmitted to and received from the long-distance network (WAN). LANs have an IP address range expressed in the form a.b.c.d and a prefix, the length of which is expressed by /p. For correct system operation:
■ each ip|engine, nano|engine, and virtual|engine must have a fixed IP address,
■ the server running ip|boss must be accessible by all ip|engines, nano|engines and virtual|engines (it is not necessary for IMAs). It must therefore have an IP address, but the latter is not necessarily a fixed address, in theory (except if ip|reporter server is installed on another station, which should be the case in most cases). The server is not necessarily on the customer part of the network.
1.2.2. Communication between system elements
A Technical note, “TN-0300164-02_Flow_matrix_SALSA_v”, shows all ports used between all components of the Ipanema system.
1.2.2.1. Communication between ip|agents
ip|agents exchange measurement and control information, among others. To accomplish this, each ip|agent hosts a specific server reachable by all other ip|agents on predetermined TCP and UDP ports. An ip|agent also hosts a specific client that transmits measurement and control signals and compressed data to the remote ip|agent servers. The source ports are dynamically selected by the transmitting ip|agents.
Service                              L4    Port
ip|true                              TCP   19999
ip|fast                              UDP   19999
ip|agent capacity advertising        TCP   19996
ip|xcomp SRE                         —     —
ip|xcomp ZRE dictionary and control  TCP   19988
ip|xcomp ZRE compression tunnel      UDP   19988
ip|xcomp ZRE keep alive              UDP   19987
ip|xtcp                              —     —
ip|xapp                              —     —
ip|sync (ITP)                        UDP   19995
Clustering                           UDP   19997
Ports used between ip|agents
1.2.2.2. Communication between ip|boss and ip|agents
There are three types of communication channels between ip|agents and ip|boss:
■ configuration and supervision,
■ polling of the measurement records (Correlation Records),
■ polling of the real-time graphs’ data.
Service           L4   Port         Usage
HTTPS             TCP  443          Configuration, supervision, collection of the Correlation Records.
FTP               TCP  20–21        Download ip|agent software (the FTP server is not necessarily on ip|boss).
SSH               TCP  22           Remote connection on Ipanema appliances and virtual machines (enabled by default). (The remote access is not necessarily granted from ip|boss.)
Telnet            TCP  23           Remote connection on Ipanema appliances and virtual machines (disabled by default). (The remote access is not necessarily granted from ip|boss.)
Real-time graphs  TCP  19990–19993  Additional polling to provide a real-time view in ip|dashboard.
Ports used between ip|agents
■ Configuration and supervision channel
Each ip|engine, nano|engine and virtual|engine hosts an HTTPS server accessible by ip|boss for configuration and supervision. This server is reached on TCP/443 destination port (default value; another value can be configured on request). If remote connections (SSH and/or Telnet) are to be established from ip|boss (not mandatory, but very helpful), then ports 22 (SSH) and/or 23 (Telnet) are also used. (By default, SSH is enabled on all ip|agents, and Telnet is disabled.) If ip|boss is used as an FTP server to download ip|agent software, then ports TCP/20 and 21 are also used (they are not otherwise; the FTP server can be on other devices, such as an external server or even an ip|engine, for instance).
■ Periodic measurement collection channel
The HTTPS server embedded in ip|agents is also used by ip|boss to retrieve the measures (pull) (same port and remark as above).
■ Real-time measurement polling channel
Real-time measures are sent by the ip|agents on a unidirectional TCP connection to a predefined destination port (in the 19990–19993 range by default; other ranges can be configured). The TCP source port is dynamically selected (a fixed port can be configured) by the transmitting ip|agent.
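The two port tables above can serve as an allow-list when reviewing firewall or flow logs for a Domain. The Python sketch below is an added example, not Ipanema code: the addresses, the role inventory and the one-line flow format are constructed, and it assumes default ports and matches on the destination port only.

```python
from collections import namedtuple
from ipaddress import ip_address

Rule = namedtuple("Rule", "src dst l4 lo hi service note")

# Default ports transcribed from the two tables above. Who initiates follows
# the manual's text where it says so. Assumptions of this example: matching is
# on destination port only (a simplification for FTP, whose port 20 is a data
# port) and FTP / real-time flows terminate on ip|boss.
MATRIX = [
    Rule("agent", "agent", "TCP", 19999, 19999, "ip|true", None),
    Rule("agent", "agent", "UDP", 19999, 19999, "ip|fast", None),
    Rule("agent", "agent", "TCP", 19996, 19996, "ip|agent capacity advertising", None),
    Rule("agent", "agent", "TCP", 19988, 19988, "ip|xcomp ZRE dictionary and control", None),
    Rule("agent", "agent", "UDP", 19988, 19988, "ip|xcomp ZRE compression tunnel", None),
    Rule("agent", "agent", "UDP", 19987, 19987, "ip|xcomp ZRE keep alive", None),
    Rule("agent", "agent", "UDP", 19995, 19995, "ip|sync (ITP)", None),
    Rule("agent", "agent", "UDP", 19997, 19997, "Clustering", None),
    Rule("boss", "agent", "TCP", 443, 443, "HTTPS", None),
    Rule("boss", "agent", "TCP", 22, 22, "SSH", None),
    Rule("boss", "agent", "TCP", 23, 23, "Telnet", "disabled by default on ip|agents"),
    Rule("agent", "boss", "TCP", 20, 21, "FTP", "only if ip|boss is the FTP server"),
    Rule("agent", "boss", "TCP", 19990, 19993, "Real-time graphs", None),
]

# Constructed inventory (documentation address ranges, not real hosts).
ROLES = {"192.0.2.10": "boss", "198.51.100.1": "agent", "198.51.100.2": "agent"}

# Constructed flow records, one per line: "src dst l4 dport".
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 TCP 443
198.51.100.1 198.51.100.2 UDP 19999
198.51.100.2 192.0.2.10 TCP 19991
192.0.2.10 198.51.100.2 TCP 23
203.0.113.7 198.51.100.1 TCP 19999
198.51.100.1 198.51.100.2 TCP 8080
"""


def parse_flow(line):
    """Parse one flow record; raise ValueError on any malformed field."""
    src, dst, l4, dport = line.split()
    ip_address(src)
    ip_address(dst)
    port = int(dport)
    if l4 not in ("TCP", "UDP") or not 0 < port < 65536:
        raise ValueError(f"bad protocol or port in {line!r}")
    return src, dst, l4, port


def classify(src, dst, l4, dport, roles=ROLES):
    """Return (status, detail); status is expected, review or unexpected."""
    s, d = roles.get(src, "other"), roles.get(dst, "other")
    same_port = [r for r in MATRIX if r.l4 == l4 and r.lo <= dport <= r.hi]
    for r in same_port:
        if (r.src, r.dst) == (s, d):
            if r.note:
                # Documented, but conditional or off by default: needs a reason.
                return "review", f"{r.service}: {r.note}"
            return "expected", r.service
    if same_port:
        # A documented port, but not between the documented kinds of peers.
        r = same_port[0]
        return "unexpected", (f"{r.service} port reached {s}->{d}; "
                              f"documented {r.src}->{r.dst}")
    return "unexpected", f"{l4}/{dport} is not in the documented matrix"


def audit(text, roles=ROLES):
    """Classify every non-empty line of a flow log."""
    results = []
    for line in text.splitlines():
        if line.strip():
            status, detail = classify(*parse_flow(line), roles=roles)
            results.append((status, line.strip(), detail))
    return results


if __name__ == "__main__":
    for status, line, detail in audit(SAMPLE_FLOWS):
        print(f"{status:<10} {line:<36} {detail}")
```

Where a Domain uses non-default ports (the text allows this for HTTPS and the real-time range), the matching `MATRIX` entries have to be edited before the results mean anything.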
1.2.2.3. Communication between ip|boss client and ip|boss server
Communications between ip|boss web client and ip|boss server use HTTPS (port TCP/443).
1.2.2.4. Communication between ip|boss and ip|reporter
Two kinds of communication channels exist between ip|boss and ip|reporter:
■ configuration and supervision channel: ip|boss supervises and configures the reporting system via the InfoVista interfaces. The used TCP ports are dynamic by default, but they can be fixed by configuration. This channel allows the reports creation and deletion according to the configuration and ip|reporter’s supervision status.
■ collect channel (SNMP): ip|boss houses an SNMP agent used by ip|reporter (InfoVista) in order to collect the measurement data (pull mode). This SNMP agent is reachable via a UDP port configured for each Domain in ip|uniboss.
1.2.3. Security
The Ipanema System provides robust security features (SSL, SSH, tools for key generation and distribution, etc.) to protect the system against break-in and hostility threats. Authentication mechanisms to access the different system elements, and between them, protect the system against unauthorized accesses. Communication encryption between the system elements protects the system against sniffing of configuration information or measurement results exchanged between them.
1.2.3.1. Appliances Access Control (Console and SSH)
Many security features regarding the access to Ipanema appliances, through the console or through the network, are implemented. They are listed below (however access to a particular appliance is limited to a very small number of cases):
■ console access is secured with full password management;
■ remote access is secured with the use of the SSH protocol (Telnet is also available, but for security reasons it is disabled by default);
■ commands limitation: when remotely accessing an Ipanema appliance (or virtual machine), the set of available user commands is carefully restricted to the minimum (device basic configuration and troubleshooting, namely).
1.2.3.2. Secured ip|boss - ip|agents communications
The SSL protocol is used to download the configuration file from ip|boss to all ip|agents, to monitor all appliances and to collect the measurement data. Both authentication and encryption are used. The Ipanema System allows three security levels:
■ First level (default mode): The customer uses the default factory certificate. Communications are secured. Nevertheless, as the certificate is not unique to the customer, the security level is not at its maximum.
■ Second level: The customer defines their own certificate. This can be achieved either in ip|boss or using a certificate generator. Certificate installation on ip|agents is managed from ip|boss and does not require local access to the Ipanema appliances or virtual machines. Communications are secured. Unauthorized people will be able neither to enter the system nor to read or interpret configuration or measurement data.
■ Third level: The customer defines their own certificate and an SSL passphrase. This requires not only an ip|boss certificate installation, but also local access to all ip|agents in order to set up the passphrase configuration. Communications are secured. The combination of certificate and local passphrase provides the highest level of security.
Important reminder: 80% of the security breaches are internal to companies.
1.3. FEATURES DESCRIPTION
1.3.1. Application Visibility (ip|true)
The primary goal of Application Visibility is to understand application usage and performance over the entire network. To reach that goal, applications are classified in Application Groups (AGs), and each AG has specific QoS performance objectives (nominal bandwidth per session and two thresholds, objective and maximum, for one-way delay, jitter, packet loss, RTT, SRT and TCP retransmission ratio). This makes it possible to check whether performance objectives are met or not, and to calculate an Application Quality Score (AQS) accordingly.
Ipanema Application Visibility is:
■ comprehensive (see the list of metrics below),
■ highly accurate, relying on time synchronization from the network (thanks to ITP, Ipanema Time Protocol),
■ very precise and non-intrusive: measurements are made on the actual data packets and not on test packets nor simulated flows,
■ exhaustive: all IP packets are measured,
■ independent from the operator network access and core technology (measurements are made at the IP layer),
■ confidential: the contents of user packets are not, at any time, stored, saved or even transmitted between the different system components.
ip|true provides the following metrics:
■ the number of packets and bytes transmitted and received,
■ the number of sessions,
■ the following one-way metrics:
– Delay,
– Jitter,
– packet Loss,
all three (called D/J/L) both:
– ingress (from the LAN to the WAN) and
– egress (from the WAN to the LAN),
and both:
– between the LAN interfaces of the appliances (LAN-to-LAN metrics, simply called “LAN”) and
– between their WAN interfaces (WAN-to-WAN metrics, simply called “WAN”),
■ the following TCP metrics:
– RTT (Round Trip Time),
– SRT (Server Response Time),
– TCP retransmission ratio,
■ the following composite metrics:
– Voice’s MOS (Mean Opinion Score),
– all flows’ AQS (Application Quality Score).
AQS
Individual measurements are aggregated and analyzed according to multiple criteria (source and destination sites, source and destination subnets, Application Groups, applications, etc.). The results are presented in the form of detailed flows lists, real-time graphs, charts, etc., and archived with periodic aggregation (in hourly, daily, weekly and monthly reports). They are made available for subsequent processing or reference, and can be used to generate alarms, analyze long-term trends, forecast future traffic increase to estimate optimum network sizing, etc. Users can specify their own aggregation criteria, thus taking into account their enterprise organization (e.g. the different countries, departments, services, etc.).
The following system elements are involved:
■ ip|agents (ip|true): elementary observations, correlation, traffic classification,
■ ip|boss: configuration, polling of the Correlation Records (HTTPS), MIB update,
■ ip|reporter: polling of ip|boss’ MIB (SNMP), reports publishing and reports database management.
1.3.1.1. ip|agents’ elementary observations, correlation and classification
Each IP packet observed by an ip|agent undergoes a series of operations:
■ filtering of IPv4 packets,
■ classification and filtering of packets according to their types:
– local traffic on the LAN,
– ingress traffic (LAN to WAN traffic),
– egress traffic (WAN to LAN traffic),
– transit traffic.
■ correlation, to calculate the one-way metrics (Delay, Jitter and packet Loss), when both the source and the destination of the flow are equipped with Ipanema appliances or virtual machines (this condition is necessary); this operation is achieved in four steps:
– 1. when the packet is sent and crosses the upstream ip|agent, the latter calculates a signature (hash) and stores it locally,
– 2. when the packet is received and crosses the downstream ip|agent, the latter calculates a signature (the same one),
– 3. once a second, the downstream ip|agent sends its signatures back to the upstream one, in a compact “Ticket Record”. Ticket Records have an average length of 300 bytes and the overhead they generate is approximately 2% of the measured traffic (
Search menu below),
■ (new filter): to filter the data (see View > Filter menu below),
■ (modify filter): to modify filters (see View > Filter menu below),
■ (sort by): to sort the data (see View > Sort menu below),
■ (choose columns): to choose the columns to display,
■ (save preferences): to save the view matching the filters, etc.; give the preferences a name (“Preference name”) and select whether you want these to be your default view (checking the “Default preference” box), the default view for mobiles (checking the “Default preference for mobile” box), whether you want them to be accessible to other users (checking the “Shared preference” box) and whether you want them to apply to this view only (checking the “on this view” radio button) or to all views of the same type (checking the “on views of the same type” radio button); then a drop-down list appears on the right (if no preference had been previously saved), allowing you to select these preferences, other saved preferences, or to display everything with no filter (selecting “All”),
■ (delete preferences): to delete previously saved preferences.
The menus are the following:
File
■ New: to create a new object,
■ Quit: to quit ip|uniboss.
Window
■ Close All: to close all open tabs,
■ : to select the tab corresponding to the selected function.
Edit: you can select an object by clicking on its line. To select other objects, click on their lines while pressing the Ctrl key. Edit/Select all selects all the objects on the list. Edit/Unselect all unselects all the selected objects. The status bar shows the number of selected objects and the total number of objects.
■ Search: to search for objects; opens a dialog box which finds all the objects with an attribute containing the specified text. The navigation between the found objects is made with the menus Edit > Next and Edit > Previous,
■ Next: to jump to the next found object,
■ Previous: to jump to the previous found object,
■ Select all: to select all the objects,
■ Unselect all: to unselect all the objects.
View
■ Sort: to sort objects; by clicking on the header of a column, you sort the list according to this column (by clicking again on the column, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you sort on multiple columns. These functions are also available with the menu Display/Sort.
■ Group by: to group objects by various criteria,
■ Filter: you can create filters on the list, which display only the objects matching the criteria. A simple filter works with only one field whereas an extended filter is a combination of simple filters. When a filter is active, the number of displayed objects and the total number of objects are written on the status bar.
– New filter: to create a new simple filter,
– Modify filter: to modify an existing filter,
– Active filter: to activate or deactivate the selected filter.
■ Choose columns: to choose the columns to display,
■ Preferences:
– Save: to save the active filter (and column display),
– Delete: to delete a filter (and column display).
Actions: gives access to all the actions also available through the corresponding buttons:
■ Consult,
■ Clone,
■ Modify,
■ Delete.
?
■ About: shows the software version and license information (the same as the About button).
In some tables (Domains, ip|boss servers, etc.), an LED on the left gives the objects’ operational states; for the Domains, it can be: green (“Started”), grey (“n/a”: disabled), amber (“Starting”), red (the number of ISUs exceeds the total ISU credit), small and dark (when the Domain has just been created, before an Update has been applied). The state can be displayed by moving the mouse over the LED:
Managing Domains, Users and Licenses (ip|uniboss)
Domain’s operational state
3.3. IMPORTING A LICENSE
To create Domains, the license file “license.ipmsys” must be installed. To get your license file, please contact the Ipanema Support service at the e-mail address [email protected] or [email protected].
In the Toolbar, select About:
It shows the software version and license information (maximum number of Domains, total ISU credits (Ipanema Software Units), maximum number of ip|engines and tele|engines, authorized features, etc.):
About menu
The total number of ISUs (Ipanema Software Units) can be allocated in a flexible way across different Domains; refer to the “Create a Domain” section below.
To import a license, click on the Import button, browse your folders and select the proper license file (license.ipmsys).
(The license file is copied:
■ In the directory uni_boss\conf:
– if ip|uniboss and ip|boss are installed on separate servers: on ip|uniboss server, in the directory ~\salsa\uniboss\server\domains\uni_boss\conf.
– if both ip|uniboss and ip|boss are installed on the same server: on ip|uniboss / ip|boss server, in the directory ~\salsa\ipboss\server\domains\uni_boss\conf.
■ In each Domain’s directory (if Domains already existed, for example when upgrading from one version to a new one): ~\salsa\ipboss\server\domains\\conf (on ip|boss server).)
3.4. SYSTEM PROVISIONING
The procedures in this section and in the following ones are all based on ip|uniboss web client.
3.4.1. Declare ip|boss servers
Before you can create a Domain, you first need to declare an ip|boss server.
■ Open the ip|boss servers table
The ip|boss servers table can be displayed by clicking on ip|boss servers in ip|uniboss Toolbar:
ip|boss servers table
■ Declare an ip|boss server
To declare a new ip|boss server, click on the New icon in the ip|boss servers window. Only the host name (or the IP address) needs to be entered; all other information (ip|boss version, OS version and JRE version) will be polled from the server:
ip|boss server declaration window
You need to click on Validate or Apply:
– The Ok button creates the object and closes the window.
– The Apply button creates the object and keeps the window open. This is useful when you want to create several objects.
– The Cancel button closes the window without creating an object. Use Cancel after an Apply.
In the servers table, the LED on the left shows the compatibility status of the server; it can be:
– green (“Compatible”) if the server is reachable and compatible with ip|boss; ip|boss version, OS version and JRE version are polled and displayed:
Compatible ip|boss server
– grey (“Unreachable”) if the server is not reachable,
– small and dark (when the server has just been created, before an Update has been applied: an Update is mandatory for the changes to be saved and taken into account).
3.4.2. Domains
The Domains window is opened when you start ip|uniboss client.
■ If other windows have been opened and if the Domains window is not the active one, click on the “Domains” tab.
■ If the Domains window has been closed, in the Toolbar, select Domains.
3.4.2.1. Create a Domain
Operating procedure table: service ip|reporter
■ An ip|boss server must be created first. Refer to the previous section.
■ A running license is required. Otherwise an error window is displayed when committing a new Domain.
ip|uniboss’ Domains window
In the Domains window, click on the New button.
A creation window opens where you can indicate your Domain’s characteristics:
Domain creation window, ’General’ tab
The fields with a legend in bold characters are mandatory.
The ’General’ tab of the Domain creation window contains the following fields:
■ Name: to specify the name of the Domain (characters string),
■ Description: to give additional information, if needed,
■ Welcome message: to display a text below the selected Domain in SALSA’s Domain selector,
ip|boss server
■ ip|boss server: to choose the server that will manage the Domain (from a drop-down list). In display mode, ip|boss version, OS version, JRE version and the Compatibility status are polled from the server and displayed:
Domain ISU
■ Allocated ISU: to specify the number of Ipanema Software Units that are needed on that Domain. Each function requires a certain number of ISUs, which can be purchased from Ipanema (a new license file is then provided; refer to the “Import a license” section above). The number of consumed ISUs and available ISUs for each Domain is displayed in the Domains windows. In display mode, the Credit ISUs (as a percentage of the total number of ISUs across all Domains), the Consumed ISUs (according to the activated services and WAN accesses bandwidths) and the number of Available ISUs (= Allocated - Consumed) are computed and displayed:
■ Administrative state: to Enable or Disable the whole Domain. When a Domain is disabled, ip|boss services are stopped for this Domain. As a consequence, the Correlation Records are not collected and no data is collected in ip|dashboard or in the reports. ip|engines nevertheless keep on running (so there is no impact on Application Control, redundancy elimination, acceleration, etc.).
■ Timezone: to choose the time zone for the Domain:
– ip|reporter’s timing will be based on this value;
– in ip|dashboard, it is possible to choose between this value (thus allowing the User to align the timing in ip|dashboard’s graphs with that of ip|reporter’s reports) and the local time zone (thus allowing the User to display the graphs with their local time).
■ Access port: port used by the client for that Domain (0 by default; 0 stands for a dynamic port).
■ Reversor enabled: to enable the reversor for that Domain.
SNMP Parameters
This frame allows configuring the SNMP agent of ip|boss:
■ SNMP Port: to specify the port number of the SNMP agent. Each Domain (on the same server) must use its own SNMP port, different from the SNMP port of the other Domains.
■ SNMP IP Address: to specify the SNMP agent (ip|boss) to be polled by the SNMP Manager (ip|reporter). By default, it is the same as ip|boss server’s. You can specify a different one in case of multiple interfaces on ip|boss, or a servers cluster (declare the cluster’s virtual IP address).
■ Community name: to specify the community name (’public’ by default).
ip|reporter parameters
This frame allows configuring ip|reporter in order to create/delete reports in InfoVista Server:
■ Mode: the version of InfoVista’s VistaFoundation platform must be specified here: it can be VF0 or VF4, according to the version that was installed. If you don’t have any ip|reporter server, select Disabled.
■ The next field depends on the selected VistaFoundation platform:
– If you are using VF0: IV Server allows you to select an InfoVista server from the drop-down list. If the InfoVista server you want to use has not been created yet, you can create it from this window, by clicking on the New button next to the selection box. Alternatively, you can use the IV Server function in the Reporting provisioning menu (described below).
– If you are using VF4: Group allows you to select a servers Group from the drop-down list. If the servers Group you want to use has not been created yet, you can create it from this window, by clicking on the New button next to the selection box. Alternatively, you can use the Server Group function in the Reporting provisioning menu (described below).
■ Logo URL: to customize the logo in the reports (one logo per Domain). The size of the logo should not exceed 150 x 80 pixels; most common formats are supported (gif, jpg and png). This logo will be visible only through a web access.
Tuning
This frame allows configuring the maximum number of Application Groups and User subnets, the HTTP timeout and the data collection periods between ip|boss and ip|engines and between ip|reporter and ip|boss (the latter being used as the reporting polling period):
■ Maximum number of Application Groups: the administrator can limit the number of Application Groups; -1 (default value) allows an unlimited number,
■ Maximum number of User subnets: the administrator can limit the number of User subnets; -1 (default value) allows an unlimited number,
■ HTTP timeout: the timeout (in seconds) used on HTTP (or HTTPS) requests; the time entered must be consistent with the network (more than the max. RTT for the most distant ip|engine),
■ Supervision: the polling period of ip|engine updated status (default values should be used):
– 1 mn: ip|boss collects the supervision status every minute (default value),
– 5 mn: ip|boss collects the supervision status every 5 minutes,
– 15 mn: ip|boss collects the supervision status every 15 minutes.
■ Collect: the elementary period of the Correlation Records generation (packets collected during the specified time) and collect period for ip|boss (default values should be used):
– 1 mn: ip|engines make a CR and are polled every minute (default value),
– 5 mn: ip|engines make a CR and are polled every 5 minutes,
– 15 mn: ip|engines make a CR and are polled every 15 minutes.
This parameter is used for ip|dashboard’s real time flows updates and corresponds to ip|boss’ alarms “Trigger occurrences”.
■ Short reporting: update period for clients of collector service (SNMP agent) for short period reports (default values should be used):
– 1 mn: the SNMP data are updated by ip|boss every minute (default value),
– 5 mn: the SNMP data are updated by ip|boss every 5 minutes,
– 15 mn: the SNMP data are updated by ip|boss every quarter of an hour.
This parameter is used for some reports in Ipanema Libraries like Time Evolution, Detailed per Application, Detailed per Application Group, etc.
■ Long reporting: update period for clients of collector service (SNMP agent) for long period reports (default values should be used):
– 5 mn: the SNMP data are updated by ip|boss every 5 minutes,
– 15 mn: the SNMP data are updated by ip|boss every quarter of an hour (default value).
This parameter is used for some reports in Ipanema Libraries such as dashboard, Site Talker/Listener, Subnet Talker/Listener, etc.
User management
The seventh and last frame allows enabling Remote Authentication Dial-In User Service (RADIUS) accounting for the Domain:
■ Radius Accounting: to enable (when the check box is checked) or disable (when the check box is unchecked) RADIUS accounting.
To see the RADIUS parameters, please refer to the “Create Radius servers” section below.
The Storage tab allows setting the data lifetime in ip|dashboard: up to 3 days of per-minute data (i.e. the last 72 hours, or 4320 minutes of measured traffic) can be stored in the database and displayed.
Domain creation window, ’Storage’ tab
■ Per minute data lifetime (in hours, from 3, meaning no history beyond the last 3 hours, to 72): number of hours of per minute data in all evolution quadrants, when the selected time span is the minute (then they display 3 hours of per minute information),
Example: Throughput Evolution quadrant, with time span: min
■ Per minute application flows lifetime (in hours, from 0, meaning no history, to 72): number of hours of per minute data in the flows lists, when the selected time span is the minute (then they display values averaged over a minute),
■ Per hour data lifetime (in days, from 0, meaning no hourly aggregation, to 3): number of days of aggregated data in all evolution quadrants, when the selected time span is the hour (then they display 3 days of hourly aggregated information),
Example: Throughput Evolution quadrant, with time span: hour
■ Per hour application flows lifetime (in days, from 0, meaning no hourly aggregation, to 3): number of days of per minute data in the flows lists, when the selected time span is the hour (then they display values averaged over an hour),
■ Disk size limit (in Bytes, KB, MB, GB, TB); syntax: the desired value followed by the prefix multiplier (B, K, M, G or T) with no space (e.g. “500G”): provided storage lifetimes are configured, an additional Disk size limit can be set as a safety net. History does not go beyond the first of the two limits being met (e.g., if the disk used meets the ’Disk size limit’ after 2 days, the new data will replace the 2-day old data, thus keeping 2 days of information only, even though the Per hour lifetimes have been set to 3 days).
Whatever the configuration, data collection will stop if more than 90% of the physical hard disk capacity is used.
Technical Notes can help you size the server resources (CPU, RAM, HD) depending on various factors, such as the number of Domains, the number of Sites, data lifetime, etc.
Default parameters
■ When migrating a Domain from SALSA v7 to SALSA v8, the default values are: 3, 0, 0, 0, which is completely equivalent to what we had in SALSA v7 (no history, and the time span could not be set: it was a minute, as there was no hourly aggregation).
■ When creating a new Domain, the default values are: 3, 3, 3, 3 (3 hours of history in the flows lists, hourly aggregation during 3 days).
When done, you need to click on Validate or Apply:
■ The Ok button creates the Domain and closes the window.
■ The Apply button creates the Domain and keeps the window open. This is useful when you want to create several Domains.
■ The Cancel button closes the window without creating any Domain. Use Cancel after an Apply.
An Update is mandatory for the changes to be saved and taken into account: click on the Update button.
The Domains’ parameters can be read in the Domains window and in the Inventory window.
After a Domain creation (“HMS” in the example below) the following directory tree is created on ip|boss server (by default in ~\salsa\ipboss\server\domains\):
3.4.2.2. Move a Domain
Refer to the document “DomainMove.pdf” provided on the DVD-ROM, in the \doc directory.
3.4.3. Radius
The Radius feature allows the user to:
■ Define several Radius servers,
■ Distinguish accounting servers from authentication servers,
■ Select the server selection algorithm.
The Radius configuration is common to all Domains. For each Domain, the Radius management can be activated or not (refer to the “Create a Domain” section above). If the Radius management is not activated, or if all declared Radius servers are unreachable, the system automatically falls back to the embedded ip|boss users management mode.
The Radius window can be displayed by clicking on Radius in ip|uniboss Toolbar:
Radius window
This window contains two tabs: Configuration and Accounting servers.
■ Configuration
This tab allows you to configure the RADIUS accounting parameters:
■ Retry: number of times the server will attempt to contact the Radius servers before falling back to the embedded ip|boss users management mode; default value is 3;
■ Timeout: time interval in seconds to wait for the Radius server to respond before a timeout; default value is 10 seconds;
■ Dead time: duration between two accesses to an unreachable Radius server (a server is considered unreachable when the configured number of retries has been reached without receiving a response within the specified timeout); value 0 means that a server is never removed from the list of available servers; default value is 10 minutes;
■ Selection algorithm: allows you to choose between a serial and a round-robin algorithm to select the server, when there are several of them:
– serial: the available servers are used one after the other, using the configured timeout and retry. The order is based on the priority attribute: the lower priority value is taken first.
– round robin: the available servers are used randomly, using the configured timeout and a retry set to 1. When all servers have been tried, a second loop is done, and so on depending on the retry value. The order is based on the priority attribute: the lower priority value is taken first.
■ Accounting servers
This tab allows you to create, modify or delete Accounting servers.
Click on the New icon in the Accounting tab to create a new Accounting server.
Accounting server creation window
The Accounting server creation window contains 5 fields:
■ Priority: value between 0 and 32767 used to define different priority levels between the different servers, when there are several ones; the higher the value, the lower the priority; default value is 10,
■ Name: name you want to give the server (50 characters max); names must be unique across the servers dictionary,
■ Host name: IP address or host name of the server (50 characters max),
■ Port: port on which the server is listening to accounting requests (generally UDP/1646),
■ Shared secret: shared secret for Radius authentication; it must consist of 15 or fewer printable, non space, ASCII characters; it should have the same qualifications as a well-chosen password.
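The Configuration and Accounting servers settings described above, modelled as an added example (not Ipanema code): it checks the Accounting server field limits and shows in which order servers are tried under each selection algorithm, including the dead time and the fallback to the embedded ip|boss users management. Class names, function names and the sample servers are hypothetical; round robin is ordered by priority, as the last sentence of that item states, and rejecting an empty shared secret or an out-of-range port is an assumption.

```python
"""Added example, not Ipanema code: a model of the RADIUS accounting settings.
Limits and defaults are the manual's; all names are hypothetical."""
import string
from dataclasses import dataclass

# Printable ASCII without whitespace: the alphabet allowed for the shared secret.
SECRET_ALPHABET = set(string.printable) - set(string.whitespace)


@dataclass
class AccountingServer:
    name: str
    host: str
    port: int
    secret: str
    priority: int = 10        # manual default; the lower value is tried first
    dead_until: float = 0.0   # time in seconds until which the server is skipped


def validate(servers):
    """Return one message per violated field constraint."""
    problems, seen = [], set()
    for s in servers:
        if not 0 <= s.priority <= 32767:
            problems.append(f"{s.name}: priority must be between 0 and 32767")
        if not 1 <= len(s.name) <= 50 or s.name in seen:
            problems.append(f"{s.name}: name must be unique, 50 characters max")
        seen.add(s.name)
        if not 1 <= len(s.host) <= 50:
            problems.append(f"{s.name}: host name must be 50 characters max")
        if not 1 <= s.port <= 65535:  # assumption: any valid UDP port
            problems.append(f"{s.name}: port must be between 1 and 65535")
        # Assumption: an empty secret is rejected; the manual only caps the length.
        if not 1 <= len(s.secret) <= 15 or not set(s.secret) <= SECRET_ALPHABET:
            problems.append(f"{s.name}: shared secret must be 1-15 printable, "
                            "non-space ASCII characters")
    return problems


def attempt_plan(servers, algorithm, retry=3, now=0.0):
    """Ordered server names to try before falling back to embedded users."""
    alive = sorted((s for s in servers if s.dead_until <= now),
                   key=lambda s: s.priority)
    if algorithm == "serial":        # exhaust the retries on one server, then move on
        return [s.name for s in alive for _ in range(retry)]
    if algorithm == "round-robin":   # one try per server per loop, `retry` loops
        return [s.name for _ in range(retry) for s in alive]
    raise ValueError(f"unknown selection algorithm: {algorithm}")


def send_accounting(servers, algorithm, reachable, retry=3, dead_time_min=10, now=0.0):
    """Walk the plan. `reachable` (a set of names) stands in for a real request
    answered within the timeout. Returns (who handled it, attempts made)."""
    by_name = {s.name: s for s in servers}
    failures, tried = {}, []
    for name in attempt_plan(servers, algorithm, retry, now):
        tried.append(name)
        if name in reachable:
            return name, tried
        failures[name] = failures.get(name, 0) + 1
        # After `retry` unanswered tries the server is unreachable and is skipped
        # for the dead time; a dead time of 0 never removes it from the list.
        if failures[name] == retry and dead_time_min > 0:
            by_name[name].dead_until = now + dead_time_min * 60
    return "embedded ip|boss users", tried


def sample_servers():
    """Constructed sample data (documentation addresses, made-up secrets)."""
    return [
        AccountingServer("rad-backup", "192.0.2.20", 1646, "s3cret-Backup!", priority=20),
        AccountingServer("rad-main", "192.0.2.10", 1646, "s3cret-Main!"),
    ]


if __name__ == "__main__":
    servers = sample_servers()
    print(validate(servers))
    print(attempt_plan(servers, "serial"))
    print(attempt_plan(servers, "round-robin"))
    print(send_accounting(servers, "serial", reachable={"rad-backup"}))
    print(attempt_plan(servers, "serial", now=60.0))  # rad-main is in its dead time
```
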
3.5. REPORTING PROVISIONING
The Reporting provisioning menu contains four functions: ip|reporter web portals, VistaMart, Server Group and IV Server. It allows you to configure the ip|reporter components, which differ according to the InfoVista platform being used (VistaFoundation 0 or VistaFoundation 4):
ip|reporter’s architecture with InfoVista’s VF0
ip|reporter’s architecture with InfoVista’s VF4
3.5.1. ip|reporter web portals (VF0 and VF4)
The ip|reporter web portals window can be displayed by clicking on ip|reporter web portals in ip|uniboss Toolbar:
ip|reporter web portal’s window
This window shows all created ip|reporter web portals in a table with 5 columns:
■ Host name (mandatory parameter),
■ Description: a short description can be written for each ip|reporter web portal (not mandatory),
■ Mode: it can be either VF0 or VF4, according to the version of InfoVista platform being installed (mandatory parameter),
■ Base URL: the URL extension to be used to reach the portal; default values are “PortalSE” with VF0 and “VPortal” with VF4 (mandatory parameter),
■ HTTP Port: port being used, if defined (not mandatory).
Click on the New icon to create a new ip|reporter web portal.
ip|reporter web portal creation window
The 5 parameters in this window are described above.
3.5.2. VistaMart (VF4 only)
The VistaMart window can be displayed by clicking on VistaMart in ip|uniboss Toolbar:
VistaMart window
This window shows all created VistaMart servers in a table with 7 columns:
■ A status LED, which can be:
– green (Operational state = reachable),
– red (Operational state = unreachable),
– grey (when a new VistaMart server has been created but before the configuration has been updated),
■ Host name,
■ Version: VistaMart version (this piece of information is polled from the server),
■ Description: description for the VistaMart server,
■ Port: port being used to access the VistaMart server,
■ Login: login to the VistaMart server,
■ ip|reporter web portal: ip|reporter web portal that runs the VistaPortal attached to the VistaMart server.
Click on the New icon to create a new VistaMart server.
VistaMart creation window
The VistaMart creation window contains 7 fields:
■ Host name,
■ Description: a short description can be written for each VistaMart server,
■ Port: port being used to access the VistaMart server; default value is 11080,
■ Login: login to the VistaMart server; default login is vmar_operator,
■ Password and Confirm password: the password, if any, must be typed in twice,
■ ip|reporter web portal: the ip|reporter web portal that runs the VistaPortal attached to the VistaMart server can be selected from a drop-down list. A new ip|reporter web portal can be created using the New button next to the selection box. It opens the same creation window as described in the previous section.
3.5.3. Server Group (VF4 only)
In InfoVista, a server belongs to a Group, and an Ipanema Domain is allocated to a Group. A Group can be made of several servers, according to required capacity.
The Server Group window can be displayed by clicking on Server Group in ip|uniboss Toolbar:
Server Group window
This window shows all created Groups in a table with three columns:
■ Name: name of the Group (mandatory parameter),
■ VistaMart: VistaMart server that manages this Group (mandatory parameter),
■ Description: short description for that Group (not mandatory).
Click on the New icon to create a new Group.
Group creation window
The three parameters in this window are described above.
3.5.4. IV Server
The IV Server window can be displayed by clicking on IV Server in ip|uniboss Toolbar:
IV Server window
This window shows all created IV Servers in a table with 12 columns:
■ Host name: IV Server host name,
■ Server Group (VF4 only): Group the IV Server belongs to,
■ Description: short description for the IV Server,
■ Viewer username (VF4 only): identifier used by VistaPortal SE to get connected to IV Server (’viewer’ by default),
■ Viewer password (VF4 only): password for the Viewer username on the IV Server (no password by default for the ’viewer’ login),
■ Username: login to the IV Server (’administrator’ by default),
■ Password: password for the Username on the IV Server (no password by default for the ’administrator’ login),
■ ip|reporter web portal (VF0 only): ip|reporter web portal (VistaPortal SE server) connected to IV Server.
■ Port mapper: port used by the services based on Remote Procedure Call (RPC) which do not listen for requests on a “well-known” port, but rather pick an arbitrary port when initialized; they then register this port with a Portmapper service running on the same machine. Default value for IV Server is 1275.
■ Manager: TCP port configured in the IV Server for the manager service (0 for a dynamic port),
■ Collector: TCP port configured in the IV Server for the collector service (0 for a dynamic port),
■ Browser: TCP port configured in the IV Server for the browser service (0 for a dynamic port).
The 3 previous fields are optional (used in firewall environment).
Click on the New icon to create a new IV Server.
This window contains two tabs, Basic and Advanced.
■ Basic contains the following parameters: Host name (mandatory), Server Group (VF4 only, mandatory), Description (not mandatory), Username (default value: ’administrator’; mandatory), Password (there is no password by default for the ’administrator’ login; not mandatory) and ip|reporter web portal (VF0 only, not mandatory)
■ Advanced contains the following parameters: Viewer username (VF4 only, default value: viewer; mandatory), Viewer password (VF4 only, not mandatory), Port mapper (default value: 1275; mandatory), Manager (not mandatory), Collector (not mandatory), Browser (not mandatory)

All these parameters are described above. There is one more field, at the top of the creation window, to select the VistaFoundation version:
■ Mode: select either VF0 or VF4 with the radio buttons, according to InfoVista’s platform version being installed.

IV Server creation window (two tabs), with VF0 selected

IV Server creation window (two tabs), with VF4 selected
3. 6. MANAGING USERS

UNIFIED USER MANAGEMENT

SALSA can be configured to enable different types of user accesses to its resources:
■ Internal or external:
  – internal: authentication and authorization are performed by ip|uniboss’s internal LDAP; Users only have to be declared in ip|uniboss (see 3.6.1.);
  – external:
    • authentication is performed by an external LDAP (see 3.6.5.) or using the SAML service (see 3.6.6.);
    • authorization is performed by ip|uniboss’s LDAP, at the Users (see 3.6.1.) and/or at the User Groups (see 3.6.2.) levels; when defined at both levels, authorizations are merged.
  If authentication is external, whatever the method (LDAP or SAML), it is always possible to use an “internal” URL to perform authentication using SALSA users only. Internal authentication is not impacted by the different external services. To use it, simply replace “salsa” in SALSA portal URL (https:///salsa/salsa_portal/) by “internal” (https:///internal/salsa_portal/) — this also applies to all URLs used in the SALSA suite.
■ Manual or automatic:
  – manual: users supply their credentials on logging in SALSA portal (no configuration is required in SALSA — this is the default);
  – automatic: the users’ credentials can be supplied in the URL (see 3.6.3.) or the user name can be passed as an HTTP header, without authentication — only permissions are checked using the user name and the group supplied in the request headers (see 3.6.4.).

The sections below describe how to configure SALSA to enable these different accesses to its resources:
■ 3.6.1. System administration: Users (ip|uniboss)
■ 3.6.2. System administration: User Groups (ip|uniboss)
■ 3.6.3. User credentials supplied in the URL
■ 3.6.4. User name as an HTTP header
■ 3.6.5. External LDAP authentication
■ 3.6.6. External SAML authentication
3. 6. 1. System administration: Users

User access types to SALSA resources

To create internal Users, select System administration in the Toolbar, then Users. The Users window is displayed:

External Users can belong to User Groups (see the next section), in which case they do not have to be created as (individual) Users with the procedure described here. If they are defined at both levels, their authorizations are merged.

Users window

This window shows a table with the following columns:
■ Name: User name,
■ Groups: User Groups the User belongs to,
■ Locale: shows the User’s preferred language,
■ Tag: free field,
■ ip|uniboss rights: shows the User’s rights on ip|uniboss (three levels: no access (blank), ’read only’ or ’read/write’),
■ Domains: shows the Domains the User can access (’*’: the User can access all Domains),
■ ip|boss access: shows whether the User has access to ip|boss or not (*),
■ ip|dashboard access: shows whether the User has access to ip|dashboard or not (*),
■ Discovery: shows whether the User can use the Discovery function or not (*),
■ Application Flows: shows whether the User has access to the Real-time Flows or not (*),
■ Real-time Graph: shows whether the User has access to the Real-time Graphs or not (*),
■ SSL Configuration: shows whether the User can configure SSL optimization (*),
■ iPhone access: shows whether the User has access to the Ipanema system via the ad hoc iPhone software application or not (*),
■ ip|reporter access: shows whether the User has access to the reports or not (*).

(*): Access is granted when these columns display ’access’; it is denied when they are blank.
Click on the New icon to create a new User:

User creation window
This window contains the following fields:
■ Name: User name,
■ Password and Confirm password: the password for the User must be typed in twice,
■ Groups: allows specifying which User Groups the User belongs to. Including Users in Groups allows authenticating them with external LDAPs (see the “User Groups” section below). When a User belongs to several Groups, their rights are merged, with the higher rights of all Groups (e.g. if a User belongs to a Group with read only rights on ip|boss for a Domain, and to another Group with read and write rights on ip|boss for the same Domain, then they will get read and write rights).
  – The left frame shows the User Groups the User does not belong to (all existing groups before any selection has been made),
  – the right frame shows the User Groups the User does belong to.
  One can include the User in one or more User Groups by moving the Groups from one frame to the other using the different arrows:
  – to move all Groups to the right frame,
  – to move the Groups selected in the left frame to the right (i.e. include the User in these Groups),
  – to move the Groups selected in the right frame to the left (i.e. to exclude the User from these Groups),
  – to move all Groups to the left frame (the User will not belong to any Group; they will not be authenticated by any external LDAP, but by the embedded one only).
■ Locale: in the current version you can only select “English”,
■ Tag: free field.

The next 6 frames are totally identical to the 6 frames in the User Group creation window (described in the next section), except that they allow defining the rights of individual Users, instead of User Groups.

ip|uniboss
■ ip|uniboss rights: allows giving read only or read/write access to ip|uniboss (no access at all by default).
domains

This frame allows restricting the User access on certain Domains only when they use ip|boss, ip|dashboard or ip|reporter (this frame does not affect ip|uniboss, as ip|uniboss is the piece of software that allows creating Domains — so it shows them all):
■ All domains: if the box is checked, then the User is granted an access to all Domains; if not, they are only granted an access to the Domains selected below,
■ Domains: allows specifying which Domains the User can access (greyed if the previous check box has been selected).
  – The left frame shows the Domains the User cannot access (all existing Domains before any selection has been made),
  – the right frame shows the Domains the User can access.
  One can grant the User access to one or more Domains by moving them from one frame to the other:
  – Click “All Domains” above the left frame to move all Domains to the right frame (the User will have access to all Domains),
  – to move the Domains selected in the left frame to the right (i.e. to grant the access to these Domains),
  – to move all Domains to the right frame (it is equivalent to selecting the “All domains” box, but for the already existing Domains only),
  – to move the Domains selected in the right frame to the left (i.e. to deny the access to these Domains),
  – to move all Domains to the left frame (the User will not have access to any Domain!).
ip|boss
■ ip|boss access: checking this box grants access to ip|boss; then the access levels must be specified for each menu (below);
■ System administration, Service activation, Supervision, Reporting, Application provisioning and System provisioning: if access is granted to ip|boss (above), one must select the access level for each of the six ip|boss menus from the corresponding drop-down list (’read only’ or ’read/write’; blank by default — i.e. no access);

ip|dashboard
■ ip|dashboard access: checking this box grants access to ip|dashboard’s basic functions, i.e. all views and functions except the Discovery, Real-time Flows, Real-time Graphs and SSL configuration; access to these views and functions can be set independently, thanks to the following check boxes:
■ Discovery, Application Flows and Real-time Graph: checking these boxes grants access to the corresponding function and views;
■ SSL Configuration: checking this box allows the User to enter the SSL certificate necessary to accelerate SSL traffic;

iPhone
■ iPhone access: checking this box grants access to the simplified dashboard thanks to the ad hoc iPhone application.

ip|reporter
■ ip|reporter access: checking this box grants access to the reports; access rights can be defined precisely thanks to the following filters (note that they are case sensitive):
■ MetaView: one can grant the User an access to the reports on certain MetaViews only.
  – Syntax in VF0:
    • “*” alone: any text string (default value)
    • “.”: any character
    • “.*” before or after a text: any text string before or after that text
    • “|”: OR logical operator
    Examples:
    • “Site”: reports on all Sites (but on Sites only)
    • “Domain|Site”: Domain and Sites reports
    • “Application Group.*Internet”: reports on AGs containing “Internet”
  – Syntax in VF4:
    • “*”: any text string
■ Period: access to the reports can be per periods (hour, day, week, month).
  – “*”: grant an access to all four periods (default value)
  – “hour”, “day”, “week”, “month”: grant an access to the corresponding period
  – “|”: OR logical operator (VF0 only)
  – Example (in VF0): “week|month” grants an access to the weekly and monthly reports.
■ Report: one can give the User an access to certain reports only.
  – “*”: grant an access to all reports (default value)
  – “|”: OR logical operator (VF0 only)
  – Example (in VF0): “slm|sla” grants an access to the SLM and SLA reports only.
■ Note: combining the three previous filters allows defining the access rights very precisely. For instance, one can grant an access to one report only. E.g., to grant access to SLM - Application Synthesis monthly report, on Site HQ (mind the case sensitivity!):
  – MetaView: “Site.*HQ”
  – Period: “month”
  – Report: “slm - application synthesis”
■ Navigation mode (VF0 only): one can choose between three values:
  – All: the User can navigate in the Sites reports using either the Sites MetaViews folders or the two Navigation hierarchical levels (called “Folder” and “Subfolder” in ip|engines window),
  – No navigation: the User can navigate in the Sites reports using the Sites MetaViews folders only (they cannot select “Navigation” and navigate using the two Navigation hierarchical levels),
  – No Folder: the User can navigate in the Sites reports using the two Navigation hierarchical levels only (they cannot select Folder and navigate using the MetaViews folders, so they cannot access reports other than Sites reports — the only ones that are accessible through the Navigation menu).
■ Folder (VF0 only) and Subfolder (VF0 only): for Users who navigate using the Navigation menu, one can specify which Folders and Subfolders (as defined in ip|engines creation window, e.g.: Continents and Countries) they can access (the default is *, i.e. any string of characters).
■ Scope: one can give the User an access to
  – the public reports only (by selecting ’public’),
  – or to the private reports only (by selecting ’private’),
  – or to both the public and the private reports (by selecting ’All’).

When a User is created, they have no access to any component, by default.
3. 6. 2. System administration: User Groups

User access types to SALSA resources

Users can be created in SALSA’s internal LDAP (see the previous section), but it is also possible to allow Users defined in an external LDAP to access SALSA by defining the User Groups they belong to and the User rights for these groups (described here), and by enabling and configuring the service. In this case, authentication is performed by an external LDAP (see 3.6.5.) or using the SAML service (see 3.6.6.), and authorization is performed by SALSA’s embedded LDAP.

External Users belonging to User Groups do not have to be created as (individual) Users with the procedure described in the previous section. Yet, if they are defined at both levels, their authorizations are merged.

In the Toolbar, select User Groups. The User Groups window is displayed:

User Groups window

This window shows a table with 15 columns:
■ Name: User Group name,
■ Description,
■ All users: shows whether all Users belong to the Group or not,
■ Internal users: shows the internal Users (created in ip|uniboss’s embedded LDAP) belonging to the Group,
■ External users: shows the external Users (created in external LDAPs) belonging to the Group,
■ ip|uniboss rights: shows the User Group’s rights on ip|uniboss (three levels: no access (blank), ’read only’ or ’read/write’),
■ Domains: shows the Domains the Group can access (’*’: access to all Domains),
■ ip|boss access: shows whether the Group has an access to ip|boss or not (*),
■ ip|dashboard access: shows whether the Group has an access to ip|dashboard or not (*),
■ Discovery: shows whether the Group can use the Discovery function or not (*),
■ Application Flows: shows whether the Group has access to the Real-time Flows or not (*),
■ Real-time Graph: shows whether the Group has access to the Real-time Graphs or not (*),
■ SSL Configuration: shows whether the Group can configure SSL optimization (*),
■ iPhone access: shows whether the Group has an access to the Ipanema system via the ad hoc iPhone software application or not (*),
■ ip|reporter access: shows whether the Group has an access to the reports or not (*).

(*): Access is granted when these columns display ’access’; it is denied when they are blank.
Click on the New icon to create a new User Group:

User Group creation window

This window contains the following fields:
■ Name: User Group name,
■ Description (optional field),

Users
■ All users: if this box is checked, all the Users will belong to that Group.
■ Internal users: allows specifying which internal Users (created in ip|uniboss’s embedded LDAP) belong to that Group:
  – The left frame shows the internal Users who do not belong to that Group,
  – the right frame shows the internal Users who do belong to that Group.
  One can include one or more Users in the User Group by moving the Users from one frame to the other using the different arrows:
  – to move all internal users to the right frame,
  – to move the internal users selected in the left frame to the right (i.e. include them in the User Group),
  – to move the internal users selected in the right frame to the left (i.e. to exclude them from the User Group),
  – to move all internal users to the left frame (there will be no internal user in that Group).
■ External users: allows creating, modifying or deleting external Users (i.e. Users defined in external LDAPs). You can create an external user in the Group with the New button. A pop-up window then opens, where you have to specify the User name:

New External User

The name you choose here must match the name of the User in the external LDAP: when the User logs in, if external, their name will be passed on to the external LDAP for authentication, prior to authorization according to their rights as defined in ip|uniboss (either at the User level, or for the Groups they belong to).

External users can be modified or deleted with the ad hoc buttons (Modify / Delete).

These operations (creation, modification and deletion) only impact ip|uniboss’ embedded LDAP (no User can be created in, modified or deleted from an external LDAP via ip|uniboss menus).

The next 6 frames are totally identical to the 6 frames in the User creation window (described in the previous section), except that they allow defining the rights of User Groups, instead of individual Users. Please refer to 3.6.1. System administration: Users for detailed explanations.
■ ip|uniboss
■ domains
■ ip|boss
■ ip|dashboard
■ iPhone
■ ip|reporter

When a User Group is created, it has no access to any component, by default.
3. 6. 3. User credentials supplied in the URL

User access types to SALSA resources

This service allows providing the credentials needed for authentication directly in the URL. Authentication is automatic and SALSA login page is skipped. Authentication is achieved using SALSA internal LDAP, and possibly an external LDAP, if configured (see 3.6.5. External LDAP authentication). Authorizations for the user are computed using information stored in the internal LDAP server.

This service is not compatible with the SAML service described in 3.6.6. External SAML authentication.

3. 6. 3. 1. Enabling the service

The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-ipaas.conf”;
2. Replace “false” by “true” in the “SetEnvIf” line:
   SetEnvIf SERVER_PROTOCOL ".*" IPAAS_ENABLED=true
3. Save the modifications and restart Apache.
3. 6. 3. 2. Using the service

To skip the login page, simply replace “salsa” by “ipaas” in the URL and provide the user credentials using a dedicated query parameter: ip_auth.

The URL must be of the form: https:///ipaas/.

ip_auth query parameter should be built as follows: ip_auth= where is the concatenation of “Basic%20” and base 64 encoding of the string “:”. Base 64 encoding must be performed before calling the URL.

The resulting parameter string for a user “administrator” using password “admin” is:
   ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==

The resulting URL for this user to access SALSA portal is:
   https:///ipaas/salsa_portal/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==

It is also possible to use this syntax with all components of the SALSA suite. For instance, to access the reports of Domain “ACME”:
   https:///ipaas/ipreporter_portal/ACME/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==
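Because ip_auth carries the password in the query string, it is written wherever URLs are recorded, such as web server access logs and Referer headers. The following added example (not part of the Ipanema documentation or software) builds the parameter as described above and redacts it from log lines while listing the accounts whose password was exposed; the host name, request paths and log lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# ip_auth as a query parameter, wherever a URL was recorded
# (request line or Referer field of an access-log entry).
IP_AUTH_RE = re.compile(r'(?P<key>[?&]ip_auth=)(?P<value>[^&\s"]*)')

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2014:10:00:00 +0200] '
    '"GET /ipaas/salsa_portal/?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg== HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Oct/2014:10:00:02 +0200] '
    '"GET /salsa/static/logo.png HTTP/1.1" 200 900 '
    '"https://salsa.example.test/ipaas/ipreporter_portal/ACME/'
    '?ip_auth=Basic%20YWRtaW5pc3RyYXRvcjphZG1pbg==" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Oct/2014:10:00:05 +0200] '
    '"GET /salsa/salsa_portal/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def build_ip_auth(user, password):
    """Build the value from 3.6.3.2: "Basic%20" + base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic%20" + token


def decode_ip_auth(value):
    """Return (user, password) for a well-formed ip_auth value, else None."""
    scheme, _, token = unquote(value).partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def scrub_log_line(line):
    """Redact every ip_auth value in one log line.

    Returns (scrubbed_line, users): users lists the account names whose
    password appeared in the line and should therefore be changed.
    """
    users = []

    def _redact(match):
        creds = decode_ip_auth(match.group("value"))
        if creds:
            users.append(creds[0])
        return match.group("key") + "REDACTED"

    return IP_AUTH_RE.sub(_redact, line), users


def scrub_log(lines):
    """Scrub a whole log; return (scrubbed_lines, sorted exposed accounts)."""
    scrubbed, exposed = [], set()
    for line in lines:
        clean, users = scrub_log_line(line)
        scrubbed.append(clean)
        exposed.update(users)
    return scrubbed, sorted(exposed)


if __name__ == "__main__":
    clean_lines, accounts = scrub_log(SAMPLE_LOG)
    print("\n".join(clean_lines))
    print("accounts to rotate:", accounts)
```

Base 64 is an encoding, not encryption, so any reader of an unscrubbed log recovers the password exactly as decode_ip_auth does.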
3. 6. 4. User name as an HTTP header

User access types to SALSA resources

This service allows skipping the login page and authentication phase, but it requires using a proxy in front of SALSA Apache server. The user name must be supplied as an HTTP header and it is used to compute the authorizations.

3. 6. 4. 1. Enabling the service

The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-ext.conf”;
2. Replace “Off” by “On” in the “SalsaExtAuthn” line:
   SalsaExtAuthn On
3. Uncomment the “SalsaExtAuthnAllow” line and specify the host name or the IP address of your proxy server; example with a proxy on 172.1.1.1:
   SalsaExtAuthnAllow from 172.1.1.1
   For the directive “SalsaExtAuthnAllow”, you can use “all” instead of the address to disable the check on the proxy, or any mask of the Apache “allow” directive (http://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html#allow), but be very careful if you use “all”, as this can be a security hole (any host providing a correct HTTP header will be a trusted one!)
4. Save the modifications and restart Apache.
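One way to check an httpd-salsa-ext.conf file for the risk described in step 3, as an added example that is not part of the Ipanema documentation or software. It assumes SalsaExtAuthnAllow accepts the same host forms as the Apache “allow” directive, as the step states; the sample configurations and the severity labels are constructed for illustration.

```python
import ipaddress
import re

# One to three leading octets, e.g. "10" or "10.1" (a partial-address mask).
PARTIAL_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.?$")

# Constructed sample configurations (not shipped files).
WEAK_CONF = """\
SalsaExtAuthn On
SalsaExtAuthnAllow from all
"""
FIXED_CONF = """\
SalsaExtAuthn On
SalsaExtAuthnAllow from 172.1.1.1
"""
DISABLED_CONF = """\
SalsaExtAuthn Off
# SalsaExtAuthnAllow from 172.1.1.1
"""


def active_directives(conf_text):
    """Return [(lowercased name, [args])] for every uncommented line."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            found.append((name.lower(), args))
    return found


def classify_source(spec):
    """Rate one host specification given to SalsaExtAuthnAllow."""
    if spec.lower() == "all":
        return ("HIGH", "'all' disables the check on the proxy address")
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        if PARTIAL_IP.match(spec):
            octets = len(spec.rstrip(".").split("."))
            return ("WARN", f"partial address {spec} trusts a whole /{8 * octets} network")
        return ("REVIEW", f"{spec} is a host or domain name; confirm what it resolves to")
    if net.num_addresses == 1:
        return ("OK", f"single trusted proxy {net.network_address}")
    return ("WARN", f"{spec} trusts {net.num_addresses} addresses")


def audit(conf_text):
    """Return a list of (severity, message) findings for the file content."""
    directives = active_directives(conf_text)
    switch = [args for name, args in directives if name == "salsaextauthn"]
    if not switch or not switch[-1] or switch[-1][0].lower() != "on":
        return [("OK", "SalsaExtAuthn is not On: header service disabled")]
    specs = [arg
             for name, args in directives if name == "salsaextauthnallow"
             for arg in args if arg.lower() != "from"]
    if not specs:
        # What the module accepts in this case is not documented on this page.
        return [("REVIEW", "SalsaExtAuthn On without an active SalsaExtAuthnAllow line")]
    return [classify_source(spec) for spec in specs]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF),
                        ("disabled", DISABLED_CONF)):
        for severity, message in audit(conf):
            print(f"{label}: {severity}: {message}")
```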
3. 6. 4. 2. Using the service

Your proxy should provide one or two headers when transmitting the requests to the SALSA Apache server:

Header                  Value            Status     Description
REMOTE_USER             User name        mandatory  The external authenticated user
x-6307-is-user-profile  User group name  optional   If provided, should match a SALSA group name

The permissions are computed using the SALSA groups defined in ip|uniboss (see 3.6.2. System administration: User Groups) that meet one of the following conditions:
■ the “External users” list contains the user name (supplied by the REMOTE_USER header),
■ the name is equal to the user group name (supplied by the x-6307-is-user-profile header).

All authorizations given to these groups are merged to determine the user permissions.
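A small model of the group selection and merge described above, as an added example that is not SALSA’s own code. The Group class, its field names and the sample groups are constructed; “higher rights win” follows the merge rule given in 3.6.1., and taking the union of Domains and of checked boxes is an assumption. It shows that the second condition selects a group by name alone, which is why the SalsaExtAuthnAllow restriction on who may send these headers matters.

```python
from dataclasses import dataclass, field

# Access levels as displayed in ip|uniboss; blank means no access.
LEVELS = ["", "read only", "read/write"]


@dataclass
class Group:
    """Constructed stand-in for a User Group defined in ip|uniboss."""
    name: str
    external_users: set = field(default_factory=set)
    uniboss_rights: str = ""
    domains: set = field(default_factory=set)         # {"*"} = all Domains
    ipboss_menus: dict = field(default_factory=dict)  # menu name -> level
    access: set = field(default_factory=set)          # checked boxes


# Constructed sample groups.
GROUPS = [
    Group("NOC", external_users={"alice"}, domains={"ACME"},
          ipboss_menus={"Supervision": "read only"},
          access={"ip|boss access"}),
    Group("Operators", external_users={"alice"}, domains={"ACME"},
          ipboss_menus={"Supervision": "read/write", "Reporting": "read only"},
          access={"ip|boss access", "ip|dashboard access"}),
    Group("Admins", uniboss_rights="read/write", domains={"*"},
          access={"ip|boss access"}),
]


def higher(a, b):
    """Return the higher of two access levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def matching_groups(groups, remote_user, user_profile=None):
    """Apply the two conditions of 3.6.4.2 to the request headers.

    remote_user  : value of the REMOTE_USER header
    user_profile : value of the x-6307-is-user-profile header, if sent
    """
    return [g for g in groups
            if remote_user in g.external_users
            or (user_profile is not None and g.name == user_profile)]


def effective_permissions(groups, remote_user, user_profile=None):
    """Merge the authorizations of every matching group."""
    merged = {"groups": [], "uniboss": "", "domains": set(),
              "ipboss": {}, "access": set()}
    for g in matching_groups(groups, remote_user, user_profile):
        merged["groups"].append(g.name)
        merged["uniboss"] = higher(merged["uniboss"], g.uniboss_rights)
        merged["domains"] |= g.domains  # assumption: union of Domains
        for menu, level in g.ipboss_menus.items():
            merged["ipboss"][menu] = higher(merged["ipboss"].get(menu, ""), level)
        merged["access"] |= g.access    # assumption: union of checked boxes
    if "*" in merged["domains"]:
        merged["domains"] = {"*"}
    return merged


if __name__ == "__main__":
    for user, profile in (("alice", None), ("alice", "Admins"),
                          ("bob", None), ("bob", "Admins")):
        print(user, profile, effective_permissions(GROUPS, user, profile))
```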
3. 6. 5. External LDAP authentication

User access types to SALSA resources

This service allows authentication using an external LDAP.

Credentials supplied in the login page or in the URL (if the service has been activated, see the previous section) are checked during the authentication phase. The first check is done using SALSA’s internal LDAP; if the user is not found or the password doesn’t match, then a second check is performed, using the external LDAP.

3. 6. 5. 1. Enabling the service

The service is disabled by default. To enable it:
1. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-externalLDAPAlias.conf”:
2. Modify the LDAP URL in the “AuthLDAPURL” line; the syntax is explained here: http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl;
3. Add the directives required to allow Apache to communicate with your LDAP (AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPCompareAsUser, AuthLDAPCompareDNOnServer, AuthLDAPDereferenceAliases, AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern, AuthLDAPSearchAsUser, AuthLDAPUrl).
4. Save the modifications and close this configuration file.
5. Edit the Apache configuration file “apache/conf/extra/httpd-salsa-authz.conf”:
6. Add “ldap-external” at the end of the “AuthFormProvider” line;
7. Uncomment the “SalsaAuthzExternalURL” line and provide your LDAP URL (use the same as provided in the httpd-salsa-externalLDAPAlias.conf file);
8. Uncomment other directives if needed to adapt the authorization module to your LDAP server. In particular use the SalsaAuthzExternalGroupClass directive to specify the object class to use to identify the groups in your LDAP and the SalsaAuthzExternalGroupAttribute directive to specify attribute labels to use to identify the user members of groups;
9. Save the modifications and restart Apache.

Example with an active directory deployed on “my-adserver” with the base directory for the search “DC=mycompany,DC=local”:

   AuthLDAPURL "ldap://my-adserver/dc=mycompany,dc=local?sAMAccountName?sub?(objectClass=user)" NONE
“apache/conf/extra/httpd-salsa-externalLDAPAlias.conf” file

   AuthFormProvider ldap-internal ldap-external
   SalsaAuthzExternalURL "ldap://my-adserver/dc=mycompany,dc=local?sAMAccountName?sub?(objectClass=user)" NONE
   SalsaAuthzExternalGroupClass group
   SalsaAuthzExternalGroupAttribute member
“apache/conf/extra/httpd-salsa-authz.conf” file

If you use an active directory, you can speed up the authorization phase by using the matching rule “LDAP_MATCHING_RULE_IN_CHAIN” to retrieve groups of groups. In this case you must have the following lines in your apache/conf/extra/httpd-salsa-authz.conf file:

   SalsaAuthzExternalMaxSubGroupDepth 1
   SalsaAuthzExternalGroupAttribute member:1.2.840.113556.1.4.1941:
3. 6. 5. 2. Using the service

Use the login page or provide the credentials in the URL (if the service has been activated, see the previous section).

During the authentication phase, credentials are checked using SALSA’s internal LDAP; if the user is not found or the password doesn’t match then the credentials are checked a second time, using the external LDAP.

If the second check (external LDAP) is successful then user groups are retrieved in the external LDAP. This list of groups is completed with the SALSA groups defined in ip|uniboss (see 3.6.2. System administration: User Groups) where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.
3. 6. 6. External SAML authentication

User access types to SALSA resources

This service allows authentication using an SAML server (Shibboleth Identity Provider or Microsoft ADFS).

This service is not compatible with the user credentials supplied in the URL as described in 3.6.3. User credentials supplied in the URL.

3. 6. 6. 1. Enabling the service

Three steps are necessary to enable SAML authentication:
1. Provide the identity provider (IdP) metadata to the service provider (SP),
2. Activate the SAML module in SALSA Apache server,
3. Provide the service provider (SP) metadata to the identity provider (IdP).

More information on SAML, SP and IdP can be found here: https://wiki.shibboleth.net/confluence/display/SHIB2/UnderstandingShibboleth

On Windows, Shibboleth SP is not installed, so you have to install it (it is supplied on SALSA installation DVD-ROM). During installation, check "Run as 32-Bit". The installer registers a new service called “Shibboleth 2 Daemon (Default)”. (On Linux, Shibboleth SP is installed with the SALSA web server package (by default in “/opt/salsa/shibboleth-sp”) but it is not started, so you have to start it.)

Step 1: provide the identity provider (IdP) metadata to the service provider (SP)

One way to configure the Shibboleth SP is described here, but you can find all information at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

To begin, you must save the metadata of the IdP on the disk where the SP has been installed. If you use Shibboleth IdP, metadata are available at this URL: https://IdPHostname:IdPPort/idp/profile/Metadata/SAML

1. Edit “shibboleth-sp\etc\shibboleth\shibboleth2.xml”;
2. Remove the XML tag;
3. Change the “entityID” attribute located in the XML tag to one that is appropriate for your service. An https:// URL is recommended, ideally containing a logical DNS hostname associated with your service that will not change over time as physical servers do.
4. In the XML tag, change the “handlerSSL” attribute value to “true”;
5. In the same tag, change the “cookieProps” attribute value to “; path=/; secure”;
6. Replace the XML tag with SAML2, where "IdP entityID" is the entityID available in the IdP metadata file;
7. After the tag, add a tag to reference the IdP metadata file: ;
8. Save changes to the XML and restart the “Shibboleth 2 Daemon” service.
Step 2: activate the SAML module in SALSA Apache server

1. In SALSA installation directory, edit the following configuration file: “apache\conf\extra\httpd-salsa-shibboleth.conf”;
2. Uncomment the “LoadModule” line and save the file;
3. Update the Shibboleth SP path (Windows only).
4. Restart the “SALSA Apache” service.
Step 3: provide the service provider (SP) metadata to the identity provider (IdP)

1. Save the SP metadata file available at the following URL and copy it on the computer where the IdP is installed: https:///Shibboleth.sso/Metadata;
2. Configure the IdP to reference this file;
Steps 3. and 4. are only to be taken if you use Shibboleth IdP.
3. Copy the SP metadata file (salsasp-metadata.xml) in: “C:\Program Files (x86)\Internet2\Shib2IdP\metadata\”.
4. Edit “C:\Program Files (x86)\Internet2\Shib2IdP\conf\relyingparty.xml” to add the following information in :
5. Restart the IdP service ("Apache Tomcat").
3. 6. 6. 2. Using the service

You can now use the IdP login page to access all SALSA resources.

During the authentication phase, the credentials are checked using the SAML server; there is no fallback on SALSA internal LDAP.

You can continue to access SALSA resources even if the SAML server is down or if you forgot to add at least one SAML user in a SALSA group (in the “External user” list) by using the “internal” path. All you have to do is to replace “salsa” in the URL by “internal” (example: https://salsa_server/internal/ipuniboss_portal/; see the note at the beginning of section 3.6.).

By default SAML attributes are not retrieved so we don’t have the user group list. To determine user permissions we retrieve the list of SALSA groups defined in ip|uniboss where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.

If the IdP server exposes user groups then you can configure the Shibboleth SP to use them:
■ You need to know the OID of the attribute exposed by the IdP server that contains the list of user groups (replace ATTRIBUTE_OID in the next step by this OID);
■ Edit shibboleth-sp\etc\shibboleth\attribute-map.xml and add the following information in the XML tag:
■ Restart the Shibboleth SP service ("Shibboleth 2 Daemon").

This list of groups exposed by the IdP server is completed with the SALSA groups defined in ip|uniboss where the “External users” list contains the user name. All authorizations given to these groups are merged to determine the user permissions.
3. 7. SUPERVISION

The Supervision menu contains three functions: Inventory, Log and Issues.

3. 7. 1. Inventory

In the Toolbar, select Inventory:

The Inventory window is displayed.

Inventory window

This window is made of two frames:
■ Domain inventory,
■ Topology inventory. This frame is contextual: if no Domain is selected in the previous frame, it displays all Domains’ topologies; if one (or several) Domain(s) is (are) selected, it displays its (their) topology(ies) only.

The Print button prints all the columns of the selected Domain(s), whereas the Action / Print menu prints the selected columns of all the Domains.
3. 7. 1. 1. Domain inventory

This frame contains the following information:
■ Name: Name of the Domain
■ Enabled: Yes / No
■ ip|boss server: IP address of ip|boss server
■ Access port: port used by the client on that Domain (0 = dynamic)
■ SNMP agent (refer to the section “Create a Domain” above):
  – Port
  – Address
  – C.N.: Community Name
■ ip|reporter (refer to the section “Create a Domain” above):
  – Server
  – Manager port
  – Collector port
  – Browser port
  – Portmapper port
■ Periods (refer to the section “Create a Domain” above):
  – Supervision
  – Collect
  – Reporting short
  – Reporting long
■ User management (refer to the section “Create a Domain” above):
  – Radius: Yes / No
■ Domain services: shows if the following services are started (Yes) or not (No):
  – ip|true
  – ip|fast
  – ip|coop
  – ip|xcomp
  – ip|xtcp
  – ip|xapp
  – smart|plan
  – ip|reporter
  – ip|export
  – smart|path
■ Number of: shows the number of the following objects, with their totals on the last line:
  – ip|engines
  – tele|engines
  – Automatic MetaViews
  – On demand MetaViews
  – Automatic reports
  – On demand reports
  – Application Groups
  – Topology subnets
  – User subnets
  – Applications
■ Storage: shows the Domain’s storage configuration (please refer to the “Storage” tab of the Domain’s configuration window):
  – Disk size limit
  – Per minute data lifetime
  – Per minute rtf lifetime
  – Per hour data lifetime
  – Per hour rtf lifetime
  – Per day data lifetime (unused in the current version — will always show 0)
  – Per day rtf lifetime (unused in the current version — will always show 0)
■ Reversor:
  – Enabled: Yes / No
3. 7. 1. 2. Topology inventory

This frame contains:
■ Domain name
■ ip|boss server
■ Appliance (software version, model and IP addresses are polled from the ip|engine; if it has not been reachable, the field is blank):
  – Name
  – Main public IP address
  – Main private IP address
  – Auxiliary public IP address
  – Auxiliary private IP address
  – LAN MAC address
  – Type: ip|engine or tele|engine
  – Enabled: Enabled (Yes) or disabled (No)
  – Software version
  – Hardware
  – Custom tag
  – ip|true: Yes / No
  – ip|fast: Yes / No
  – ip|xcomp compress: Yes / No
  – ip|xcomp uncompress: Yes / No
  – ip|xtcp: Yes / No
  – ip|xapp: Yes / No
  – smart|plan: Yes / No
  – smart|path: Yes / No
■ WAN Access:
  – Total max ingress bandwidth
  – Total min ingress bandwidth
  – Total max egress bandwidth
  – Total min egress bandwidth
■ Domain: shows if the following services are started (Yes) or not (No) at the Domain level (in ip|boss’s “Service Activation” menu for most of them):
  – ip|true
  – ip|fast
  – ip|coop
  – ip|xcomp
  – ip|xtcp
  – ip|xapp
  – smart|plan
  – ip|reporter
  – ip|export
3. 7. 2. Logs
In the Toolbar, select Log: the ip|uniboss Log window is displayed.
ip|uniboss Log window
This window contains:
■ the list of system events (on ip|uniboss server) with a time stamping,
■ the list of connections/disconnections to/from ip|uniboss with a time stamping.
The events are sorted in reverse chronological order by default (the latest event is the first in the list, at the top of the first page), but you can sort them in chronological order by clicking on the column header (Messages). If the list is displayed on several pages, you can select which page you want to see by clicking on the page number at the bottom of the window. You can also use the arrows to display the previous page or the next page of logged events.
You can also click on a page number to jump to that page (the current page number is displayed on the left, and underlined in the list of pages). A field allows you to specify how many objects (events) per page you want to display (40 by default); click on the Refresh button next to this field to apply a change.
3. 7. 3. Issues
In the Toolbar, select Issues, when applicable (the icon is greyed when there is no issue to display):
The Issues window is displayed:
ip|uniboss Log window
It contains a list of issues that may require a user’s action:
■ Possible issues for the Domains:
– non created Domains,
– non deleted Domains,
– non started Domains,
– non configured Domains,
– non reachable Domains.
■ Possible issues for ip|boss servers:
– non configured servers,
– non compatible servers,
– non reachable servers.
As long as there is an issue, the Issues icon in ip|uniboss tool bar blinks. When there is no issue to display, the icon is greyed.
CHAPTER 4. CONFIGURING SERVICES (IP|BOSS)
Document organization
4. 1. CONFIGURATION OVERVIEW
Once your Domain has been created (refer to the previous Chapter) and before starting a measurement, Application Control or optimization session, you have to define your configuration parameters (one configuration per Domain). This configuration uses:
■ general settings for all functions (measurement, Application Control, redundancy elimination, acceleration and smart plan) ensuring:
– configuration of the Domain’s ip|engines and tele|engines,
– configuration of the topology subnets associated with the ip|engines and tele|engines,
– selection of applications, TOS and User subnets assigned to the session, according to the specific features of the traffic to be measured, controlled, compressed or accelerated,
■ specific settings that depend on customers’ requests, for measurement, Application Control, redundancy elimination and acceleration features:
– WAN accesses characteristics settings,
– Quality of Service (QoS profiles) settings,
– Coloring settings,
– Application Groups settings,
– MetaViews settings.
These data are grouped in a configuration file in the directory ~\salsa\ipboss\server\domains\\config named: __active__.ipmconf
Two clients are available:
■ a Web client through a Web browser,
■ a CLI client (Command Line Interface).
4. 2. IP|BOSS WEB CLIENT
4. 2. 1. Connection to ip|boss
To connect to the ip|boss server from the SALSA client, first select the Domain you want to configure from the drop-down list, then click the ip|boss button:
SALSA client
4. 2. 2. ip|boss main window
ip|boss graphical user interface is presented hereafter. It gives access to all features of the system.
ip|boss main window
ip|boss main window is divided into four parts:
■ A title bar with the logo of Ipanema Technologies; it closes all opened windows when you click on it.
■ A tool bar, on the left: it is composed of menus and icons which give access to the different functions of the software. It depends on the profile of the connected user.
■ A status bar, at the bottom: it gives the status and statistics on the system.
■ A working space (that displays the main image on login).
4. 2. 3. ip|boss tool bar
The content of the Tool bar depends on the profile of the connected User.
Toolbar
The buttons give direct access to all functions of the system:

Global functions
Save/Update: saves/updates the configuration; flashes when an update is necessary,
Service activation: allows you to activate all services:
■ global Start/Stop of ip|true (measurement) on the ip|engines,
■ global Start/Stop of ip|fast (Application Control) on the ip|engines,
■ global Start/Stop of ip|xcomp (redundancy elimination) on the ip|engines,
■ global Start/Stop of ip|coop (tele-cooperation),
■ global Start/Stop of ip|xtcp (TCP acceleration),
■ global Start/Stop of ip|xapp (CIFS acceleration),
■ global Start/Stop of smart|plan (Smart planning reports),
■ global Start/Stop of IMA (Ipanema Mobile Agent).
Refresh: refreshes the view,
Undo: allows you to undo the last modifications,
Help: gives access to the online help,
ip|reporter: opens ip|reporter web portal to give access to the reports,
About: shows ip|boss version and license information,
Quit: quits ip|boss client.

Automatic reporting: gives access to the Automatic reporting function,
Security: gives access to the security configuration.

ip|engines: configures the ip|engines,
Topology subnets: configures the topology subnets addresses,
WAN access: configures the WAN accesses,
Coloring: configures the coloring rules,
ip|sync: configures the time and synchronization servers,
Scripts: launches scripts,
Tools: starts the ip|engines management features:
■ software upgrade
■ reboot
■ security status
■ advanced configuration

User subnets: configures the User subnets addresses,
Applications: configures the applications,
TOS: configures the ToS values,
Application Groups: configures the Application Groups,
QoS Profiles: configures the QoS Profiles,
LTL: configures the limiting rules (LTL),

ip|engine status: shows the status of the ip|engines,
Status map: shows the status of the ip|engines within a map,
Log: displays the log window,
Options: gives access to the different options (mail, SNMP trap) of the system,
Configuration history: gives access to the Configuration history.

MetaView: configures the MetaViews,
reports: configures the reports of ip|reporter,
Alarming: configures alarms.
4. 2. 4. ip|boss status zone
Status on session start
The status zone gives instantaneous information on the state of the system. It is one source of supervision information: in case of errors, the dedicated indicators are lit in red or amber. More details can be obtained by clicking on the LEDs.
Status zone
The status zone is made of four frames, showing the Domain name, LEDs and bargraphs.

Domain:
– Total throughput (Mbps): gauge displaying the current total throughput measured by all enabled ip|true agents of the Domain (left figure) over peak throughput measured since the session start-up (right figure).
– Active flows: gauge displaying the current active flows (one flow = all sessions of a given application, from a given source to a given destination) measured by all enabled ip|true agents of the Domain (left) over the peak flows measured since the session start-up (right).
– No Topology alarm: green if there is no Topology alarm (normal state), red otherwise (please refer to the Supervision section).

ip|boss
This frame shows the state of the system with three colored LEDs:
■ Connection LED: shows the status of the connection between the client and the ip|boss server:
– green: the server is reachable
– red: the server is unreachable; it can be due to a network connectivity issue between ip|boss server and ip|boss client, or ip|boss server may be down
■ License LED: shows the license status:
– green: the license is respected
– red: the license is not respected (the number of consumed ISUs exceeds the total ISU credit)
■ Discovery LED: indicates when Discovery is in process:
– grey: no Discovery agent is running
– amber: Discovery agents are running on one or more ip|engines
ip|reporter
This frame shows the state of ip|reporter with two colored LEDs:
■ Server LED: shows the state of the ip|reporter server (InfoVista):
– green: the InfoVista’s services (manager, collector and browser) are operational
– yellow: one of the InfoVista’s services (manager or browser) is down; check the “.../InfoVista/Essentials/log/manager.log” log file
– red: all InfoVista’s services are down (or the server is unreachable); check the “.../InfoVista/Essentials/log/manager.log” and “collector.log” log files
– grey: ip|reporter is disabled in the Domain’s configuration, or the ip|es on the Domain have not been enabled yet
■ Database LED: shows the state of the InfoVista Database:
– green: the InfoVista’s database is operational
– yellow: synchronization of InfoVista’s database is running (temporary state)
– grey: error happened during last synchronization of InfoVista’s database
– red: no access to the reports description (in the reports_desc.ipmsys file in ~/salsa/ipboss/server/conf on ip|boss server), or the reports description does not match the installed library (VistaViews loaded from ip|reporter DVD-ROM’s ivl directory)

ip|engine
This frame shows the status and activity of all ip|engines:
■ Reachable LED and bargraph: display the reachability status of all ip|engines:
– green: all ip|engines are reachable
– red: some ip|es are unreachable; it can be due to a network connectivity issue between ip|boss and ip|es (firewall, WAN link breakdown, ip|e off or failure)
– grey: the service is stopped, or the status is not available
The bargraph displays the number of ip|es currently reachable (left) over the total number of ip|es activated (right).
■ Overload LED and bargraph: display the overload status of all ip|engines:
– green: no ip|engine is overloaded
– red: some ip|es are overloaded (the WAN throughput exceeds the capacity of the hardware)
The bargraph displays the number of ip|es currently overloaded (left) over the total number of ip|es reachable (right).
■ Synchronized LED and bargraph: display the synchronization status of all ip|engines:
– green: service start-up and the server is OK (*); all ip|es are synchronized
– yellow: the server is OK (*) but one or several ip|es are not synchronized (synchronization in progress, temporary synchronization loss)
– red: the server is down (*) and no ip|e is synchronized
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently synchronized (left) over the total number of ip|es reachable (right).
(*) ITP case.
■ Measuring LED and bargraph: display the ip|true status of all ip|engines:
– green: service start-up and all ip|true agents are operational
– yellow: one or several ip|true agents are not operational (not configured yet, configuration refused or failure)
– red: none of the ip|true agents are operational (not configured yet, configuration refused or failure)
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently measuring (ip|true agent running) (left) over the total number of ip|es activated (right).
■ Optimizing LED and bargraph: display the ip|fast status of all ip|engines:
– green: service start-up and all enabled ip|fast agents are operational
– yellow: one or several enabled ip|fast agents are not operational (not configured yet, configuration refused or failure)
– red: none of the enabled ip|fast agents are operational (not configured yet, configuration refused or failure)
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently controlling the traffic (ip|fast agent running) (left) over the total number of measuring ip|es having ip|fast activated (right).
■ Limiting LED and bargraph: indicates when a Local Traffic Limiting rule is active on an ip|engine:
– yellow: a Local Traffic Limiting rule is active on one or several ip|es
– grey: no Local Traffic Limiting rule is active or the status is not available
The bargraph displays the number of ip|es currently limiting the traffic (Local Traffic Limiting rule active) (left) over the total number of ip|es controlling the traffic (right).
■ ip|xcomp LED and bargraph: display the ip|xcomp status of all ip|engines:
– green: service start-up and all enabled (de)compressing agents are operational
– yellow: one or several enabled (de)compressing agents are not operational (not configured yet, configuration refused or failure)
– red: none of the enabled (de)compressing agents are operational (not configured yet, configuration refused or failure)
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently (de)compressing (ip|xcomp agent running) (left) over the total number of ip|es having ip|xcomp activated (right).
■ ip|xtcp LED and bargraph: display the ip|xtcp status of all ip|engines:
– green: service start-up and all enabled ip|xtcp agents are operational
– yellow: one or several enabled ip|xtcp agents are not operational (not configured yet, configuration refused or failure)
– red: none of the enabled ip|xtcp agents are operational (not configured yet, configuration refused or failure)
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently accelerating TCP traffic (ip|xtcp agent running) (left) over the total number of ip|es having ip|xtcp activated (right).
■ ip|xapp LED and bargraph: display the ip|xapp status of all ip|engines:
– green: service start-up and all enabled ip|xapp agents are operational
– yellow: one or several enabled ip|xapp agents are not operational (not configured yet, configuration refused or failure)
– red: none of the enabled ip|xapp agents are operational (not configured yet, configuration refused or failure)
– grey: service is switched off or the status is not available
The bargraph displays the number of ip|es currently accelerating CIFS traffic (ip|xapp agent running) (left) over the total number of ip|es having ip|xapp activated (right).
4. 2. 5. ip|boss table view
Typical window with a table view
A table view shows a list of objects. All the table views give:
■ A menu bar,
■ A tool bar with two parts,
■ A list of objects.
Selection: you can select an object in the list by clicking on its line. To select other objects, you have to click on their lines while pressing the Alt key. To select an interval of objects, you select the first then the last by clicking while pressing the Shift key. The Edit menu (see below) allows you to select/unselect all the objects on the list. In the status bar, the number of selected objects and the total number of objects are shown.
Sort: you can sort the list according to one column by clicking on this column’s header (by clicking on the header a second time, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you sort on multiple columns. These functions are also available through the Display/Sort menu (see below).
The menu bar contains six menus:
The File menu allows you to:
■ New: create an object,
■ Export: export the list of objects,
■ Import: import a list of objects (Import); this function is not available for all objects,
■ Quit: exit ip|boss.
The Window menu allows you to:
■ Close All: close all open windows (tabs) within ip|boss,
■ : select another open window (the active window is marked with a tip).
The Edit menu allows you to:
■ Search: open a contextual dialog box which allows finding all the objects with an attribute containing the specified text. The first matching object is highlighted in the table below. Navigation between the found objects is made with the Next / Previous buttons.
Search contextual dialog box
■ Next: go to the next found object,
■ Previous: go to the previous found object,
■ Select all: select all objects,
■ Unselect all: unselect all objects.
The View menu allows you to:
■ Sort: by clicking on the header of a column, you sort the list according to this column (by clicking again on the column, you change the order ascending-descending). By clicking on several columns while pressing the Ctrl key, you sort on multiple columns. These functions are also available with the menu View > Sort > Sort by. Sort the data (by any field or combination of multiple fields; other features in the Sort menu are Invert sort (global), Sort by status (global) and Invert sort by status (global)),
Sort dialog box
The Invert Sort (global) sub-menu allows inverting the sorting criteria. The Sort by Status (global) and Invert Sort by Status (global) sub-menus allow sorting by Status.
■ Group by: allows grouping the data by any criteria.
■ Filter: create filters on the list which display only the filtered objects according to the selected criteria.
A radio button allows selecting the Filter type:
– A “Simple Filter” works with only one field,
– An “Extended Filter” is a combination of simple filters (using AND, OR, NOT logical operators):
Extended filter
Select the filter criteria that you need and use the Add, Ok, Apply and Close buttons to perform the corresponding actions. The Modify filter and Active filter sub-menus allow modifying filters and activating/deactivating them. When a filter is active, a tip is displayed before the Active filter sub-menu, and the number of displayed objects and the total number of objects are written on the status bar. You can activate/deactivate a filter by double-clicking on the icon of the status bar:
Active filter icon
■ Choose columns: choose the columns to display.
■ Preferences: save or delete the display mode (filters and selected columns). When you save the preferences, give them a name (“Preference name”, e.g. “my preferred view”) and select whether you want these to be your default view (checking the “Default preference” box), the default view for mobiles (checking the “Default preference for mobile” box), whether you want them to be accessible to other users (checking the “Shared preference” box) and whether you want them to apply to this view only (checking the “on this view” radio button) or to all views of the same type (checking the “on views of the same type” radio button); then a drop-down list appears on the right (if no preference had been previously saved), allowing you to select these preferences, other saved preferences, or to display everything with no filter (selecting “All”).
The Actions menu allows you to Consult, Clone, Modify, Delete and Change the administrative state of objects. The list of actions is the same as you get through the context menu of the list.
The ? menu gives access to the About menu.
The tool bar contains the same icons for most windows:
(Consult): to consult an object (without modification capability),
(New): to create a new object,
(Clone): to create an object from another one,
(Modify): to modify one or more objects,
(Delete): to delete one or more objects,
(Change administrative state): to change the administrative state of one or more objects.
(Export): to export in a text file the content of a list.
(Import): to import the content of a list from a text file.
(Help): to go to the help page.

(search): to search objects matching various criteria (see Edit > Search menu above),
(new filter): to filter the data (see View > Filter menu above),
(modify filter): to modify filters (see View > Filter menu above),
(sort by): to sort the data (see View > Sort menu above),
(choose columns): to choose the columns to display,
(save preferences): to save the view matching the filters, etc. (see View > Preferences menu above),
(delete preferences): to delete previously saved preferences.
4. 2. 6. ip|boss creation form
Typical creation form
■ Some fields have tips: when you move the mouse on the icon, a message is displayed. In case of error, the field is displayed in red.
■ Some fields are related to other objects (example: WAN access).
■ The Ok button creates the object and closes the window.
■ The Apply button creates the object and keeps the window opened. This is useful when you want to create several objects.
■ The Cancel button closes the window without creating any object.
4. 3. IP|BOSS CLI CLIENT
For detailed information concerning ip|boss and ip|uniboss Command Line Interface clients, please refer to the CLI Reference Manual.
4. 3. 1. CLI architecture
ip|boss and ip|uniboss each have a specific GUI client that uses CORBA over SSL to communicate with a dedicated client request handler (called the “Leonardi connector” because of the underlying technology). Similarly, there is a CLI client for ip|boss and a CLI client for ip|uniboss. They communicate exclusively with their respective CLI connector using CORBA over SSL. The best way to picture the CLI clients and CLI connectors is to compare the CLI clients to Telnet clients and the CLI connectors to remote shell services. The CLI client/server protocol relies on three verbs:
■ Login
■ Logout
■ Execute
The client and the server exchange version information prior to the login request. This allows either side to adapt to an older peer. In its current version, the ip|boss CLI connector forwards login and logout requests to the targeted Domain’s Leonardi connector, besides establishing its own session information and setting up a session-specific command parser that will process execute requests. If no specific Domain is targeted, the ip|boss CLI connector will use the naming service to get a list of all running Domains and will connect to the first available Domain (in alphabetical order) the provided credentials are valid for. The ip|uniboss CLI connector will forward the login and logout requests to the ip|uniboss Leonardi connector. Once the session is established, the CLI client acts as a transparent upstream pipe between the client system’s keyboard or input file and the CLI connector, and as a transparent downstream pipe between the CLI connector and the client system’s display or output file.
4. 3. 2. CLI language
The ip|boss Leonardi connector essentially maps a Domain’s configuration to a set of object classes and objects within each class. The ip|uniboss Leonardi connector does the same at a higher level, where Domains are objects in a class. (This is very much akin to the tables and rows we are used to in DBMSes such as Oracle, for example.) The CLI language builds on this paradigm. The language basics are the same for ip|boss CLI and ip|uniboss CLI. The difference currently only lies in the underlying schema: names of tables and columns. A CLI script is a (possibly empty) list of statements. A statement is always terminated by a ";" (semicolon) character. The semicolon is not a statement separator but a statement terminator. The difference is important, particularly for parser robustness’ sake. Having the semicolon act as a statement terminator and not anything else makes error recovery much easier: eat and discard input until you see the next semicolon and try to parse more statements from there. CLI statements currently fall into 2 categories:
■ Data Manipulation Language (DML)
■ Session Control Language (SCL)
CLI DML is very much akin to SQL DML.
With DML you can perform essentially 4 operations on objects:
■ Create (… or insert),
■ Modify (… or update),
■ Delete,
■ List (… or select).
But there are not only similarities, there are differences too. CLI DML statements act on one table or object class at a time, there is no such thing as a join. Future releases of CLI will make it easy to clone objects, just overriding a few columns with specific values. That is not easy in SQL. CLI offers fine grained control over error handling and logging because it is mainly targeted at procedure automation versus ad hoc queries. For the same reason, CLI not only produces tabular output but can also use tabular input in statements.
4. 3. 3. Tabular input and output
CLI can be used for procedure automation in environments where the Ipanema solution fits into a bigger, centrally managed solution. This means that the primary databases are not inside ip|boss, but somewhere outside, no matter the format. As a consequence, it is important to make it easy to resynchronize the Ipanema solution with external databases. Hence the choice of a bulk operation centric approach. With tabular input and output we simply mean that CLI produces output and accepts input such as:
    name|public_ip_address|virtual
    Out of domain|240.0.0.0|1
    ipe_0001|10.1.1.1|0
    ipe_0002|10.1.2.1|0
    ipe_0003|10.1.3.1|0
    ipe_0004|10.1.4.1|0
    ipe_0005|10.1.5.1|0
That is easy to obtain from Excel and easy to feed into Excel, or any database (the ‘|’ (pipe) character can be changed to something else via a command line option, including the semicolon). The CLI language has been designed with bulk operations in mind. Below is an example of a valid statement that creates 5 ip|engines at a time:
    CREATE ip_engine FROM STREAM
    name|public_ip_address|virtual
    ipe_0001|10.1.1.1|0
    ipe_0002|10.1.2.1|0
    ipe_0003|10.1.3.1|0
    ipe_0004|10.1.4.1|0
    ipe_0005|10.1.5.1|0
    ;
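The resynchronization use case described above, as an added example (not taken from the manual or from Ipanema's tooling): a Python helper that parses a tabular listing, finds the external-inventory rows missing from it, and renders them as one CREATE ... FROM STREAM statement. It assumes one row per line and that values cannot be escaped, so a value containing the delimiter, a semicolon (the statement terminator) or a line break is rejected instead of emitted; the sample listing and inventory are constructed.

```python
import ipaddress
import re

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample data, modelled on the listing shown in section 4.3.3.
COLUMNS = ["name", "public_ip_address", "virtual"]
LISTING = """name|public_ip_address|virtual
Out of domain|240.0.0.0|1
ipe_0001|10.1.1.1|0
ipe_0002|10.1.2.1|0
"""
INVENTORY = [
    {"name": "ipe_0001", "public_ip_address": "10.1.1.1", "virtual": "0"},
    {"name": "ipe_0002", "public_ip_address": "10.1.2.1", "virtual": "0"},
    {"name": "ipe_0003", "public_ip_address": "10.1.3.1", "virtual": "0"},
    {"name": "ipe_0004", "public_ip_address": "10.1.4.1", "virtual": "0"},
]


def parse_table(text, delimiter="|"):
    """Parse tabular output (header line, then one row per line) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(delimiter)
    rows = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split(delimiter)
        if len(fields) != len(header):
            raise ValueError(
                f"line {lineno}: expected {len(header)} fields, got {len(fields)}")
        rows.append(dict(zip(header, fields)))
    return rows


def check_value(column, value, delimiter, ip_columns):
    """Reject any value that would change the shape of the statement."""
    value = str(value)
    # ';' ends the statement, a line break ends the row, the delimiter ends the field.
    for bad in (";", "\n", "\r", delimiter):
        if bad in value:
            raise ValueError(f"{column}: value {value!r} contains {bad!r}")
    if column in ip_columns:
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return value


def missing_rows(wanted, listed, key="name"):
    """Rows of the external inventory whose key is absent from the CLI listing."""
    present = {row[key] for row in listed}
    return [row for row in wanted if row[key] not in present]


def build_create_stream(object_class, columns, rows, delimiter="|",
                        ip_columns=("public_ip_address",)):
    """Render rows as a single CREATE ... FROM STREAM statement."""
    if len(delimiter) != 1 or delimiter in "\r\n":
        raise ValueError("delimiter must be a single non-newline character")
    for name in (object_class, *columns):
        if not IDENT.fullmatch(name):
            raise ValueError(f"not a plain identifier: {name!r}")
    if not rows:
        return ""  # an empty script is still a valid script
    out = [f"CREATE {object_class} FROM STREAM", delimiter.join(columns)]
    for row in rows:
        out.append(delimiter.join(
            check_value(col, row[col], delimiter, ip_columns) for col in columns))
    out.append(";")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    todo = missing_rows(INVENTORY, parse_table(LISTING))
    print(build_create_stream("ip_engine", COLUMNS, todo), end="")
```

Validation runs over every row before anything is returned, so a single bad value in the external database stops the whole batch instead of producing a partly rewritten statement.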
4. 4. OPERATING PROCEDURE
The operating procedure consists of the following phases:
■ choosing a Domain,
■ creating a configuration or using an archived configuration, that is, specifying all ip|engines and Domain settings (topology subnets, applications, Application Groups, QoS Profiles, MetaViews...),
■ running a measurement, control, redundancy elimination or cooperative session, applied to the Domain,
■ analyzing the results in real-time,
■ reporting configuration of measurement and Application Control (optional).
Table: operating procedure
The tables below show operations in their chronological order for a Domain.
Operations to be performed
Commands
ip| true
ip| fast
(1)
Making configuration settings Create a new configuration
Manual procedure
X
X
M
Start with an existing configuration
Manual procedure
X
X
M
X
X
O
Define automatic reporting Automatic reporting
X
Configure operator coloring characteristics
Coloring
Configure the WAN accesses
WAN access
Declare ip|engines of the Domain
ip|engines
Declare the topology subnets associated with each ip|engine
X
M
X
X
M
X
X
M
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
Topology Subnets
Define User subnets User Subnets Add, modify or remove TOS in the dictionary
TOS
Add, modify or remove applications in the dictionary
Applications
Define QoS profiles QoS profiles Define Application Groups Application Group Define MetaViews MetaView Define reports Reports Define Alarming Alarming Save the configuration Automatic procedure (1) M = Mandatory, O = Optional, X = Applied
Operations to be performed
Commands
ip| true
ip| fast
(1)
ip|true service: measurement X
Start a session
M
Service activation, ip|engines: on Enable ip|true, for all ip|engines
X
M
Service activation, ip|engines: on X
Analyze real-time flows ip|dashboard Modify the topology subnets associated with each ip|engine
X Topology Subnets X
Modify aggregation rules: • TOS TOS • Applications Applications • User Subnets User Subnets Modify QoS profiles and Application Groups
X QoS profiles Application Group
Modify automatic reporting Automatic reporting X
Modify MetaView settings MetaView
X
Modify reports Reports
X
Modify Alarming settings Alarming
X
Modify the session dynamically
Update
Disable ip|true, for all ip|engines
Service activation, ip|engines: off
X
M
X
Stop a session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|fast service: Application Control Enable ip|fast for all ip|engines
Service activation, ip|fast: on
Disable ip|fast for all ip|engines
Service activation, ip|fast: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time controlled flows Optimize flow management by adjusting settings: ip|engines, QoS profiles, User subnets and AGs
X ip|dashboard X ip|engines X QoS profiles Application Group User Subnets X
Modify aggregation rules: • TOS TOS • Applications Applications Modify coloring policies characteristics Modify the attached WAN access
X Coloring X WAN access X
Create, modify, delete LTLs LTL Modify the session dynamically
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|coop service: tele-cooperation Enable ip|coop for all ip|engines
Service activation, ip|coop: on
Disable ip|coop for all ip|engines
Service activation, ip|coop: off
X X
Start a session
M
Service activation, ip|engines: on X
Analyze real-time flows for tele|engines Modify the session dynamically
ip|dashboard X Update X
Stop the session Service activation, ip|engine: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|xcomp service: redundancy elimination Enable ip|xcomp for all ip|engines
Service activation, ip|xcomp: on
Disable ip|xcomp for all ip|engines
Service activation, ip|xcomp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time compressed flows
X ip|dashboard
Management by adjusting redundancy elimination settings: Application Group
Application Group
Management by adjusting redundancy elimination direction settings: ip|engines
ip|engines
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip| true
ip| fast
(1)
X
M
ip|xtcp service: TCP acceleration Enable ip|xtcp for all ip|engines
Service activation, ip|xtcp: on
Disable ip|xtcp for all ip|engines
Service activation, ip|xtcp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time accelerated flows
X ip|dashboard
Management by adjusting acceleration settings: Application Group
Application Group
Management by adjusting acceleration settings: ip|engines
ip|engines
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip|true
ip|fast
(1)
X
M
ip|xapp service: CIFS acceleration Enable ip|xapp for all ip|engines
Service activation, ip|xapp: on
Disable ip|xapp for all ip|engines
Service activation, ip|xapp: off
X X
Start a session
M
Service activation, ip|engines: on Analyze real-time accelerated flows Management by adjusting acceleration settings: ip|engines Modify the session dynamically
X ip|dashboard ip|engines X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip|true
ip|fast
(1)
X
M
DWS Start a session Service activation, ip|engines: on Management by adjusting Dynamic WAN Selection settings: Application Group
Application Group
Management by adjusting Dynamic WAN Selection settings: WAN access
WAN access
Management by adjusting Dynamic WAN Selection settings: ip|engines
ip|engines
Management by adjusting Dynamic WAN Selection advanced parameters: Tools
Tools
Modify the session dynamically
X
X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip|true
ip|fast
(1)
X
M
smart|plan service Enable smart|plan for all ip|engines
Service activation, smart|plan: on
Disable smart|plan for all ip|engines
Service activation, smart|plan: off
X X
Start a session
M
Service activation, ip|engines: on Management by adjusting acceleration settings: ip|engines Modify the session dynamically
ip|engines X Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip|true
ip|fast
(1)
X
M
IMA service Enable IMA for all ip|engines
Service activation, IMA: on
Disable IMA for all ip|engines
Service activation, IMA: off
X X
Start a session
M
Service activation, ip|engines: on Management by adjusting acceleration settings: ip|engines
ip|engines X
Modify the session dynamically
Update X
Stop the session Service activation, ip|engines: off
Operations to be performed
Commands
ip|true
ip|fast
(1)
ip|sync service: Synchronization Synchronization
X
X
M
X
X
M
ip|fast
(1)
X
X
O
X
X
O
X
X
O
X
X
O
ip|sync Modify the session dynamically
Update
Operations to be performed
Commands
ip|true
Reporting Define InfoVista server settings
Domain creation
Define automatic reporting Automatic reporting Define MetaView settings MetaView Define reports Reports
Operations to be performed
Commands
ip|true
ip|fast
(1)
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
X
X
O
ip|boss: management Supervision management settings (e-mail, SNMP trap)
Options
Log window Log
Configuration history Configuration history
Security configuration Security
Certificate generation tab: Generate the keys and the certificates
Configuration tab: Choose the encryption algorithm
ip|engine status ip|engine status ip|engine status map
Security status Tools, Status tab: displays the security status of ip|engines
Discovering of applications, subnets..... ip|dashboard
Send results of script to Ipanema support Tools, Script tab
Upgrade ip|engine’s software Tools, Software Upgrade tab
Reboot ip|engines Tools, Reboot tab
Quit the application File/Exit
4. 5. CREATE, OPEN, SAVE, UNDO A CONFIGURATION
The name of the configuration file is fixed. This file is in the directory ~\salsa\ipboss\server\domains\\config and its name is __active__.ipmconf (double underscore before and after). It contains all the configuration parameters of the Domain. During the start and the update, this file is sent to the ip|engines.
4. 5. 1. Create a new configuration
Operating procedure table
To create a new configuration file from the default parameters, you must:
■ Stop the current configuration with the ip|boss client (GUI)
■ Quit the ip|boss client (GUI)
■ Stop ip|boss services in Windows control panel
■ In the directory ~\salsa\ipboss\server\domains\\config, copy the file __new__.ipmconf then name it __active__.ipmconf
■ Start ip|boss services in Windows control panel
■ Start the ip|boss client (GUI) and create your configuration for the Domain
4. 5. 2. Open a configuration
Operating procedure table
To work with an existing configuration file, you must:
■ Stop the current configuration with the ip|boss client
■ Quit the ip|boss client
■ Stop ip|boss services in Windows control panel
■ Copy your file .ipmconf and rename it __active__.ipmconf in the directory ~\ipboss\server\domains\\config
■ Start ip|boss services in Windows control panel
■ Start the ip|boss client then start the session
4. 5. 3. Save a configuration
Operating procedure table
The configuration file of the Domain (__active__.ipmconf) is automatically applied and saved on the following actions:
■ ip|engines activation (Service activation, ip|engines: on),
■ Update/Save
If needed (for backup), copy this file from your server to the media of your choice (do not back up the file while an update is pending on the ip|engines).
Important reminder: it is advisable to back up your configuration file in a directory other than the one used for installation, in order to avoid deleting files during a subsequent install.
4. 5. 4. Undo a configuration modification
Operating procedure table
The last 50 configuration modifications can be undone by clicking on Undo in the Toolbar.
■ By choosing a configuration in the Undo table and clicking on the button, the configuration previous to the selected one is restored.
Undo table
If a modification has been carried out by another user in the interval, undo will not operate.
4. 6. EXPORTING AND IMPORTING OBJECTS
4. 6. 1. Exporting objects
Most objects (Sites, Topology subnets, Application Groups, etc.) can be exported (they can also be exported using the ip|boss CLI client). Not all of them can be imported via the ip|boss web client; all of them can, however, be imported using the CLI client.
In the window containing the objects you want to export, click on the Export icon or select the File menu, then Export. The following window opens:
Export window
■ Select the attributes you want to export by pushing them to the right with the double right-pointing arrow (objects will be exported with all their attributes) or with the single arrow to the right (objects will be exported with the selected attributes only). One attribute at least must be selected (otherwise, there would be no data to be exported, at all; in that case, all of them are exported, as if the double arrow had been clicked).
■ If some objects were selected before using the Export function, an “Export selection” check box allows exporting the selection only. If no object was selected or if the “Export selection” box is not checked, all objects are exported.
■ Click OK. A dialog box appears, allowing you to either open the result file (“_exportXXX.res”) or save it.
The first line of the result file (wrapped in the example below) is the description of the fields present, and the subsequent lines are the exported objects with the selected attributes:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
4. 6. 2. Importing objects
The following objects can be created by importing them from a configuration file: Coloring rules, WAN accesses, ip|engines and Topology subnets. All objects can be imported using the CLI client.
An existing configuration file in raw format (.res) can be imported. The first line must be the description of the fields (it is present if the file was made with an export, see the previous section), and all the subsequent lines are the objects to be imported (some may already exist). In the example below, we import the previously exported file, to which we manually added a new object on the last line:
@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet
_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
Lan_Montelimar|10.33.3.0|24|Site\Montelimar|0
■ In the ip|engines window, click on the Import icon or select the File menu, then Import:
■ In the Import window, select the attributes to be imported and browse to the file where they should be saved, then click Ok.
Import window
■ In the Import window that opens, you can choose which objects to display:
– created (objects of the imported file not found in the actual configuration),
– modified (objects different in the imported file and in the actual configuration),
– deleted (objects of the actual configuration not found in the imported file),
– unchanged (objects identical in the imported file and in the actual configuration).
(Only the created and modified objects are displayed by default.) Click on ’Import all’, or select the objects to import then click on ’Import selection’.
Import window
The symbols before the objects indicate if they already exist (red cross) or if they are new (new icon), etc. Hovering the mouse on these symbols allows reading their exact statuses in a pop-up; clicking them adds or removes the object from the import file, depending on the case (as indicated in the pop-up’s text message).
■ A message tells you how many objects could be successfully imported; click on Ok.
■ Click on Ok in the Import window to commit the changes. A message tells you how many objects could be successfully committed, and the imported objects are added to the existing ones. Click on Ok.
If objects could not be created (already existing IP address for an ip|engine, for example), an error message warns you.
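The following is an added example, not part of the manual or of ip|boss: a dry run that compares an exported .res file with an edited copy and sorts the objects into the same four groups the Import window shows, so that a bulk change can be reviewed before it is committed. The file layout is taken from the examples in this section; using the first field as the object key, and the function and variable names, are assumptions.

```python
"""Dry-run comparison of two .res files (added example, not Ipanema code)."""

# Export shown in this section, with the header unwrapped onto one line.
EXPORTED = r"""@ipboss_name|ipboss_topology_subnet_network_prefix|ipboss_topology_subnet_prefix_length|ipboss_topology_subnet_site|ipboss_administrative_state|
Lan_Augsburg|10.49.4.0|24|Site\Augsburg|0
Lan_Bangalore|10.91.2.0|24|Site\Bangalore|0
"""

# The import example of this section: same file plus the manually added object.
EDITED = EXPORTED + "Lan_Montelimar|10.33.3.0|24|Site\\Montelimar|0\n"

# Constructed sample: one object missing, one prefix length changed.
DRIFTED = (EXPORTED.splitlines()[0] + "\n"
           + "Lan_Bangalore|10.91.2.0|25|Site\\Bangalore|0\n")


def parse_res(text):
    """Return (fields, objects) for a .res file.

    The first line is the '@'-prefixed description of the fields; every other
    line is one object. Objects are keyed on their first field (assumption:
    that field is the unique object name, as ipboss_name is in the samples).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("@"):
        raise ValueError("first line must be the '@' description of the fields")
    fields = lines[0][1:].split("|")
    if fields[-1] == "":            # the exported header ends with a trailing '|'
        fields.pop()
    if not fields or "" in fields or len(set(fields)) != len(fields):
        raise ValueError("empty or duplicate field name in the header")
    objects = {}
    for record, line in enumerate(lines[1:], start=1):
        values = line.split("|")
        if len(values) == len(fields) + 1 and values[-1] == "":
            values.pop()            # tolerate a trailing '|' on object lines too
        if len(values) != len(fields):
            raise ValueError(
                f"object {record}: expected {len(fields)} values, got {len(values)}")
        name = values[0]
        if name in objects:
            raise ValueError(f"object {record}: duplicate name {name!r}")
        objects[name] = dict(zip(fields, values))
    return fields, objects


def classify_import(current_text, imported_text):
    """Group object names as created / modified / deleted / unchanged."""
    cur_fields, current = parse_res(current_text)
    imp_fields, imported = parse_res(imported_text)
    if cur_fields != imp_fields:
        raise ValueError("the two files do not describe the same fields")
    result = {"created": [], "modified": [], "deleted": [], "unchanged": []}
    for name, obj in imported.items():
        if name not in current:
            result["created"].append(name)
        elif obj != current[name]:
            result["modified"].append(name)
        else:
            result["unchanged"].append(name)
    result["deleted"] = [name for name in current if name not in imported]
    return {group: sorted(names) for group, names in result.items()}


if __name__ == "__main__":
    for label, candidate in (("edited", EDITED), ("drifted", DRIFTED)):
        print(label, classify_import(EXPORTED, candidate))
```
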
4. 7. SYSTEM PROVISIONING
4. 7. 1. Configuring Coloring
Operating procedure table: settings, ip|fast service
The Coloring Policy is used with Application Control. It is the capability to modify the TOS or DiffServ field in the IP header with a new value according to the type and criticality of the packet. The mode used is “Color-Blind” (in this mode, all packets are treated as if they were uncolored: they are marked according to the selected coloring rule, regardless of their initial color). ip|fast must be enabled.
In the System provisioning Toolbar, select Coloring:
The Coloring window is displayed.
Coloring window
By clicking on the New button, the creation window of a new coloring rule is displayed.
Coloring rule creation window (unspecified by default)
Coloring directory with TOS and DiffServ selections
This window defines the coloring policies to apply at the access to WAN (you can create as many Colorings as you want). The coloring parameters specify the type of service and the “TOS” or “DSCP” values as a function of the traffic type and criticality level. It comprises:
■ input fields:
– Name: to identify the coloring policy (string of characters). By default, the name “none” is defined, associated with an unspecified service type,
– Service type: to select the type of coloring policy to set up. The service is selected from a drop-down list. The values offered are:
• TOS: the TOS field of the frame is set to the value specified by the Code point setting. It then contains the value of the IP PRECEDENCE and the TOS specified for the Class of Service,
• DiffServ: "Differentiated Service" type service. The TOS field of the frame is set at the value specified by the PHB Group (DSCP) setting, in accordance with RFC 2474 (definition of the Differentiated Services Fields (DS Field) in the IPv4 and IPv6 headers), RFC 2597 (Assured Forwarding PHB group), RFC 2598 (Express Forwarding PHB group),
• unspecified: not specified,
■ a Coloring zone: to define or modify the coloring for each type of Traffic and Criticality level:
– PHB Group (DSCP): when DiffServ is the Service Type selected, the value for each pair (type of Traffic and criticality level) is selected with a drop-down list,
– Precedence/TOS (b0–b7): when ToS is the Service Type selected,
■ a display zone in the form of a table corresponding to the data previously entered.
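Type of traffic & Criticality level

| Type of traffic | Criticality level | “DiffServ” default setting: Service type | “DiffServ” default setting: PHB group | “DiffServ” default setting: DSCP value | “ToS” default setting: TOS value |
|---|---|---|---|---|---|
| Real time | Top | Express Forwarding | EF | 101110 | 6 |
| Real time | High | Express Forwarding | EF | 101110 | 6 |
| Real time | Medium | Express Forwarding | EF | 101110 | 6 |
| Real time | Low | Express Forwarding | EF | 101110 | 6 |
| Transactional | Top | Assured Forwarding | AF11 | 001010 | 3 |
| Transactional | High | Assured Forwarding | AF12 | 001100 | 3 |
| Transactional | Medium | Assured Forwarding | AF21 | 010010 | 3 |
| Transactional | Low | Assured Forwarding | AF22 | 010100 | 3 |
| Background | Top | Best Effort | BE | 000000 | 0 |
| Background | High | Best Effort | BE | 000000 | 0 |
| Background | Medium | Best Effort | BE | 000000 | 0 |
| Background | Low | Best Effort | BE | 000000 | 0 |

Configuration: “DiffServ” and “TOS” default setting
By default, the coloring is named “none” and the Service Type is “unspecified”. The entered values should correspond with the Class of Service of the Operator.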
Coloring rules can also be created by importing them from a configuration file. Refer to section Importing objects.
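The following is an added example, not part of the manual or of the Ipanema software: it decodes TOS bytes observed on the WAN side and checks them against the default “DiffServ” coloring listed above, which is how one would verify that Color-Blind marking really overrides whatever mark a host set. It assumes the DiffServ service type with the default settings is in use; the observation list is constructed and the function names are hypothetical.

```python
"""Check observed TOS bytes against the default "DiffServ" coloring (added example)."""

# PHB group -> DSCP bits, copied from the default-setting table above.
PHB_BITS = {
    "EF": "101110", "AF11": "001010", "AF12": "001100",
    "AF21": "010010", "AF22": "010100", "BE": "000000",
}

# Default "DiffServ" setting: (type of traffic, criticality level) -> PHB group.
DEFAULT_DIFFSERV = {}
for _level in ("Top", "High", "Medium", "Low"):
    DEFAULT_DIFFSERV[("Real time", _level)] = "EF"
    DEFAULT_DIFFSERV[("Background", _level)] = "BE"
DEFAULT_DIFFSERV.update({
    ("Transactional", "Top"): "AF11", ("Transactional", "High"): "AF12",
    ("Transactional", "Medium"): "AF21", ("Transactional", "Low"): "AF22",
})

# Constructed observations: (type of traffic, criticality level, TOS byte seen
# on the WAN side). The third one carries a mark the policy never assigns to it.
OBSERVED = [
    ("Real time", "Top", 0xB8),
    ("Transactional", "Medium", 0x48),
    ("Background", "Low", 0xB8),
    ("Transactional", "High", 0x31),   # low-order bits set, DSCP still AF12
]


def phb_to_dscp(phb):
    """Compute the 6-bit codepoint from the RFC definitions, not from the table."""
    if phb == "EF":
        return 0b101110                # recommended EF codepoint (RFC 2598)
    if phb == "BE":
        return 0                       # default PHB
    if len(phb) == 4 and phb[:2] == "AF" and phb[2] in "1234" and phb[3] in "123":
        return 8 * int(phb[2]) + 2 * int(phb[3])   # AFxy: class x, drop y (RFC 2597)
    raise ValueError(f"unknown PHB group {phb!r}")


def decode_tos_byte(value):
    """Split a TOS byte into (DSCP, PHB name or None, two low-order bits)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("a TOS byte is 0..255")
    dscp = value >> 2                  # the DS codepoint is the upper six bits (RFC 2474)
    name = next((p for p in PHB_BITS if phb_to_dscp(p) == dscp), None)
    return dscp, name, value & 0b11


def audit_marking(observations, policy=DEFAULT_DIFFSERV):
    """Return (traffic, level, expected PHB, seen) for every mismatching mark."""
    findings = []
    for traffic, level, tos in observations:
        expected = policy[(traffic, level)]
        dscp, seen, _ = decode_tos_byte(tos)
        if dscp != phb_to_dscp(expected):
            findings.append((traffic, level, expected, seen or format(dscp, "06b")))
    return findings


if __name__ == "__main__":
    for phb, bits in PHB_BITS.items():
        print(phb, bits, "TOS byte 0x%02X" % (phb_to_dscp(phb) << 2))
    print(audit_marking(OBSERVED))
```
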
4. 7. 2. Configuring WAN Accesses
Operating procedure table: settings, ip|fast, DWS.
The WAN access describes the WAN line(s) connected to the CPE on the WAN side of an ip|engine.
In the System provisioning Toolbar, select WAN access:
The WAN access window is displayed:
WAN access window
By clicking on the New button, the creation window of a new WAN access is displayed:
WAN access creation window
This window contains the following input fields:
■ Name: character string used to identify the WAN access. The same WAN access can be used on many different Sites. It is therefore advisable to mention the type of link in its name (e.g.: “MPLS...”, “ADSL...”) — and not the name of a Site where it is used.
■ Ingress (LAN to WAN) max Bandwidth: maximum ingress throughput allocated at the WAN interface of the CPE (in kbps),
■ Ingress (LAN to WAN) min Bandwidth: minimum ingress throughput that the tracking function (see below) can track down (in kbps); if no value is entered, it is automatically set to half of the max value,
■ Egress (WAN to LAN) max Bandwidth: maximum egress throughput allocated at the WAN interface of the CPE (in kbps),
■ Egress (WAN to LAN) min Bandwidth: minimum egress throughput that the tracking function (see below) can track down (in kbps); if no value is entered, it is automatically set to half of the max value,
■ Coloring: selection, from a drop-down list, of the Coloring policy created in the Coloring directory, to be applied. If there is no specific coloring (LS, Best effort), select "none". The default is “none”.
■ Trust level: Routine or Business: in case of Dynamic WAN Selection (DWS), defines which type of traffic is allowed to go through the Network Access Point (Routine and Business sensitivity levels are also defined for each Application Group, where they are used in the path decision to route traffic to a NAP with at least the same Trust Level).
■ Network Report key: this field allows ip|engines to be “network aware” in case of DWS: all WAN accesses with the same Network Report key are attached to the same network, thus allowing ip|engines to “know” which networks they have in common with the remote Sites (equipped or tele-managed). A WAN access which does not have the same Network Report key as the remote Site where traffic is to be sent to (in the diagram below, the WAN access to Network 2 on ip|engine A, which has to send traffic to B) will be classified as “impossible”, so the connectivity to this remote Site via this WAN access will not even be tested (thus both simplifying the configuration and avoiding errors — for instance if a probing packet is forwarded to another WAN access).
Network Report key usage
In this diagram, ip|engine A can test connectivity and send traffic to B via Network 1 (where its WAN access has Network Report key “Net1”), as B also has Network Report key “Net1”. But A cannot send traffic to B via Network 2 (where its WAN access has Network Report key “Net2”), because B does not have a Network Report key called “Net2”. This field is optional, but its usage is highly recommended in case of DWS. If no Network Report key is defined, the WAN accesses of the local Site will all be tested (with probing packets if the remote Site is equipped, based on the received traffic if the remote Site is tele-managed), regardless of the existence of a link to the same network on the remote Site. The WAN access is a key parameter for Application Control, so it should be set very carefully.
Bandwidth tracking
Congestion detection is key to know when and where to manage flows. Network available capacity may also vary in time (DSL link, Frame Relay access, secondary link with a bandwidth different from that of the primary link, etc.). The purpose of Bandwidth Tracking is to automatically and dynamically estimate the available network capacity:
Bandwidth Tracking
Bandwidth tracking principles:
■ One independent BW tracker per potential congestion point.
■ Fast increase (real time), slow decrease (20 seconds steps; for example, it takes approximately 5 minutes to detect an HSRP switch from a 2 Mbps line to a 1 Mbps backup line).
■ Inputs:
– Always: Usage profile (throughput) at potential congestion points.
– When available: end-to-end QoS (delay, jitter, loss).
■ Output:
– Available bandwidth for each potential congestion point.
ip|engines manage three potential congestion points between any pair of sites:
Potential congestion points between any pair of sites
Bandwidth tracking activation:
■ By setting a minimum bandwidth lower than the maximum bandwidth, the tracking function will automatically and dynamically estimate the actual value of the bandwidth between those two values:
Bandwidth tracking activated (between 1000 and 2000 kbps)
A minimum of 0 is not recommended.
■ By setting a minimum bandwidth equal to the maximum bandwidth, the tracking function will not execute:
Bandwidth tracking deactivated (constant bandwidth of 2000 kbps)
WAN accesses can also be created by importing them from a configuration file. Refer to section Importing objects.
4. 7. 3. Configuring ip|engines and tele|engines
Operating procedure table, ip|fast, ip|xcomp, ip|xtcp, ip|xapp, IMA, smart|plan, DWS.
In this section, the term “ip|engines” also embraces tele|engines (unless otherwise specified). Indeed, a tele|engine (that is: there is no ip|engine installed on site) is created via the ip|engine creation window, by simply checking the “tele|engine” box.
In the System provisioning Toolbar, select ip|engines. The ip|engines list window is displayed:
ip|engines list window
ip|engines can be created as described below, or by importing them from a configuration file. Refer to section Importing objects. The number of ip|engines and tele|engines that can be created is limited by the license. This number is displayed in the About window.
By clicking on the New button, the creation window of a new ip|engine is displayed. It contains two tabs, General and Advanced:
ip|engine creation window
The General tab contains five frames:
Site
■ Site name: character string used to identify the site the ip|engine belongs to (50 alphanumeric characters max); if it is left blank, it is automatically filled in with the name of the ip|engine (see below). Several ip|engines can belong to the same site (in case of clusters) — so the Site name does not have to be unique —; in this case, creating a report for the Site will automatically create reports at the Site level (aggregating all the data from all ip|engines belonging to that site) and on each individual ip|engine.
■ Local Internet Access: check the box if the Site provides an access to the Internet (avoids having to use Out of Domain or to declare the 30 subnets of the Internet address space),
Reporting Hierarchy Folders and Tags
■ Folder: allows defining a first hierarchical level in the sites reports and in ip|dashboard’s flows map,
■ Subfolder: allows defining a second hierarchical level in the sites reports and in ip|dashboard’s flows map.
These two fields allow navigating in the reports (in ip|reporter) in two different ways:
– The first browsing method does not use these two fields: by selecting “Folders” in the drop-down list in ip|reporter’s main window, you can access the reports with the following file system tree (4 hierarchical levels):
• / / /
As a consequence, in / Sites, all sites are displayed together (sorted by alphabetical order), without the possibility to sort them by geographical location for instance:
ip|reporter’s “Folders” file system tree
– The second browsing method allows navigating in the sites’ reports with two additional hierarchical levels, defined by these two fields: by selecting “Navigation” in the drop-down list in ip|reporter’s main window, you can access the sites’ reports with the following file system tree (two additional hierarchical levels):
• / Navigation / / / /
(The level disappears, as this method is valid to access the Sites’ reports only.) This allows any site to be found easily according to a two-layer classification (in the example below, by continent first — as defined in the field Folder — and by country — as defined in the field Subfolder).
The ip|engines created without filling those fields are grouped under the “Unknown / Unknown” folder and subfolder names. This method is very helpful on large networks, with hundreds or thousands of sites.
ip|reporter’s “Navigation” file system tree
■ Tags: free text field (250 characters max.)
ip|engine
■ Name: character string used to identify the ip|engine (50 alphanumeric characters max). Several ip|engines can have the same Site name (in case of clusters of ip|engines on that Site; see above). If it is left blank, it is automatically filled in with the IP address of the ip|engine.
■ Main public IP address: IP address of the ip|engine visible by ip|boss server for management purposes (configuration, collection of the correlation records, supervision),
■ Main private IP address (if only the Main public address is declared, then the Main private address is automatically allocated the same value): IP address of the ip|engine as it has been locally configured (with the ipconfig command).
- In most cases (VPN, flat addressing, ...) only the Main public address is needed.
- In case of NAT, the two addresses must be different.
Depending on whether the MGT port is used, the Main addresses are allocated either to the LAN-to-WAN bridge (if the MGT port is not used: in band management) or to the MGT port, if used (out of band management):
In band mgt: Main IP address allocated to the LAN-to-WAN bridge
Out of band mgt: Main IP address allocated to the MGT port
IP addresses are not mandatory for a tele|engine.
■ Auxiliary public IP address (mandatory when the MGT port is used; must not be declared otherwise): IP address of the ip|engine visible by other ip|engines for measurement (ip|true), Application Control (ip|fast), redundancy elimination (ip|xcomp, signalling + tunnel), TCP acceleration (ip|xtcp), CIFS acceleration (ip|xapp) and synchronization (ip|sync) purposes; it allows for out of band management (using the Main address) but in band inter-ip|engines messages (using the Auxiliary address),
■ Auxiliary private IP address (option — if only the Aux. public address is declared, then the Aux. private address is automatically allocated the same value): IP address of the ip|engine as it has been locally configured (with the ipconfig command) for the LAN-to-WAN bridge.
The Auxiliary addresses are allocated to the LAN-to-WAN bridge, when the MGT port is used (in this case, the Main addresses are allocated to the MGT port). Refer to the second diagram above. If no Auxiliary address is declared, the inter-ip|engines messages use the Main address.
- In most cases (VPN, flat addressing, ...) only the Auxiliary public address is needed.
- In case of NAT, the two addresses must be different.
■ Report key: this field is optional. A “report key” field is used for SNMP and ip|reporter and allows defining groupings of ip|engines. An ip|engine belongs to only one grouping. For example, this field can be used to gather ip|engines according to:
– a geographical criterion (all ip|engines in Europe, North America, Asia, Africa...),
– the type of access line (all ip|engines with an access line at 64 kbps, 128 kbps, ....)
■ Auto-reporting: to allow (yes) or not (no) the reports created with the Automatic reporting function to be added for this ip|engine. Refer to the Automatic reporting section.
■ tele|engine: check the box if there is no ip|engine on the Site (tele-managed site). A tele|engine is characterized by an alias and an IP address; if no IP address is defined ip|boss randomizes a virtual IP address with a 240.x.x.x prefix.
Network Access Point Configuration
This frame allows configuring the WAN access(es) on the Network Access Point(s); it contains the Path Selection radio buttons and various input fields that depend on the selected Path Selection method. Path Selection allows enabling DWS (by selecting “TOS” or “CPE”; DWS must be allowed in the license) or the multipath feature (by selecting “L1 Transparent” or “L2 Transparent”). To enable these features, ip|fast must be checked in the Services frame (otherwise Path Selection can only be “Disabled”). The green corners indicate the fields to be filled, depending on the methods.
■ Path Selection: Disabled (default value): disables DWS and the multipath features:
Path Selection: Disabled
It is typically the case of an ip|engine with 1 LAN connection, 1 WAN connection and 1 NAP only (most basic configuration), or of an ip|engine with 2 LAN connections, 2 WAN connections and 1 NAP:
Single LAN, Single WAN, Single NAP
Multi LAN, Multi WAN, Single NAP
It is the only option when ip|fast is not checked in the Services frame. So it also applies to an ip|engine with 2 LAN connections, 2 WAN connections and 2 NAPs, but which is only measuring the traffic (it will not measure the traffic NAP by NAP individually, but globally on the two NAPs):
Multi LAN, Multi WAN, Multi NAP measured as a Single one
Only one WAN access has to be configured (WAN access 1), corresponding to NAP 1 or to the sum NAP 1 + NAP 2 in the diagrams above, and it has no attribute:
– WAN access 1: name of the NAP’s WAN access (mandatory).
Make sure the throughput of the selected WAN access corresponds to the actual throughput of the physical line, at layer 3. Should it not be the case, congestions may not be detected, so ip|fast may not avoid them and may not protect critical applications as expected.
■ Path Selection: TOS (ip|fast must be checked in the Services frame to allow selecting it): allows configuring two or three WAN accesses for DWS, with their corresponding TOS values; TOS values are chosen from a drop down list (xxxx01xx, xxxx10xx or xxxx11xx); the CPE router has to be configured with the corresponding PBR rules, to route the packets accordingly:
Path Selection: TOS
It should be selected when DWS is used on a site with a layer 3 device between the ip|engine and the two or three WAN routers (“DWS TOS”):
Single LAN, Single WAN, Multi NAP, DWS TOS
■ Path Selection: CPE (ip|fast must be checked in the Services frame to allow selecting it): allows configuring two or three WAN accesses for DWS, with the IP addresses of the corresponding CPE routers:
Path Selection: CPE
The ip|engine will send the traffic to the selected CPE routers in Ethernet frames changing the router’s MAC addresses depending on the selection. For this reason, there must be no layer 3 device between the ip|engine and the CPE routers (there can be either a layer 2 device, or a direct connection; DWS then rewrites the MAC address of the CPE router, hence the other name often given to that method, “DWS MAC”). This method is easier than DWS as there is no need to configure PBR rules on any router. Deployment cases:
Single LAN, Single WAN, Multi NAP, DWS MAC
Single LAN, Multi WAN, Multi NAP, DWS MAC
Multi LAN, Multi WAN, Multi NAP, DWS MAC
■ Path Selection: L1 Transparent (ip|fast must be checked in the Services frame to allow selecting it): allows configuring two WAN accesses, managed independently, without path selection (neither dynamic — no DWS — nor static) — no attribute (TOS or CPE) is required:
Path Selection: L1 Transparent
It should be selected when the ip|engine has two LAN connections and two WAN connections, and is required to manage the two paths [LAN 1 — WAN 1] and [LAN 2 — WAN 2] independently (hence the name: “layer 1 transparent”). No path selection is made by the ip|engine, at all (of course DWS is not used):
Multi LAN, Multi WAN, Multi NAP, no path selection
■ Path Selection: L2 Transparent (ip|fast must be checked in the Services frame to allow selecting it): allows configuring two or three WAN accesses with router-based path selection (no DWS), with the IP addresses of the corresponding CPE routers:
Path Selection: L2 Transparent
It should be selected on sites with several WAN accesses, with no layer 3 device between the ip|engine and the two or three WAN routers (there can be either a layer 2 device, or a direct connection), and when the customer does not want to use DWS. Then the ip|engine can manage the links individually, selecting the ones to use based on the LAN devices’ default gateways (that they learn thanks to their MAC addresses — hence the name: “layer 2 transparent”), without requiring an additional switch:
Multi LAN, Multi WAN, Multi NAP, path selection, no DWS
Single LAN, Multi WAN, Multi NAP, path selection, no DWS
Multi LAN, Multi WAN, Multi NAP, path selection, no DWS
The bandwidth is an important factor for Application Control: make sure all WAN accesses are correctly configured.
Services
This frame allows defining the ip|engine’s capabilities. It contains the following check boxes:
Checking these boxes does not activate the corresponding services: it configures the ip|engines to run them when they are activated in the Service activation window.
■ Administrative State: measurement service (ip|true) selection:
– enable: ip|engine activated,
– disable: ip|engine deactivated.
■ ip|fast: Application Control service selection, if checked; checking ip|fast on a tele|engine enables ip|coop for this tele-managed site.
To enable all the following services, ip|fast must be enabled (all of them leverage ip|fast).
■ ip|xcomp compress: compression service selection, if checked (**);
■ ip|xcomp decompress: decompression service selection, if checked (**);
■ ip|xtcp: TCP acceleration service selection, if checked (*);
■ ip|xapp: CIFS acceleration service selection, if checked (**);
■ IMA: Ipanema Mobile Agent selection, if checked; IMA service must be activated on both the IMA server side (i.e., on the ip|engine acting as an IMA server) and the IMA client side (i.e., on the tele|engine or nano|engine — or, possibly, ip|engine — configured on the site with IMA clients);
■ smart|plan: Smart Planning service selection, if checked (*);
* These services are not available for tele|engines.
** These services are available on tele-managed sites on PCs or laptops running IMA.
Advanced tab
This tab contains two frames:
ip|engine creation window, Advanced tab
Redundancy Elimination Method
■ Zero Delay: ZRE is enabled.
■ Standard: SRE is enabled.
By default, both methods of redundancy elimination are enabled (when ip|xcomp is checked in the Services frame in the General tab). We do not recommend changing the default settings without advice from Ipanema Support.
Custom
■ Custom tag: free text field.
4. 7. 4. Configuring Topology subnets
Operating procedure table: settings, ip|true service
Topology subnets describe the network topology and are used by ip|engines, nano|engines and virtual|engines to classify, measure and control the traffic. They correspond to the IP subnets of all sites, equipped (sites with ip|engines, nano|engines or virtual|engines) and tele-managed (sites with tele|engines).
■ Topology subnets on equipped sites are automatically discovered by the system, so they do not have to be configured. Yet, they can be configured, if needed.
– If Topology subnets that have been automatically discovered are also configured, it is the configuration that prevails.
– If the discovered Topology subnets and the configured Topology subnets do not match, an alarm is raised (see 5.2.1.2. Single ip|engine status).
– Topology subnets that are discovered are not displayed in the Topology subnets window.
– “SA — Site throughput report” and the Discovery feature help check the Topology subnets on equipped sites.
■ Topology subnets on tele-managed sites must be configured.
All Topology subnets must be configured. For instance, if 10.1.1.0/24 and 10.1.2.0/24 are present on site A (but 10.1.3.0/24 is on another site, B), then you must configure two Topology Subnets on site A, one for 10.1.1.0/24 and one for 10.1.2.0/24. Do not configure one global Topology Subnet (10.1.0.0/16) instead, as it would also include 10.1.3.0/24, which is in site B.
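The rule illustrated by the 10.1.0.0/16 example can be checked on a subnet plan before it is entered or imported. The following Python check is an added example, not Ipanema code: the `TopologySubnet` record and the function names are hypothetical, the field limits are the ones given for the creation window in this section, and the two sample plans are constructed from the addresses used in the text.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class TopologySubnet:
    """One Topology subnet entry (hypothetical record, mirrors the input fields)."""
    name: str
    prefix: str
    length: int
    site: str
    enabled: bool = True

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits in the prefix (10.1.1.5/24 -> 10.1.1.0/24)
        return ipaddress.IPv4Network(f"{self.prefix}/{self.length}", strict=False)


def field_errors(subnet):
    """Check one entry against the limits stated for the creation window."""
    errors = []
    if len(subnet.name) > 50 or not subnet.name.isascii():
        errors.append("name: 50 non extended ASCII characters maximum")
    if not 0 <= subnet.length <= 32:
        errors.append("prefix length: must be between 0 and 32")
    else:
        try:
            subnet.network()
        except ValueError:
            errors.append("network prefix: not a valid IPv4 prefix")
    return errors


def cross_site_overlaps(subnets):
    """Return (wider, narrower) name pairs of enabled subnets that overlap
    although they are associated with different sites."""
    usable = [s for s in subnets if s.enabled and not field_errors(s)]
    hits = []
    for a, b in combinations(usable, 2):
        if a.site != b.site and a.network().overlaps(b.network()):
            wider, narrower = (a, b) if a.length <= b.length else (b, a)
            hits.append((wider.name, narrower.name))
    return hits


# Constructed sample plans, using the addresses from the text above.
GOOD_PLAN = [
    TopologySubnet("A-lan1", "10.1.1.0", 24, "A"),
    TopologySubnet("A-lan2", "10.1.2.0", 24, "A"),
    TopologySubnet("B-lan", "10.1.3.0", 24, "B"),
]
BAD_PLAN = [
    TopologySubnet("A-all", "10.1.0.0", 16, "A"),  # also swallows site B's /24
    TopologySubnet("B-lan", "10.1.3.0", 24, "B"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, cross_site_overlaps(plan))
```

Entries whose Administrative State is disabled are skipped, since the manual states they are not taken into account.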
In the System provisioning Toolbar, select Topology Subnets:
The Topology Subnets list window is displayed.
Topology Subnets list window
By clicking on the New button, the creation window of a new Topology subnet is displayed.
Configuring Topology subnets
It contains the following input fields:
■ Name: string of characters used to identify the Topology subnet (50 non extended ASCII characters maximum),
■ Network prefix: Topology subnet prefix,
■ Prefix length: length of the prefix of the Topology subnet (value between 0 and 32),
■ Associated site: site this subnet belongs to, to be selected from a drop-down list,
■ Administrative State:
– enable: Topology subnet taken into account,
– disable: Topology subnet not taken into account.
Topology subnets can also be created by importing them from a configuration file. Refer to section 4.6.2. Importing objects.
4. 7. 5. Configuring ip|sync (time synchronization)
Operating procedure table: ip|sync service
ip|sync is used for the time synchronization of the ip|engines through the network, and time synchronization is used for delay measurements. An ip|engine is synchronized when the offset with its source is less than 10 ms (by default; this value can be changed). Time synchronization uses three levels:
■ A Time server, which can be an external clock reference (NTP) or an ip|engine of the Domain, is used as the main synchronization source,
■ Synchronization servers, which are ip|engines of the Domain (use several for redundancy reasons), get their synchronization from the Time server and propagate it to all the other ip|engines of the Domain,
■ All other ip|engines of the Domain get their synchronization from the Synchronization servers (without any out of Domain connection).
This architecture allows GPS-less Domains, out of Domain synchronization and a short term “no time” function (a Domain can be disconnected from its Time server; the Synchronization servers will remain synchronized to each other, which gives higher resiliency).
Time servers
■ can be either ip|engines, ip|boss or external NTP servers,
■ must deliver a consistent time between each other,
■ if an ip|engine is a Time server, it will use its local ITP configuration.
If a Time server is an external NTP server, the ITP port must be tuned to 123 (“Sentry Tuning” section in the __active__.ipmconf ip|boss configuration file).
Synchronization servers
■ must be Domain ip|engines,
■ will not use their local reference,
■ share their clocks with their peers (all other synchronization servers).
An ip|engine can be declared as both a time server and a synchronization server.
Configuration
In the System provisioning Toolbar, select ip|sync:
The Time and Synchronization servers window is displayed.
Time and Synchronization servers window
This window is made of two frames:
Time server directory
■ Server: allows entering the IP address of an NTP server (several ones can be declared, but it is not recommended); enter an address then click the “+” sign.
■ ip|engine: allows selecting an ip|engine as a time server (select one only).
Declare a Server or an ip|engine. Select one or the other, do not select an NTP server and an ip|engine.
Synchronization server directory
■ ip|engine: allows selecting ip|engines as ITP servers (choose three or four, for redundancy reasons).
■ The right frame displays the selected ITP servers for the Domain.
4. 7. 6. Scripts
Scripts are described in the SUPERVISION section: 5.2.3. Scripts.
4. 7. 7. Tools
The System provisioning toolbar provides a Tools menu, with four functions:
Tools
They are described in the following sections:
■ Software upgrade: 5.3.2. ip|engine software upgrade.
■ Reboot: 5.3.1. Rebooting.
■ Security status: 5.2.4. Security.
■ Advanced configuration: 4.7.8. Configuring DWS.
4. 7. 8. Configuring DWS (Tools / Advanced conf.)
Operating procedure table: DWS
DWS fully supports asymmetric routing. Path selection is made packet per packet, so a single session can use several Ingress WAN accesses and several Egress WAN accesses. Yet, there can be constraints (e.g. stateful firewalls) to:
■ always use the same Ingress WAN access,
■ always use the same Egress WAN access as Ingress WAN access (remote sites).
In the System provisioning Toolbar, select Tools, then the Advanced configuration tab. The DWS advanced configuration window is displayed:
DWS advanced configuration window
It contains three parameters:
These three parameters can be overwritten for each Application Group, thanks to the Application Group configuration window’s Advanced tab (refer to 4.10.5.4. Application Groups’ advanced tab).
■ Sensitivity policy: matching Application Groups’ sensitivities with WAN accesses’ Trust Levels depends on a policy which can be changed here.
– Sensitivity policy allows choosing between three policies:
- Preferred (default): A Business AG will be sent on a Business NAP, a Routine AG will be sent on a Routine NAP preferably, except when connectivity is down or when QoS/BW criteria cannot be met. There is a decision threshold based on QoS/BW evaluation.
- Strict: A Business AG will be sent on a Business NAP, a Routine AG will be sent on a Routine NAP (always). If it is not possible, then no decision is made (the traffic is bridged as is). There is no possible backup.
- Backup: A Business AG will be sent on a Business NAP, a Routine AG will be sent on a Routine NAP, except when connectivity is down, in which case a NAP with a different Trust level can be used.
■ Return path:
- no: both half-connections are independent (from DWS perspective) and can use different NAPs (this value is called “Free” in the Application Group’s “Return path” parameter).
- yes (default): always use the same Egress NAP as Ingress: the Ingress half-connection (SYN+ACK) will use the observed NAP for the peer Egress half-connection (SYN) (this value is called “As received” in the Application Group’s “Return path” parameter).
■ NAP selection policy:
- Per Packet: decision is made packet per packet (different packets from a single session can use different paths). Note: this is not recommended on heterogeneous networks.
- Per Session (default): always use the same Ingress NAP (all following packets of the same session will re-use the initially chosen NAP).
4. 8. APPLICATION PROVISIONING
4. 8. 1. Configuring User subnets
Operating procedure table: settings, ip|true service, ip|fast service
User Subnets can be used for Application Visibility and for Application Control, so as to identify specific hosts, servers or subnets on which measurement, control or reporting is required. They can be used as filters, once created, in the applications, Application Groups and MetaViews definitions.
User subnets are not mandatory. Create them only in case of specific subnets or hosts.
In the Application provisioning Toolbar, select User subnets:
The User subnets list window is displayed (it is empty by default). By clicking on the New button, the creation window of a new User subnet is displayed.
Configuring User subnets
It contains the following input fields and check boxes:
■ Name: string of characters used to identify the user subnet,
■ Network prefix: user subnet prefix,
■ Prefix length: length of the prefix of the user subnet,
■ Administrative State:
– Enable: user subnet taken into account,
– Disable: user subnet not taken into account.
4. 8. 2. Configuring Types of service (TOS)
Operating procedure table: settings, ip|true service, ip|fast service
TOSs can be added to, removed from or modified in this dictionary. This dictionary is useful only when the packets are colored by the source (IP-Phone for instance). This dictionary can be used for measurement (ip|true) and Application Control (ip|fast).
In the Application provisioning Toolbar, select TOS:
The Types Of Service window is displayed (it is empty by default). By clicking on the New button, the creation window of a new TOS is displayed.
Configuring TOS
TOS that are not explicitly named in the dictionary are implicitly grouped into the Other category. The TOS window contains the following input fields and click boxes:
■ Name: to identify a specific TOS value (string of characters),
■ Mode: to select TOS field mode of use:
– TOS: specifies the Type of Service,
– DSCP: specifies the "Code point" for a “DiffServ” type of service,
■ According to the selected mode (TOS or DSCP):
– TOS/CP: 8 bits field, value: 0, 1, X (don’t care),
– DSCP: 6 bits field, value: 0, 1, X (don’t care).
4. 8. 3. Configuring Applications
Operating procedure table: settings, ip|true service, ip|fast service
A default applications dictionary is available for each configuration. Applications can be added to, removed from or modified in this dictionary. This dictionary is used by the ip|true and ip|fast functions.
In the Application provisioning Toolbar, select Applications:
The applications window is displayed.
Applications window
This window is made of two frames:
■ The recognized protocols are displayed on the left, grouped by types,
■ The Applications dictionary is displayed on the right.
The Applications dictionary specifies the applications that are recognized.
4. 8. 3. 1. Application recognition
The Ipanema System recognizes application flows using the opening negotiations of the client/server session conversation (SYN, SYN-ACK, ACK, i.e. layers 3 and 4 information), then it checks the syntax of the application (layer 7 information) thanks to a “syntax engine” to uniquely identify it without any possible error, regardless of the ports being used; this also makes it possible to classify particular applications (such as Codecs, published application names, peer-to-peer applications, URLs or URIs, etc.).
The ip|engine’s “syntax engine” uses DPI (deep packet inspection) to detect application signatures, i.e. data patterns that uniquely identify a particular application. (Mechanisms such as this are also commonly used for virus recognition.) The start of the conversation (and only the start) is inspected to detect these patterns and classify the applications. It is also possible to declare applications on the ports being used (you have defined an application as traffic on a specific port/server); in this case, it is the port number that prevails to recognize the application. When an ip|engine has not observed this start of the conversation, or if the application cannot be recognized thanks to its syntax or declared port number, it falls back to RFC 1700 ("well known ports" definition). So the order of recognition of applications is as follows:
■ 1) Declared Port (you have defined an application as traffic on a specific port/server)
■ 2) Syntax engine (the Ipanema System uses its inbuilt application detection capabilities)
■ 3) Well known port (RFC 1700)
Applications that are not recognized or enabled in the dictionary are implicitly grouped on their lower layer protocol (e.g. TCP or UDP).
4. 8. 3. 2. Recognized applications, by alphabetical order
A
Adobe Connect: (Unified Communications)
AIM Express: (Unified Communications)
AIM Transfer: (transferring and sharing)
Altiris: (transferring and sharing)
AOL Instant Messenger: (Unified Communications)
Applejuice: (peer-to-peer)
Ares: (peer-to-peer)
Audiogalaxy: (deprecated)
AVG: (anti-virus)
AVG Updates_: (specific TCP port number, in Transport Layer Protocols)
Avira: (anti-virus)
B
BBC iPlayer: (streaming)
BGP: Border Gateway Protocol (routing)
Bitdefender: (anti-virus)
BitTorrent: (peer-to-peer)
C
Cisco Unified MeetingPlace: (Unified Communications)
Cisco Unified MeetingPlace_: (specific TCP port number, in Transport Layer Protocols)
Citrix: and Citrix published applications (thin client)
COTP: Connection Oriented Transfer Protocol (ISO) (Network Services)
CUPS: Common Unix Printer System (transferring and sharing)
D
Dailymotion: HTTP web site (Cloud Protocols)
DCERPC: Distributed Computing Environment Remote Procedure Call (transferring and sharing)
DHCP: Dynamic Host Configuration Protocol (Network Services)
Diameter: (AAA)
DICT: Dictionary Server Protocol (deprecated)
DIMP: Dynamic Internet Messaging Program (Mail Services)
DirectConnect: (peer-to-peer)
DNS: Domain Name Service (Network Services)
DRDA: Distributed Relational Database Architecture
E
Edonkey: (peer-to-peer)
EIGRP: Enhanced Interior Gateway Routing Protocol (Network Services)
End Point Mapper: (Application Services)
EtherIP: (tunneling)
Exchange: = MAPI (mail services)
F
Facebook: HTTP web site (Cloud Protocols)
Filetopia: (peer-to-peer)
Flash: (streaming)
Foxy: (peer-to-peer)
FTP: File Transfer Protocol (transferring and sharing)
FTPS: Secure FTP (transferring and sharing)
F-Secure: (anti-virus)
F-Secure Online Backup_: (specific TCP port number, in Transport Layer Protocols)
G
G.711a: audio/PCMA; RTP/RTCP attribute (Unified Communications)
G.711u: audio/PCMU; RTP/RTCP attribute (Unified Communications)
G.723: audio/G723; RTP/RTCP attribute (Unified Communications)
G.729: audio/G729; RTP/RTCP attribute (Unified Communications)
GIOP: General Inter-ORB Protocol (Corba) (middleware)
GIOPS: Secure GIOP (middleware)
Gizmo: (Unified Communications)
GNUnet: (peer-to-peer)
Gnutella: (peer-to-peer)
GoBoogy: (peer-to-peer)
Google Apps: HTTPS web site (Cloud Protocols)
GooglePlus: HTTPS web site (Cloud Protocols)
GoToMeeting: (Unified Communications)
GoToMeeting_: (specific TCP port number, in Transport Layer Protocols)
GRE: Generic Routing Encapsulation (tunneling)
GTP: GPRS Tunneling Protocol
H
H.225: (Unified Communications)
H.245: (Unified Communications)
HSRP: (Cisco) Hot Standby Router Protocol (Network Services)
HTTP: HyperText Transfer Protocol (Cloud protocols)
HTTP tunnel: (tunnelling)
HTTPS: Secure HTTP (Cloud protocols)
I
IAX: (Unified Communications)
iCall: (Unified Communications)
IBM-DB2: (database)
IBM Informix: (database)
IBM Lotus Sametime: (Unified Communications)
Icecast: (streaming)
ICMP: Internet Control Message Protocol (Network Services)
ICQ: “I seek you” (deprecated)
Identification protocol: (AAA)
IGMP: Internet Group Management Protocol (Network Services)
IMAP: Internet Message Access Protocol v4 (Mail services)
IMAPS: Secure IMAP (Mail services)
iMesh: (peer-to-peer)
IPComp: IP Payload Compression Protocol (Transport Layer)
IPP: Internet Printing Protocol (transferring and sharing)
IPSec: IP Secure (tunneling)
IRC: Internet Relay Chat (Unified Communications)
IRCS: Secure IRC (Unified Communications)
ISAKMP: Internet Security Association and Key Management Protocol (AAA)
J
Jabber: (Unified Communications)
JetDirect: (transferring and sharing)
K
Kaspersky: (anti-virus)
Kazaa: (peer-to-peer)
Kerberos: (AAA)
KuGou: (peer-to-peer)
L
L2TP: Level 2 Tunneling Protocol (tunneling)
LDAP: Lightweight Directory Access Protocol (AAA)
LDAPS: Secure LDAP (AAA)
Linkedin: HTTPS web site (Cloud Protocols)
Load Balancing: (deprecated)
Lotus Notes: (Mail services)
LPR: Line Printer Daemon (transferring and sharing)
M
Mainframe CFT: (transferring and sharing)
Manolito: (peer-to-peer)
MAPI: MS Exchange Mail API (Mail services)
McAfee: (anti-virus)
MCS: Multipoint Communication Service (deprecated)
MGCP: Media Gateway Control Protocol (Unified Communications)
Microsoft ActiveSync: (transferring and sharing)
Microsoft Office Groove: (Application Services)
MMS: Microsoft Multimedia Streaming (Unified Communications)
MobiLink: (database)
Mount: (transferring and sharing)
MPEG-TS: (Unified Communications)
MS Communicator: (Unified Communications)
MS SQL: = TDS (database)
MS Exchange: = MAPI (Mail services)
MSN: MSN Messenger (Unified Communications)
Mute: (peer-to-peer)
MySQL: (database)
N
Napster: (deprecated)
NARP: NBMA Address Resolution Protocol (Network Services)
Netbios: (Network Services)
Netflow: (Network Services)
NFS: Network File System (transferring and sharing)
NLockMgr: Network Lock Manager (transferring and sharing)
NNTP: Network News Transport Protocol (Unified Communications)
NNTPS: Secure NNTP (Unified Communications)
NOD32: (anti-virus)
Norton: (anti-virus)
NSPI: Name Service Provider Interface (Application Services)
NTP: Network Time Protocol (Network Services)
O
OCSP: Online Certificate Status Protocol (AAA)
OpenFT: (deprecated)
openVPN: (tunnelling)
Oracle - SQL Net: Transparent Network Service (database)
OSPF: Open Short Path First (routing)
ooVoo: (Unified Communications)
P
PalTalk: (Unified Communications)
Panda: (anti-virus)
Pando: (peer-to-peer)
PC Anywhere: (thin client)
PIM: Protocol Independent Multicast (routing)
Pinterest: HTTPS web site (Cloud Protocols)
POP3: Post Office Protocol v3 (Mail services)
POP3S: Secure POP3 (Mail services)
Portmap: Port Mapper (Application Services)
Postgres: (database)
PPP: Point-to-Point Protocol (tunneling)
PPTP: Point-to-Point Tunneling Protocol (tunneling)
Printer_ipp: = IPP (transferring and sharing)
Q
Q.931: (Unified Communications)
Quake: (game, deprecated)
R
RADIUS: Remote Authentication Dial-In User Service (AAA)
Radmin: (Thin Client)
RDP: Remote Desktop Protocol (Windows Terminal Server) (thin client)
RDT: Real Data Transfer (Unified Communications)
Remote Shell: (thin client)
RFB: Remote Frame Buffer (VNC) (thin client)
RIP v1, v2, ng: Routing Information Protocol
RLogin: Remote Login (thin client)
RLP: Resource Location Protocol (Network Services)
RPC: Remote Procedure Call (middleware)
RQuota: (transferring and sharing)
RSH: = Remote Shell (thin client)
RStat: (transferring and sharing)
RSS: Rich Site Summary, often dubbed Really Simple Syndication (Cloud Protocols)
RSVP: ReSerVation Protocol (Network Services)
RSync: Remote synchronous (transferring and sharing)
RTMP: Real-Time Messaging Protocol (Unified Communications)
RTP/RTCP: Real Time (Control) Protocol (Unified Communications)
RTSP: Real Time Streaming Protocol (Unified Communications)
RUsers: (transferring and sharing)
S
Salesforce: HTTPS web site (Cloud Protocols)
SAP: SAP AG’s Enterprise Resource Planning (ERP) software
SCTP: Stream Control Transmission Protocol (Transport layer protocols)
SharePoint: (transferring and sharing)
Sharepoint 2010_: (specific TCP port number, in Transport Layer Protocols)
SHOUTcast: (Unified Communications)
Siebel: (Enterprise Applications)
Silverlight: (streaming)
SIP: Session Initiation Protocol (Unified Communications)
Skinny Client Control Protocol: (Unified Communications)
Skype: (Unified Communications)
SLP: Service Location Protocol; = SrvLoc (Application Services)
SMB: Server Message Block (Windows File Server) (transferring and sharing)
SMTP: Simple Mail Transfer Protocol (Mail services)
SMTPS: Secure SMTP (Mail services)
SNMP: Simple Network Management Protocol (Network Services)
SOAP: Simple Object Access Protocol (middleware)
Socks: Sockets (tunneling)
SopCast: (peer-to-peer)
Soulseek: (peer-to-peer)
SrvLoc: Service Location Protocol (Application Services)
SSDP: Simple Service Discovery Protocol (Application Services)
SSH: Secure Shell (thin client)
SSL: Secure Socket Layer (Transport Layer)
STUN: Simple Traversal of UDP through NATs (tunnelling)
Sybase: (database)
Sync: (transferring and sharing)
Syslog: (Network Services)
T
T38: (Network Services)
TCP: Transmission Control Protocol (Transport Layer)
TDS: Tabular Data Stream, or MS SQL (database)
Telnet: (thin client)
TelnetS: Secure Telnet (thin client)
TFTP: Trivial File Transfer Protocol (transferring and sharing)
TIBCO-RV: TIBCO Rendezvous protocol (Middleware)
TNVIP: (thin client)
TrendMicro: (anti-virus)
TrendMicro Updates_: (specific TCP port number, in Transport Layer Protocols)
Twitter: HTTPS web site (Cloud Protocols)
U
UCP: Universal Computer Protocol (Unified Communications)
UDP: User Datagram Protocol (Transport Layer)
URL: Uniform Resource Locator, as an HTTP attribute
uTP: see µTorrent
V
VMWare: (thin client)
VNC: = RFB (thin client)
Voddler: (streaming)
VRRP: Virtual Router Redundancy Protocol (Network Services)
W
Webex: (Unified Communications)
Webex_: (specific TCP port number, in Transport Layer Protocols)
WINMX: (peer-to-peer)
WINS: (transferring and sharing)
X
X.11: (XWindows) (thin client)
XML-RPC: Remote Procedure Call using eXtensible Markup Language (Cloud Protocols)
XoT: X.25 over TCP (tunneling)
Y
Yahoo Messenger: (Unified Communications)
YouTube: HTTP web site (Cloud Protocols)
YPPasswd: Yellow Pages Password (AAA)
YPServ: Yellow Pages Server (AAA)
YPUpdate: Yellow Pages Update (transferring and sharing)
Z
-
µ
µTorrent: (peer-to-peer)
Recognized applications, by alphabetical order
4. 8. 3. 3. Recognized applications, by type
Anti-Virus: AVG, Avira, Bitdefender, F-Secure, Kaspersky, McAfee, NOD32, Norton, Panda, TrendMicro
Application Services: End Point Mapper, Microsoft Office Groove, NSPI, Port Mapper, SrvLoc, SSDP
Authentication Authorization Accounting: Diameter, Identification Protocol, ISAKMP, Kerberos, LDAP, LDAPS, OCSP, RADIUS, YPPasswd, YPServ
Cloud Protocols: HTTP (with specific recognition for Dailymotion, Facebook and YouTube), HTTPS (with specific recognition for Google Apps, GooglePlus, Linkedin, Pinterest, Salesforce and Twitter), RSS, XML-RPC
Database: DRDA, IBM-DB2, IBM Informix, MobiLink, MySQL, Oracle, Postgres, Sybase, TDS (= MS SQL)
Deprecated: Audiogalaxy, DICT, ICQ, Load Balancing, MCS, Napster, OpenFT, Quake
Enterprise Apps: SAP, Siebel
Mail Services: DIMP, IMAP, IMAPS, Lotus Notes, MAPI (MS Exchange), POP3, POP3S, SMTP, SMTPS
Middleware: GIOP, GIOPS, RPC, SOAP, TIBCO-RV
Network Services: COTP, DHCP, DNS, EIGRP, HSRP, ICMP, IGMP, NARP, Netbios, Netflow, NTP, RLP, RSVP, SNMP, Syslog, T38, VRRP
Peer to Peer: Applejuice, Ares, BitTorrent, DirectConnect, Edonkey, Filetopia, Foxy, GNUnet, Gnutella, GoBoogy, iMesh, Kazaa, KuGou, Manolito (MP2P), Mute, Pando, SopCast, Soulseek, WINMX, µTorrent (uTP)
Routing Protocols: BGP, OSPF, PIM, RIP v1, RIP v2, RIPng
Streaming: BBC iPlayer, Flash, Icecast, Silverlight, Voddler
Thin Client: Citrix (possibility to recognize Citrix published applications), PC Anywhere, Radmin, RDP, Remote Shell, RFB (VNC), Rlogin, SSH, Telnet, TelnetS, TNVIP, VMWare, X.11
Transferring and Sharing: AIM Transfer, Altiris, CUPS, DCERPC, FTP, FTPS, IPP, JetDirect, LPR, Mainframe CFT, Microsoft ActiveSync, Mount, NFS, NLockMgr, RQuota, RStat, RSync, RUsers, SharePoint, SMB, Sync, TFTP, WINS, YPUpdate
Transport Layer Protocols: IPComp, SCTP, SSL, TCP (with specific recognition for AVG Antivirus Updates, Cisco Unified MeetingPlace, F-Secure Online Backup, GoToMeeting, Sharepoint 2010, TrendMicro Antivirus Updates and Webex), UDP
Tunneling: EtherIP, GRE, GTP, HTTP tunnel, IPSec, L2TP, openVPN, PPP, PPTP, Socks, STUN, XoT
Unified Communications: Adobe Connect, AIM Express, AOL Instant Messenger, Cisco Unified MeetingPlace, Gizmo, GoToMeeting, H.225, H.245, IAX, IBM Lotus Sametime, iCall, IRC, IRCS, Jabber, MGCP, MMS, MPEG-TS, MS Communicator, MSN Messenger, NNTP, NNTPS, ooVoo, PalTalk, Q.931, RDT, RTMP, RTP/RTCP (G.711a, G.711u, G.723, G.729), RTSP, SHOUTcast, SIP, Skinny Client Control Protocol, Skype, UCP, Webex, Yahoo Messenger. Dynamic Codecs (Audio and Video, such as H.264, Speex, etc., by inspection of SIP signalling)
Recognized applications, by type
4. 8. 3. 4. Creating new applications
The system recognizes about 200 protocols (HTTP, ICMP, FTP, RTP/RTCP, H.225, SAP, Citrix, Skype, VMware, ...; refer to the comprehensive list in the tables above). New applications can be created, described by a protocol plus an attribute, possibly on certain subnets or hosts specifically.
Applications that are not recognized by ip|engines, and not explicitly named and enabled in ip|boss’ Applications dictionary, are implicitly grouped on the lower layer protocol (e.g. TCP or UDP).
By clicking on the New button, the creation window of a new application is displayed:
Creation of a standard application
The Application window contains the following input fields:
■ Name: character string used to identify the application,
■ Administrative State:
– Enable: application taken into account,
– Disable: application not taken into account,
■ Protocol: to be chosen from a drop-down list,
■ Attribute: depends on the protocol; this field is enabled or not and allows the access to a list or free fields,
– for TCP or UDP: Port(s): port numbers as they appear in the Server port fields of TCP/UDP headers (either source or destination). This field can contain several ports, separated by a “;”, or a range of ports, separated by a “-”.
– for HTTP: URL (www.ipanematech.com for example)
• Do not start the URL with “http://”.
• You can put a URL like “*.ipanematech.*” (see below).
Syntax:
? : a single character
* : any character string (including empty)
% : shortest word (non empty, separated by spaces)
$ : longest word (non empty, separated by spaces)
; : separator in a list
Examples:
www.google.fr : any URL of the site
www.google.* : all google incarnations (.fr, .com, .de, ...)
www.google.*/*.gif : all .gif documents in any page of any google
*/*.gif : all .gif documents in any page of any server
Specific cases:
host/* : "any" URI
host/ : empty URI
*/full/uri : "any" HOST
/full/uri : empty HOST
– for HTTPS: Common Name (usually the FQDN (Fully Qualified Domain Name) of the web site; it is displayed in the Certificate):
Example of HTTPS Certificate, with “*.ipanematech.com” as a CN
– for Citrix: Application(s): name of published applications (Word, Excel for example) when the applications are not multiplexed in the same TCP session.
– for RTP/RTCP:
Predefined codecs: name of an audio or video codec, to be selected from a drop-down list with predefined codecs:
Predefined codecs
Codec: name of an audio or video codec, to be written with the following syntax: “audio/” or “video/” (for instance, to create the speex codec, enter “audio/speex”). To be able to recognize the “dynamic” codecs (as per RTP), SIP signalling needs to be decoded, so SIP application recognition must be enabled.
– For other protocols, no information is necessary, so there is no attribute.
■ User Subnets filter: this optional parameter can be used to identify an application by the IP address of a server or client, or list of servers or clients (ex: SAP). It is possible to choose the server or client from a drop-down list of the User subnets, or directly:
– User Subnets List: choose the subnet or host in the list of User subnets to be associated with the application by selecting them and pushing them to the right frame with the single right arrow (selected User subnets only) or double right arrow (all User subnets),
– Prefix/Length: set the subnet with the following notation X.X.X.X/Y where X.X.X.X is the IP address and Y the length integer between 0 and 32; a list of IP addresses can be configured (; separator).
– C/S Side: specify if the application must be recognized on the server side or on the client side (it is recognized on the Server side by default).
4. 8. 3. 5. Order of recognition
When describing different applications using the same protocol (e.g. for HTTP: Intranet (= intranet.company.com), Internet corporate (= *.company.com) and Internet (= the rest of http)), place the more specific applications first (the Intranet, then Internet corporate in the example) and the generic one after (the Internet), so that the specific ones can be recognized as such.
This ordering is achieved by selecting an application and by moving it up with the left blue arrow (“move up”) if it is more specific than the one above it, or moving it down with the right blue arrow (“move down”) if it is more generic than the one below it, and by repeating this for as many applications as necessary until they are all sorted from the most specific one (at the top) to the most generic one (at the bottom).
Moving applications to place the more specific ones above the more generic ones
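The HTTP URL syntax of 4.8.3.4 and the ordering rule above, as an added Python example (not Ipanema's implementation). It assumes a URL is handled as `host/uri`, implements only `?`, `*` and the `;` list separator (`%` and `$` are rejected), represents “the rest of http” by the pattern `*`, and uses constructed application entries; all function names are hypothetical.

```python
import re


def _glob(glob, single="."):
    """Compile a pattern component: '*' = any string, '?' = one character."""
    parts = []
    for ch in glob:
        if ch in "%$":
            raise ValueError("'%' and '$' are not handled by this example")
        parts.append(".*" if ch == "*" else single if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def split_pattern(pattern):
    """'host' means any URI of that host; 'host/uri' constrains both parts."""
    host, slash, uri = pattern.strip().partition("/")
    return host.lower(), (uri if slash else "*")


def matches(pattern_list, url):
    """True if the URL ('host/uri', no 'http://') matches one pattern of the list."""
    host, _, uri = url.partition("/")
    for pattern in pattern_list.split(";"):
        p_host, p_uri = split_pattern(pattern)
        if _glob(p_host).fullmatch(host.lower()) and _glob(p_uri).fullmatch(uri):
            return True
    return False


def classify(dictionary, url, default="HTTP"):
    """First match wins, in dictionary order (top entry first)."""
    for name, pattern_list in dictionary:
        if matches(pattern_list, url):
            return name
    return default


def covers(general, specific):
    """Sufficient test that every URL matched by `specific` also matches `general`:
    `general` must match the text of `specific`, where a '*' in `specific`
    can only be absorbed by a '*' in `general`."""
    pairs = zip(split_pattern(general), split_pattern(specific))
    return all(_glob(g, single="[^*]").fullmatch(s) for g, s in pairs)


def shadowed(dictionary):
    """Applications that can never be recognized because entries placed
    above them already cover every one of their patterns."""
    hits = []
    for i, (name, pattern_list) in enumerate(dictionary):
        earlier = [g for _, pl in dictionary[:i] for g in pl.split(";")]
        if all(any(covers(g, s) for g in earlier) for s in pattern_list.split(";")):
            hits.append(name)
    return hits


# Constructed dictionaries, after the Intranet / Internet corporate / Internet example.
ORDERED = [
    ("Intranet", "intranet.company.com"),
    ("Internet corporate", "*.company.com"),
    ("Internet", "*"),
]
MISORDERED = list(reversed(ORDERED))

if __name__ == "__main__":
    url = "intranet.company.com/hr/index.html"
    print(classify(ORDERED, url), "|", classify(MISORDERED, url))
    print("shadowed when misordered:", shadowed(MISORDERED))
```

`covers` is a conservative test: it can miss some shadowing, but an entry it reports is always unreachable under the matching rules assumed here.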
4. 8. 4. Configuring QoS Profiles
Operating procedure table: settings, ip|true service, ip|fast service
This dictionary is used for measurement (ip|true) and for Application Control (ip|fast).
In the Application provisioning Toolbar, select QoS profiles:
The QoS Profiles list window is displayed.
QoS Profiles list window
The settings made in this window define the QoS objectives. A QoS objective associated with an Application Group is used by the system to measure (ip|true) and control (ip|fast) the traffic according to the application requirements.
By clicking on the New icon, the creation window of a new QoS Profile is displayed.
QoS Profiles window
This window contains the following input fields:
■ Name: to identify the QoS profile (character string),
■ Type: to characterize application flow type:
– real-time: real-time flow (VoIP, video) sensitive to delay, jitter and loss,
– transactional: transactional flow (SAP, Telnet), sensitive to delay,
– background: other than those listed above,
■ Session B/W (kbps): to specify the bandwidth per session; the value is used by ip|fast,
– Obj. (objective): nominal bandwidth per session (mandatory parameter). The objective bandwidth per session is operational during congestion.
– Max. (maximum): maximum bandwidth allowed per session (not mandatory).
• If it is not defined, a value of 500 times the Objective is applied. Most of the time, the limit remains the WAN access so the user can rarely experience this parameter. It can only be observed when:
– the customer declares a low objective (e.g. 20 kbps)
– and the WAN access is large, with low activity (e.g. 100 Mbps available)
– and there are only a few sessions (based on that QoS Profile) running at that moment.
• If it is defined, it always applies when ip|fast is enabled (i.e., even when there is no congestion and when ip|fast does not control the bandwidth).
■ Delay (ms), Jitter (ms), Packet loss (%), SRT (server response time, ms), RTT (round trip time, ms), TCP retrans. (%): to specify, for each flow, the Objective and Maximum values for that QoS profile. These parameters are enabled or not by checking the boxes or not,
This information can be used by the Application Group reporting to control the QoS associated with each Application Group.

Measured values | Result
all values < Obj. | Correct
Obj. < at least 1 value < Max. | acceptable
Max. < at least 1 value | unacceptable

Interpretation of Obj. and Max. criteria for Delay, Jitter, Loss, SRT, RTT and TCP retrans.

Name | Type | Session BW (kbps) | Delay (ms) | Jitter (ms) | Packet Loss (%) | RTT (ms) | SRT (ms) | TCP retrans. (%)
Default | Bg | 30-600 | 200-1000 | | 1-10 | 400-2000 | | 1-10
File transfer | Bg | 50-1000 | 500-1000 | | 1-10 | 1000-2000 | | 1-10
Business | Tr | 50-500 | 200-500 | | 1-5 | 400-1000 | | 1-5
Thin client | Tr | 40-400 | 100-500 | | 1-5 | 200-1000 | | 1-5
Mail | Bg | 50-1000 | 500-2000 | | 1-10 | 1000-4000 | | 1-10
Net services | Bg | 20-200 | 100-500 | | 1-10 | 200-1000 | | 1-10
Web | Tr | 40-400 | 200-1000 | | 1-10 | 400-2000 | | 1-10
Voice | RT | 90-120 | 100-200 | 50-100 | 0.2-1 | | |
Video stream. | RT | 150-200 | 200-1000 | | 1-5 | 400-2000 | | 1-5

Ex. of QoS Profiles (Bg: background, Tr: transactional, RT: real-time; in each column: obj.-max.)
4. 8. 5. Configuring Application Groups (AGs)
Operating procedure table: , ip|true, ip|fast, ip|xcomp, ip|xtcp, DWS
Users specify high-level business objectives through Application Groups. The Customer traffic is classified using a mix of the user’s applications and organization data. The Application Group attributes include:
■ business criticality,
■ QoS performance objectives (nominal bandwidth per application session, delay, jitter, packet loss, SRT, RTT and TCP retransmission),
■ the enabling of compression.
The user’s objectives are the only input to the system. There is no need to set low-level, network and device specific policy rules. The Ipanema System performs:
■ the configuration of high-level QoS objectives (ip|boss),
■ the specific reporting to AG (ip|engine, ip|reporter),
■ the control of the application flows in accordance with the AGs (ip|fast),
■ the compression of the flows in accordance with the AGs (ip|xcomp),
■ the TCP acceleration of the flows in accordance with the AGs (ip|xtcp),
■ the Dynamic WAN Selection for the flows in accordance with the AGs (DWS).
Application Groups are independent of ip|true, ip|fast, ip|xcomp, ip|xtcp, DWS and smart|plan services. Application Groups are given in a tree structure; each AG is characterized by:
■ a name,
■ filters to define the rules of traffic classification corresponding to the AG,
■ a criticality level to define the level of criticality associated with the application(s) in this AG,
■ a QoS profile that enables QoS objectives for the application(s) in this AG,
■ the capability to be compressed,
■ the capability to be accelerated.
The position of the Application Groups in the tree structure is important: it determines the classification of the packets. The classification is performed by running down the tree structure. The packet is classified with the first applicable classification met. “Other”, which includes all classifications, is at the end of the tree.
The configuration of the Application Groups is necessary for the good behavior of the Application Control agent, ip|fast.
In the Application provisioning Toolbar, select Application Groups:
The Application Group window is displayed:
Application Group window
This window contains:
■ An Application Groups zone which shows the tree of AGs,
■ A Properties zone which shows the configuration of the selected AG,
■ A table zone which summarizes all the AGs.
By clicking on the New icon, the creation window of an AG is displayed:
New Application Group window
This window contains:
■ A zone displaying the characteristics of the selected Application Group:
– Name of the AG,
– Business criticality: top, high, medium or low,
– Compress: the compression capability for the flows belonging to the AG,
– Accelerate: the TCP acceleration capability for the flows belonging to the AG,
– QoS profile: the QoS profile that will apply to this AG (the QoS profile contains the Type of traffic, the Bandwidth objective and maximum values, the D/J/L, RTT, SRT and TCP retransmit objective and maximum values),
– Sensitivity, Routine or Business: when the sites are connected through various networks (e.g. MPLS and Internet), or use various Network Access Points to the same network, the Sensitivity is used in the path decision to route traffic to a NAP with at least the same Trust Level (defined on the WAN accesses). The DWS option must be activated in the license.
■ A zone with four tabs, to define filtering rules for traffic classification in the corresponding AG:
– Dictionary filters,
– Subnet filters,
– ip|engine filters,
– Advanced.
In this zone, the selection frames depend on the selected tab (see below).
– the left frame shows a list of elements of the Dictionaries (Applications, ToS values), Subnets (source and destination) or ip|engines (ingress and egress) as described in the system and managed by ip|boss,
– the right frame shows the selected filters for the AG.
Select elements (you can select several simultaneously, using the SHIFT or CTRL keys) and move them from one frame to the other with the single arrows, or move all elements at once using the double arrows. A logical “Or” is applied for the different elements inside a filter (for example filter “Applications”: HTTP or HTTPS). A logical “And” is applied for the different types of filters (for example “Applications: HTTP or HTTPS” and “subnet-src=LAN-192”).
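The ordering rule from “Order of recognition” and the first-match, Or/And filter logic of the Application Group tree, as an added Python example (not Ipanema code): it classifies flows and flags entries that a more generic entry placed above them makes unreachable. The host-pattern syntax, the flow fields and the sample dictionary and tree are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed application dictionary: (name, host pattern), most specific first,
# mirroring the manual's HTTP example. The glob syntax is an assumption.
APPLICATIONS = [
    ("Intranet", "intranet.company.com"),
    ("Internet corporate", "*.company.com"),
    ("Internet", "*"),
]

# Constructed Application Group tree, walked top-down. Each AG maps a filter
# type to its accepted values: "Or" inside a filter, "And" between filter types.
APPLICATION_GROUPS = [
    ("Branch intranet", {"application": {"Intranet"}, "subnet_src": {"LAN-192"}}),
    ("Corporate web", {"application": {"Intranet", "Internet corporate"}}),
    ("Other", {}),  # no filter: matches every flow, so it must stay last
]


def first_match(value, ordered_rules, matches):
    """Return the name of the first rule that matches, or None."""
    for name, rule in ordered_rules:
        if matches(rule, value):
            return name
    return None


def recognize_application(host, applications=APPLICATIONS):
    return first_match(host, applications, lambda pattern, h: fnmatchcase(h, pattern))


def ag_matches(filters, flow):
    # Every filter type must accept the flow ("And"); any listed value will do ("Or").
    return all(flow.get(kind) in accepted for kind, accepted in filters.items())


def classify(flow, groups=APPLICATION_GROUPS, applications=APPLICATIONS):
    flow = dict(flow, application=recognize_application(flow["host"], applications))
    return first_match(flow, groups, ag_matches)


def shadowed_applications(applications):
    """Applications that can never be recognized because an earlier, more
    generic pattern already covers every host they describe."""
    shadowed = []
    for index, (name, pattern) in enumerate(applications):
        # Sound for exact names and leading-"*" patterns: the later pattern's
        # own text must match the earlier glob.
        if any(fnmatchcase(pattern, earlier) for _, earlier in applications[:index]):
            shadowed.append(name)
    return shadowed


def shadowed_groups(groups):
    """AGs that can never be reached because an earlier AG accepts a superset."""
    shadowed = []
    for index, (name, filters) in enumerate(groups):
        for _, earlier in groups[:index]:
            # The earlier AG covers this one if each of its filter types is also
            # set here with a subset of the values it accepts.
            if all(kind in filters and filters[kind] <= accepted
                   for kind, accepted in earlier.items()):
                shadowed.append(name)
                break
    return shadowed
```

Running the two `shadowed_*` checks on a configuration before committing it catches the misordering that first-match classification would otherwise hide silently.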
4. 8. 5. 1. “Dictionary filters” tab
Dictionary filters tab
This tab contains two filters:
■ Application,
■ TOS.
This is the main tab to use. The others are optional, and lead to the creation of local rules, so use them with care.
4. 8. 5. 2. “Subnet filters” tab
Subnet filters tab
This tab contains two filters:
■ Sources: User subnets directory to be used as sources,
■ Destinations: User subnets directory to be used as destinations.
By selecting Subnets with this tab, you create local rules that will apply only to those Subnets! Do this only if really needed. Otherwise, use global parameters only (Dictionary filters).
4. 8. 5. 3. “ip|engine filters” tab
ip|engine filters tab
This tab contains two filters:
■ Ingress: ip|engines and tele|engines to be used as sources,
■ Egress: ip|engines and tele|engines to be used as destinations.
By selecting ip|engines with this tab, you create local rules that will apply only to those ip|engines! Do this only if really needed. Otherwise, use global parameters only (Dictionary filters).
4. 8. 5. 4. “Advanced” tab
Advanced tab
This tab contains two additional frames:
Redundancy Elimination Method
■ Zero Delay: ZRE is enabled.
■ Standard: SRE is enabled.
The two options appear only if Compress is checked. By default:

If the type of traffic in the selected QoS profile is: | ... then, by default:
Real time | both methods are disabled (real time traffic is not compressible, usually),
Transactional | only the Zero Delay method is enabled (the Standard method can create a small latency, usually less than 5 ms),
Background | both methods are enabled.

We do not recommend changing the default settings without advice from the Ipanema Support.
smart|path
This frame contains three parameters that can be used to overwrite the global values set in the System provisioning > Tools > Advanced configuration menu. Please refer to 4.9.7. Configuring DWS (Tools / Advanced conf.) for a comprehensive description of each parameter.
■ Sensitivity policy can take four values:
– Default: the global “Sensitivity policy” parameter (in System provisioning > Tools > Advanced configuration) will apply,
– Preferred, Strict or Backup: overwrite the global value for the selected AG.
■ Return path can take three values:
– Default: the global “Return path” parameter (in System provisioning > Tools > Advanced configuration) will apply, with the following correspondence:
• “As received” for “yes”,
• “Free” for “no”.
– As received: overwrites the global “Return path” parameter (corresponds to “yes”) for the selected AG,
– Free: overwrites the global “Return path” parameter (corresponds to “no”) for the selected AG.
■ NAP selection policy can take three values:
– Default: the global “Sticky choice” parameter (in System provisioning > Tools > Advanced configuration) will apply,
– Per session: overwrites the global “Sticky choice” parameter with the “Per session” value for the selected AG,
– Per packet: overwrites the global “Slave return” parameter with the “Per packet” value for the selected AG.
4. 8. 6. Configuring LTL (Local Traffic Limiting)
Operating procedure table: ip|fast service
The LTLs (Local Traffic Limiting) allow traffic limiting rules to be configured for each site, when this is necessary. These rules take the enterprise organization, user subnets and the applications implemented between these different entities into account. They are used by ip|fast (Application Control). These rules are defined for outgoing (LTL Ingress) or incoming (LTL Egress) traffic on the selected site. LTLs are used to:
■ limit the bandwidth used by the different networks of the departments, services (user subnets) or applications according to specific criteria taking the following constraints into account:
– source subnet,
– remote subnet,
– applications,
– TOS/CP values.
Traffic Limiting is given in a tree structure; each LTL is characterized by:
■ a name,
■ filters to define the rules to classify the traffic corresponding to the LTL,
■ a limit on the bandwidth that can be used by the class.
The LTL rules are enabled only if ip|fast is activated on the ip|engine.
In the Application provisioning Toolbar, select LTL.
The Local Traffic Limiting Tree window is displayed.
Local Traffic Limiting Tree window
This window contains an LTL tree structure per ip|engine.
To create a new policy, select the ip|engine and the direction (ingress or egress), then click on the New icon; the creation window of a new LTL is displayed:
Local Traffic Limiting window
This window contains the following input boxes:
■ Name: Name of the LTL policy,
Local Traffic Limiting
■ Maximum bandwidth (kbps): to specify the bandwidth limit for an LTL. If the value 0 is specified, all the traffic is dropped.
■ Limited: to enable or disable the limiting rule,
Filters
Filters allow specifying filtering rules for traffic that are associated with an LTL:
■ Source user subnet: to filter traffic according to source User subnet. It is selected from a drop-down list corresponding to the "User subnets" directory,
■ Destination user subnet: to filter traffic according to destination User subnet. It is selected from a drop-down list corresponding to the "User subnets" directory,
■ Application: to filter traffic according to application(s). It is selected from a drop-down list corresponding to the "Applications" dictionary,
■ TOS/CP: to filter traffic according to the value of the TOS field. This value, specified in the "TOS/CP" dictionary, is selected from a drop-down list.
4. 9. REPORTING
The Reporting menu gives access to three functions: MetaView, reports and Alarming.
4. 9. 1. Configuring MetaViews
Operating procedure table: settings, service ip|true, service ip|reporter
The MetaViews are objects used to show the data according to your criteria (topology, applications...) in order to be used by external reporting tools (including ip|reporter) and to trigger logs, traps or e-mails when certain thresholds are exceeded (Alarming). The MIB will be populated according to the settings of the MetaViews. MetaViews show information about the traffic or availability according to the following criteria:
■ In the Configuration tab:
– a (list of) source site(s),
– a (list of) source site(s) and a (list of) destination site(s),
– a (list of) source ip|engine report key(s),
– a (list of) source ip|engine report key(s) and a (list of) destination ip|e report key(s),
– a (list of) source Network Access Point(s),
– a (list of) source NAP(s) and a (list of) destination NAP(s),
– a (list of) source WAN access report key(s),
– a (list of) source WAN access report key(s) and a (list of) destination WAN access report key(s),
■ In the User subnets tab:
– a (list of) source user subnet(s),
– a (list of) source user subnet(s) and a (list of) destination user subnet(s),
■ In the Traffic classification tab:
– a (list of) application(s),
– a (list of) Application Group(s),
– a (list of) criticality(ies),
■ and any complex definition with the previous parameters, using several fields and, possibly, several tabs.
For example, a MetaView can aggregate the data on the Domain (no filter), but another MetaView could detail the behavior between 2 subnets and a particular application. ip|reporter uses the MetaViews for the reports creation and data collection. Two modes of MetaView creation are available:
■ unitary mode: lets you create MetaViews one by one with your own naming rules. This mode can be used to create a troubleshooting MetaView with complex filters (for example a destination site, a source site and a specific application),
■ wizard mode: lets you create a large number of MetaViews with automatic naming rules and simple filters (for example: one MetaView for each user subnet of the Domain).
MetaViews for the Domain, for the Equipped sites, for the tele-managed sites and for the Application Groups are automatically created by the system (as soon as a new Domain, a new Equipped site, a new tele-managed site or a new Application Group is created, respectively).
The MetaView name is used by ip|reporter to name the instances of the reports.
In the Reporting Toolbar, select MetaView.
The MetaView window is displayed.
MetaView list window
This window contains the list of MetaViews created and the parameters of each one.
4. 9. 1. 1. MetaView creation in unitary mode
By clicking on the New icon, the creation window is displayed.
MetaView creation window
This window contains:
■ The Name of the MetaView, used by ip|reporter to name the instances of the reports,
■ The Description: optional text field,
■ The Type: as this function is used to create a MetaView on demand, the field always displays “on demand”.
■ A zone with three tabs:
– Configuration,
– User Subnets,
– Traffic classification.
Each tab contains two frames:
■ the left frame shows a list of elements (Sites, ip|engines, Keys, User subnets, Applications, AGs, etc.), as described in the system and managed by ip|boss,
■ the right frame shows the selected elements for the MetaView.
A logical “Or” is applied for the different elements inside a filter. A logical “And” is applied for the different types of filters.
Select the elements you want to move and use the single arrows to move them from one frame to the other, or use the double arrows to move them all at once.
"Configuration" Tab
This tab (screenshot above) comprises the filters which define the rules of traffic topologies corresponding to the MetaView (from Site A to Site B, etc.). It contains the following areas:
■ Site A: displays the Sites list as described in the configuration,
Reminder: MetaViews for the Sites are automatically created by the system.
■ Site B: displays the Sites list as described in the directory,
Selecting Sites A1 and A2 in “Site A” and Sites B1 and B2 in “Site B” will show the traffic between Sites [A1 or A2] and [B1 or B2]. This principle also applies to all objects below.
■ ip|engine A: displays the ip|engines and tele|engines list as described in the configuration,
Reminder: MetaViews for the ip|engines are automatically created by the system.
■ ip|engine B: displays the ip|engines and tele|engines list as described in the directory,
■ Engine Report Key A: displays the ip|engine report key list as described in the configuration,
■ Engine Report Key B: displays the ip|engine report key list as described in the configuration,
■ WAN Access Id A: displays the Network Access Points list as described in the configuration,
■ WAN Access Id B: displays the Network Access Points list as described in the configuration,
■ WAN Access Report Key A: displays the WAN Access report key list as described in the configuration,
■ WAN Access Report Key B: displays the WAN Access report key list as described in the configuration,
"User Subnets" Tab
User Subnets Tab
This tab comprises the filters which define the rules of traffic topologies corresponding to the MetaView (From User Subnet A to User Subnet B). It contains the following areas:
■ User Subnet A: displays the User subnets list as described in the configuration,
■ User Subnet B: displays the User subnets list as described in the configuration. This list is available only if at least one subnet in User Subnet A is selected.
"Traffic classification" Tab
Traffic classification Tab
This tab comprises the filters which define the rules of traffic classification corresponding to the MetaView. It contains the following areas:
■ Application: displays the applications list as described in the configuration,
■ Application Group: displays the AGs list as described in the configuration,
Reminder: MetaViews for the Application Groups are automatically created by the system.
■ Criticality: displays the criticality list as described in the configuration (from Top to Low).
4. 9. 1. 2. MetaView creation in wizard mode
By clicking on the Wizard icon, the multiple creation window of MetaViews is displayed.
Wizard MetaView window
This window contains:
■ A zone with three tabs:
– Configuration,
– User Subnets,
– Traffic Classification.
Each tab contains two frames:
■ the left frame shows a list of elements (ip|engines, Keys, User Subnets, Application Groups, etc.) as described in the system and managed by ip|boss,
■ the right frame shows the selected elements for the MetaViews.
Select the elements you want to move and use the single arrows to move them from one frame to the other, or use the double arrows to move them all at once. When several elements are selected in each list, the system creates the MetaViews for the combinations of the selected criteria.
The wizard mode automatically manages the naming rules, depending on the selected elements.
"Configuration" Tab (see screenshot above)
This tab comprises the filters which define the rules of traffic topologies corresponding to the MetaViews (From/to Site A, from/to Key ). It contains the following areas:
■ Site: displays the Sites list as described in the configuration,
Reminder: MetaViews for the Sites are automatically created by the system.
■ ip|engine: displays the ip|engines and tele|engines list as described in the configuration,
Reminder: these MetaViews are automatically created by the system.
■ Key: displays the ip|engines report keys list as described in the configuration,
■ WAN Access id: displays the Network Access Points as described in the configuration,
■ Network report key: displays the WAN access report keys as described in the configuration.
"User subnets" Tab
User Subnets Tab
This tab comprises the filters which define the rules of traffic topologies corresponding to the MetaView (From/to User Subnets). It contains the following area:
■ User Subnets: displays the User subnets list as described in the configuration.
"Traffic classification" Tab
Traffic classification Tab
This tab comprises the filters which define the rules of traffic classification corresponding to the MetaViews. It contains the following areas:
■ Application: displays the applications list as described in the configuration,
■ Application Group: displays the Application Groups list as described in the configuration,
Reminder: Application Groups MetaViews are automatically created by the system.
■ Criticality: displays the criticality list as described in the configuration (from Top to Low).
4. 9. 2. Configuring Reports
Refer to 9.2.5. Reports Management.
4. 9. 3. Configuring Alarming
Operating procedure table: settings, service ip|true
The Alarming feature uses the MetaViews for the alarms creation.
In the Reporting Toolbar, select Alarming.
The Alarming window is displayed:
Alarming window
This window contains three frames:
■ Rule: the list of created rules on the Domain,
■ Alarm: the list of created alarms based on those rules,
■ Help: available metrics: the metrics and operators to be used in the rules.
An alarm is the instantiation of a rule (when does the alarm trigger/rearm?) on a MetaView (on what objects - sites, Application Groups, etc. - does the rule apply?). Creating an alarm is achieved in three steps:
■ creating a rule,
■ associating a rule to a MetaView,
■ activating logs and/or mails and/or traps on alarming events.
4. 9. 3. 1. Rule creation
By clicking on the New button in the Rule frame, the AlarmRule creation window is displayed:
AlarmRule creation window
This window contains an input zone with the following fields:
■ Name: name of the rule; it must be unique.
■ A Trigger frame, to define the rule that will trigger the alarm:
– Trigger threshold: the threshold that will trigger the alarm,
– Trigger occurrences: the number of consecutive collects (by default, 1 collect = 1 minute; refer to the section Create a Domain) during which this threshold must be reached before the alarm triggers.
■ A Rearm frame, to define the rule that will rearm the alarm:
– Rearm threshold: the threshold that will rearm the alarm,
– Rearm occurrences: the number of consecutive collects (by default, 1 collect = 1 minute) during which this threshold must be reached before the alarm rearms.
■ Actions: 3 check boxes to activate (when the boxes are checked):
– a Log
– and/or a Mail
– and/or a Trap
when an alarm triggers or rearms.
■ Severity: to choose the severity of the alarm:
– Clear: establishment of a normal status,
– Information: informational messages,
– Warning: possible error or incident; e.g. good (but not excellent) quality (AQS < 9),
– Minor: low-priority error or incident; e.g. average quality (AQS < 8.4),
– Major: high-priority error or incident; e.g. poor quality (AQS < 7),
– Critical: very high-priority error or incident; e.g. unacceptable quality (AQS < 5).
■ Description: text description of the alarm.
When a rule is created, the system automatically assigns it an Identifier, which can be seen in the Alarming window (Ident).
Rules syntax
The description of a threshold must respect the following grammar:
exp ::= prefixexp
exp ::= number
exp ::= exp binop exp
exp ::= unop exp
prefixexp ::= var | ’(’ exp ’)’
■ Numbers can be integers or decimals. Examples: 0; 3; 3.14156; 10
■ Variables (var) represent the metrics. Naming rule: []__metric.

Metric family | Variables
Throughput (kbps). 6 metrics: | __throughput lan__goodput
Bandwidth (kbps). 2 metrics: | ingress_wan_access_ingress egress_wan_access_egress
Number of sessions (per second). 2 metrics: | lan__sessions
Delay (ms). 12 metrics: | __min_delay __avg_delay __max_delay
Jitter (ms). 4 metrics: | __jitter
Loss rate (%). 4 metrics: | __packet_loss
RTT (ms). 6 metrics: | _tcp_rtt_min _tcp_rtt_avg _tcp_rtt_max
SRT (ms). 6 metrics: | _tcp_srt_min _tcp_srt_avg _tcp_srt_max
TCP retransmission (%). 2 metrics: | _tcp_retransmit
Quality (AQS: 0–10, MOS: 1–5). 4 metrics: | _aqs mos_

Available metrics (48)
Examples:
– “lan_ingress_packet_loss > 5”: the LAN ingress loss rate is higher than 5%
– “wan_egress_throughput > 100”: the WAN egress throughput is higher than 100 kbps
– “wan_ingress_throughput > 0.8 * ingress_wan_access_ingress”: the ingress WAN access is used at more than 80% of its capacity.
■ Binary and unary operators (binop and unop) consist of arithmetical, relational and logical operators.

Arithmetical operators
+ | addition
- | subtraction
* | multiplication
/ | division
% | modulo
- | negation (unary)
Relational operators
== | equal to
< | less than
> | greater than
>= | greater than or equal to
Logical operators
and
or
not (unary)

Operators
Priorities between operators are (from low priority to high priority):
– 1. or
– 2. and
– 3. < > >= ~= ==
– 4. + -
– 5. * / %
– 6. not - (unary)
A rule is validated when committed; a mistake will trigger an Error message window.
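The rule grammar, the operator priorities and the trigger/rearm occurrence counts described above, as an added Python example (not ip|boss code): a small evaluator that applies the six priority levels, then replays per-minute collects through one alarm. Only the operators that appear on this page are implemented; the `evaluate`, `Alarm` and `replay` names and the sample collects are constructed for illustration.

```python
import operator
import re

# Binary operators by priority level, lowest first (only those listed on this page).
LEVELS = [
    {"or": lambda a, b: bool(a) or bool(b)},
    {"and": lambda a, b: bool(a) and bool(b)},
    {"<": operator.lt, ">": operator.gt, ">=": operator.ge,
     "~=": operator.ne, "==": operator.eq},
    {"+": operator.add, "-": operator.sub},
    {"*": operator.mul, "/": operator.truediv, "%": operator.mod},
]
BINARY = {op: (level, fn) for level, ops in enumerate(LEVELS) for op, fn in ops.items()}
UNARY_LEVEL = len(LEVELS)  # "not" and unary "-" bind tighter than any binary operator
TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(>=|~=|==|[-+*/%<>()]))")


def tokenize(rule):
    """Split a rule into (kind, value) pairs, kind being num, var or op."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        match = TOKEN.match(rule, pos)
        if match is None:
            raise ValueError(f"invalid rule near {rule[pos:]!r}")
        number, word, symbol = match.groups()
        if number:
            tokens.append(("num", float(number)))
        elif word:
            tokens.append(("op" if word in ("and", "or", "not") else "var", word))
        else:
            tokens.append(("op", symbol))
        pos = match.end()
    return tokens


def evaluate(rule, metrics):
    """Evaluate a threshold expression against one collect of metric values."""
    tokens, pos = tokenize(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def operand():
        nonlocal pos
        kind, value = peek()
        pos += 1
        if kind == "num":
            return value
        if kind == "var" and value in metrics:
            return metrics[value]
        if kind == "op" and value == "(":
            inner = expression(0)
            if peek() != ("op", ")"):
                raise ValueError("missing ')'")
            pos += 1
            return inner
        if kind == "op" and value in ("not", "-"):
            inner = expression(UNARY_LEVEL)
            return (not inner) if value == "not" else -inner
        raise ValueError(f"unexpected or unknown token {value!r}")

    def expression(min_level):
        nonlocal pos
        left = operand()
        while peek()[0] == "op" and peek()[1] in BINARY:
            level, fn = BINARY[peek()[1]]
            if level < min_level:
                break
            pos += 1
            left = fn(left, expression(level + 1))  # level + 1: left-associative
        return left

    result = expression(0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {peek()[1]!r}")
    return result


class Alarm:
    """A rule applied to one MetaView, with trigger and rearm occurrence counts."""
    def __init__(self, trigger, trigger_occurrences, rearm, rearm_occurrences):
        self.rules = {False: (trigger, trigger_occurrences), True: (rearm, rearm_occurrences)}
        self.active = False  # True between a "trigger" and the next "rearm"
        self.streak = 0      # consecutive collects meeting the awaited threshold

    def collect(self, metrics):
        """Feed one collect; return "trigger", "rearm" or None."""
        rule, needed = self.rules[self.active]
        self.streak = self.streak + 1 if evaluate(rule, metrics) else 0
        if self.streak < needed:
            return None
        self.active, self.streak = not self.active, 0
        return "trigger" if self.active else "rearm"


# Constructed sample: ten one-minute collects of LAN ingress packet loss (%).
SAMPLE_LOSS = [2, 6, 7, 3, 6, 6, 6, 4, 2, 2]


def replay(alarm, losses=SAMPLE_LOSS):
    return [alarm.collect({"lan_ingress_packet_loss": loss}) for loss in losses]
```

With a trigger of “lan_ingress_packet_loss > 5” over 3 occurrences and a rearm of “lan_ingress_packet_loss < 3” over 2, the two-collect burst at the start of the sample raises nothing; the alarm triggers on the seventh collect and rearms on the tenth.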
4. 9. 3. 2. Alarm creation in unitary mode
By clicking New in the Alarm frame, the single Alarm creation window is displayed:
Single Alarm creation window
This window contains an input zone with the following fields:
■ Rule: drop-down list, to choose the rule to apply.
■ MetaView: drop-down list, to choose the MetaView on which the rule will apply.
■ Administrative state: to enable or disable the selected rule on the selected MetaView.
4. 9. 3. 3. Alarm creation in wizard mode
This creation mode lets you create a package of alarms for several MetaViews. This mode could be used in the initial creation step (instead of the unitary mode). By clicking on the Wizard in the Alarm frame, the multiple creation window of Alarms is displayed:
Alarm creation Wizard window
This window contains:
■ a zone with multiple selection for the Alarm rules,
■ a zone with multiple selection for the MetaViews.
The first area (on the left) shows the list of elements (Alarm rules and MetaViews), the second area (on the right) shows the selected elements. Use the “+” and “-” signs to move the selected elements from the left to the right and from the right to the left, respectively (or click “Select All” or “Unselect All” to move them all at once).
When several elements are selected in each list, the system creates the Alarms for the combinations of the selected criteria.
4. 9. 3. 4. Enabling logs/mails/traps
So that alarming events can be logged and/or sent by e-mail and/or trapped, according to the selected Actions, Log and/or Mail and/or Trap must be enabled in the Options window (see OPTIONS - FAULT MANAGEMENT below).
4. 9. 3. 5. Operation
Using the alarms triggered by ip|boss is achieved with external tools, according to the selected Actions:
■ text editor or script for the logs,
■ e-mail client for the mails,
■ SNMP manager for the traps.
When an alarm is triggered or rearmed, the following information is available (in a log, an e-mail or a trap):
■ the name of the Domain,
■ the rule identifiers (Ident and Name),
■ the MetaView (Ident and Name),
■ the ip|engine (Name and public IP address),
■ the rule with the value of the metrics; for example, if the rule “wan_egress_throughput > 1000” triggered an alarm because its value is 2000, it is displayed like this: “wan_egress_throughput [2000] > 1000”.
Alarms are sent in pairs: “trigger” when the first threshold is reached, “rearm” when the second is.
■ In the logs and traps, one line is generated per alarm.
■ For the mail, only one mail is sent, containing all the alarms.
SNMP trap: example
4. 10. SUPERVISION OPTIONS
4. 10. 1. Configuring Fault Management
Operating procedure table
In the Supervision Toolbar, select Options.
The Options window is displayed:
Options window
This window contains three tabs:
■ Activation: specify how to manage the Supervision events and the Traffic alarming events.
■ Mail (e-mail): Supervision and/or Traffic alarming events can be mailed to a list of recipients configured in ip|boss; it uses its own mailing command.
■ Trap (SNMP Trap): Fault management traps generated by ip|boss on Supervision and/or Traffic alarming events are sent to configured SNMP managers.
It gives access to the fault management parameters.
You can manage the Supervision events. They consist of an alarm (log, mail or trap) in case of system events like:

Event | Description
LicenseExpiration | ip|boss license expiration will occur
Start | ip|boss has been started
Stop | ip|boss has been stopped
Update | ip|boss has been updated
Upgrade | an ip|engine has received upgrade order
Reboot | an ip|engine has been rebooted
BeginOfDownStatus | an ip|engine is down
EndOfDownStatus | an ip|engine is up after a previous down status
BeginOfSynchronizationLoss | an ip|engine has lost its synchronization
EndOfSynchronizationLoss | an ip|engine is up after a previous synchronization loss
CertificateExpiration | ip|boss X509 certificate expiration will occur
RestartByRecover | ip|boss has been restarted by recover mode
IpReporterManagerIsDown | ip|reporter “Manager service” is down
IpReporterCollectorIsDown | ip|reporter “Collector service” is down
IpReporterBrowserIsDown | ip|reporter “Browser service” is down
IpReporterManagerIsUp | ip|reporter “Manager service” is up
IpReporterCollectorIsUp | ip|reporter “Collector service” is up
IpReporterBrowserIsDown | ip|reporter “Browser service” is down
IpReporterBrowserIsUp | ip|reporter “Browser service” is up
BeginOfNotReachableStatus | an ip|engine is physically down (network link is down)
EndOfNotReachableStatus | an ip|engine is physically up after a previous physical down status
MetaViewColors | the MetaView is green
BeginOfCompressDownStatus | an ip|engine has compression down
EndOfCompressDownStatus | an ip|engine has compression up
BeginOfUncompressDownStatus | an ip|engine has uncompression down
EndOfUncompressDownStatus | an ip|engine has uncompression up
BeginOfLanLinkDownStatus | an ip|engine has LAN interface down
EndOfLanLinkDownStatus | an ip|engine has LAN interface up
BeginOfWanLinkDownStatus | an ip|engine has WAN interface down
EndOfWanLinkDownStatus | an ip|engine has WAN interface up

Events (ip|engines are identified with Alias, IP Address and Domain name)
You can manage the Traffic alarming events. They consist of an alarm (log, mail or trap) in case of an alarm triggered or rearmed (see CONFIGURING ALARMING above).
The Options window contains three tabs:
4. 10. 1. 1. "Activation" tab
Activation tab
The tab contains three frames:
Log
■ Supervision events (see above):
– Enable: to log the Supervision events in ip|boss’ log file,
– Disable: not to log the Supervision events.
■ Traffic alarming events (see above):
– Enable: to log the Alarming events in ip|boss’ log file,
– Disable: not to log the Alarming events.
Mail
■ Supervision events:
– Enable: to send e-mails on Supervision events,
– Disable: not to send e-mails on Supervision events.
■ Traffic alarming events:
– Enable: to send e-mails on Alarming events,
– Disable: not to send e-mails on Alarming events.
Trap
■ Supervision events:
– Enable: to trap the Supervision events,
– Disable: not to trap the Supervision events.
■ Traffic alarming events:
– Enable: to trap the Alarming events,
– Disable: not to trap the Alarming events.
4. 10. 1. 2. "Mail" tab
Mail tab
This tab contains three fields:
■ Sender address: to define the sender e-mail address; this field must be filled in,
■ Outgoing mail server (SMTP): to define the outgoing mail server,
■ Recipients: to see the list of destinations (use the New button to add some entries).
– E-Mail: e-mail address of the destination.
An alarm message gives the following data:
■ Subject: ip|boss, the Origin (see table above) and the alarm type,
■ Alarm timestamp (time when alarm was detected),
■ description: optional comments on the alarm.
The Origin and Type fields are included in the subject of the mail. The Description field is included in the body of the mail. The Field format is .
Mail examples:

Object: HMS: ip|boss - OSS - Cold Start
Date: 26/03/02 13:42:42 Paris, Madrid
From: [email protected]
To: [email protected]
ip|boss System has been started by DOC on 26/03/2002 at 13:43:47. Conf file is: C:\program files\server\domains\HMS\config\__active__.ipmconf.

Object: HMS: ip|boss - OSS - Stop
Date: 26/03/02 13:43:52 Paris, Madrid
From: [email protected]
To: [email protected]
ip|boss System and ip|engine have been stopped by DOC on 26/03/2002 at 13:45:11.

Object: HMS: ip|boss - ip|engine - End of ip|fast down status
Date: 26/03/02 14:06:25 Paris, Madrid
From: [email protected]
To: [email protected]
ip|fast is up on following ip|e on 26/03/2002 at 14:07:43: HQ (192.169.0.100)
4. 10. 1. 3. "Trap" tab
Trap tab
This tab contains the following field:
■ Hostname: hostname or IP address of the SNMP manager (use the New button to add entries).
4. 11. SYSTEM ADMINISTRATION
4. 11. 1. Configuring Automatic reporting
Refer to 9.2.5. Reports Management.
4. 11. 2. Configuring Security
Ipanema System security features are based on SSL and SSH protocols, plus tools for key generation and distribution. ip|boss to ip|engines communications are secured. SSL protocol is used for downloading the configuration file from ip|boss to ip|engines, monitoring of ip|engines by ip|boss and collecting the measurement data from ip|engines. Both authentication and encryption are used. The HTTPS protocol is used for the exchanges. Ipanema System allows for three different security levels to be implemented.
4. 11. 2. 1. First level (default mode)
The customer uses the default factory certificate (Qosmart). Communications are secured. Nevertheless, as the certificate is not unique to the customer, the security level is not at its maximum. To start Ipanema System, just make the configuration and start the session.
4. 11. 2. 2. Second level
The customer defines his own certificate. This is done centrally from ip|boss or from a customer’s certificate generator. Certificate installation on ip|engines is handled from ip|boss and does not require local access to the ip|engines. Communications are secured. Unauthorized people will not be able to enter the system nor to read and interpret configuration or measurement data.
Procedure
■ 1. In the Toolbar, select Security and go to the Certificate generation tab.
■ 2. Define the key/certificate name and its characteristics in the Certificate generation window. The Validity Period parameter is displayed in the About window.
■ 3. Select the tab Configuration.
■ 4. Define the encryption (algorithm) in the Configuration window. Click on OK.
■ 5. The key/certificate files are recorded in the directory ~/ipboss/server/domains/ /Security. It is recommended to make a backup on an external media.
■ 6. The second level of security is taken into account. Several minutes are necessary to activate it on the ip|engines.
■ 7. The customer can see the ip|engines’ status by selecting Tools in the Toolbar, then the Security status tab.
4. 11. 2. 3. Third level
The customer defines his own certificate AND a passphrase. This requires not only an ip|boss certificate installation, but also local access to all ip|engines in order to set up the passphrase configuration. Communications are secured. The combination of certificate and local passphrase provides the highest level of security, provided that the passphrase is properly managed.
Procedure
■ 1. The procedure (steps 1 to 5) is similar to the procedure of the second level, except that the customer selects and defines a passphrase in the Security/Certificate Generation window.
■ 2. Configure the associated ip|engines. THE SAME PASSPHRASE MUST BE USED for the ip|boss and the ip|engine to allow the SSL connections between ip|boss and ip|engine. This passphrase should be configured on all ip|engines of the Domain.
■ 3. Before using this command, check with the system Administrator to obtain the same passphrase as ip|boss.
– Command usage:
sslpassphrase
usage: sslpassphrase set
sslpassphrase reset
Copyright (c) Ipanema Technologies 2000-2005
– Set the passphrase:
sslpassphrase set
Enter old SSL passphrase:
Enter new SSL passphrase: *******************
Confirm new SSL passphrase: ******************
Passphrase has been changed
Do you want to restart HTTP Server with new passphrase now [y/n]? y
4. 11. 2. 4. Configuring ip|boss-ip|engines security
Operating procedure table: Management
In the System administration Toolbar, select Security.
The security of ip|boss-ip|engines communication is managed by ip|boss and is defined by:
■ the keys and certificates generation,
■ the algorithm (security level according to the laws) selection.
To secure these communications, the user:
■ step 1) defines the certificate name. Under this name, 4 files are generated:
– the private key: .isk (Ipanema Server Key) in the Security directory (~/ipboss/server/domains//Security). If a passphrase was provided, the key has been encoded with the passphrase in the file. The same passphrase should also be entered on all ip|engines of the Domain.
– the certificate: _isc.crt (Ipanema Server Certificate) in the Security directory (~/ipboss/server/domains//Security) corresponding to the created key,
– the private key: .ick (Ipanema Client Key) in the Security directory (~/ipboss/server/domains//Security),
– the certificate signed by the key: _icc.crt (Ipanema Client Certificate) in the Security directory (~/ipboss/server/domains//Security) corresponding to the created key,
■ step 2) defines the algorithm (encoding mode or not) used for communication encryption between ip|boss and ip|engines; ip|boss adds the ip|engine certificate to the authorized certification list.
4. 11. 2. 4. 1. "Security certificates generation" tab
Operating procedure table: Management
In the Toolbar, select Security and go to the Security certificate generation tab.
The Security certificate generation window is displayed.
Security certificate generation window
This window contains:
■ Certificate group box with the Name: name (without extension) of the key/certificate,
■ Key group box with:
– the field Size: choice of the key size: 512, 1024 (by default), 2048,
– the field Passphrase: to enter the passphrase (optional; check the box to enter it). The selection displays the Security Generation dialog box.
If used, the same passphrase must be used for ip|boss and all the ip|engines of the Domain.
■ Identification group box with:
– Country name (2 letter code)
– State or province name (full name)
– Locality name (eg. city)
– Organization name (eg. company)
– Organization unit name (eg. section)
– Common name (eg. YOUR name)
– Email address
– Validity period (in months): choice of the validity period of the security certificate: 6, 12, 18 (by default), 24, always (until 2037)
All the fields should be filled in.
■ and command buttons:
– Ok: to generate the private and public keys (Server and Client) with the associated certificates (Server and Client), recorded in files stored in the Security directory,
– Close: to cancel any changes made,
– Help.
4. 11. 2. 4. 2. "Configuration" tab
Operating procedure table: Management
In the Toolbar, select Security and go to the Configuration tab.
The Configuration window is displayed.
Configuration window
The configuration specifies to ip|boss which certificate of the Security directory to use and which algorithm to associate in SSLv3 with RSA authentication. This window defines the encryption applied to the communications. The window contains:
■ Certificate group box with the Name: name (without extension) of the key/certificate to choose in the drop-down list. With this name, ip|boss finds the .isk, .isc, .ick and .icc files.
■ Algorithm group box: check the corresponding box (Selection) to select the encryption algorithms to be applied between ip|boss and the ip|engines. The algorithms are listed in security level order; NULL SHA is selected by default.
CHAPTER 5. IPANEMA SYSTEM SUPERVISION (IP|BOSS)
Document organization
This chapter gives access to the system software application procedures: starting/closing applications, ip|engines and security supervision, upgrading the software version, rebooting ip|engines and launching scripts.
5. 1. IP|BOSS MAIN WINDOW
The Ipanema System supervision is accessible from ip|boss’ main window, through the status zone and the Supervision menu, which gives access to more detailed information.
ip|boss main window (web client)
In case of an error, the concerned indicator light in the status zone at the bottom of the window is displayed in amber or red. Please refer to 4.2.4. ip|boss status zone for a detailed description of the indicators.
5. 2. SUPERVISION
5. 2. 1. ip|engine status (monitoring ip|engines activity)
Operating procedure table: Management
In the Supervision Toolbar, select ip|engine Status.
The ip|engine Status window is displayed.
ip|engine Status window
5. 2. 1. 1. ip|engine status window
The ip|engine Status window gives the following information on each ip|engine (other columns can be added; please refer to the next section, ip|engine supervision details, to see all existing fields):
■ ip|engine: name of the ip|engine,
■ Status: administrative status of each ip|engine:
– up: the ip|engine is operational,
– down: the ip|engine is not operational:
• down - unreachable: the system cannot see the ip|engine, it is periodically interrogated,
• down - not configured: the ip|engine can be seen, but it has not been configured. Periodic attempts of reconfiguration are made,
• down - not started: the ip|engine can be seen but has not started correctly. It is periodically restarted,
■ Synchronized: time synchronization status:
– yes: the ip|engine is synchronized,
– no: the ip|engine is not synchronized,
■ Discovery: discovery status:
– up: the discovery agent is running on the ip|engine,
– nothing: no discovery agent is running,
■ Application Control: Application Control status:
– up: the Application Control service is operational for the ip|engine,
– down: the Application Control service is not operational,
– nothing: the Application Control service is not available,
■ Compression: compression status:
– up: the compression service is operational for the ip|engine,
– down: the compression service is not operational,
– nothing: the compression service is not available for the ip|engine,
■ Decompression: decompression status:
– up: the decompression service is operational for the ip|engine,
– down: the decompression service is not operational,
– nothing: the decompression service is not available for the ip|engine,
■ TCP acceleration: TCP acceleration status:
– up: the TCP acceleration service is operational for the ip|engine,
– down: the TCP acceleration service is not operational,
– nothing: the TCP acceleration service is not available for the ip|engine,
■ Protocols acceleration: CIFS acceleration status:
– up: the CIFS acceleration service is operational for the ip|engine,
– down: the CIFS acceleration service is not operational,
– nothing: the CIFS acceleration service is not available for the ip|engine,
■ Mobile Agents: IMA status:
– up: the IMA service is operational for the ip|engine,
– down: the IMA service is not operational,
– nothing: the IMA service is not available for the ip|engine,
■ Interface(s) with error(s) detected: indicates whether errors were detected on the various interfaces of the ip|engine; more details can be obtained for a given ip|engine, interface by interface, in the single ip|engine status window (described below):
– yes: errors were detected on some interfaces,
– no: no error was detected on any interface,
■ Overload: overload status:
– yes: the ip|engine is overloaded, the WAN traffic exceeds the ip|engine specifications (see the ip|engine characteristics),
– no: the ip|engine is not overloaded,
■ CPU (%): ip|engine load average during the last collect period,
■ Topology warnings: number of warnings related to the topology; a warning is raised each time an abnormal event is detected between any two sites during the last polling period, regardless of the number of impacted hosts; the first 20 hosts concerned are displayed in the message; refer to the Single ip|engine status window’s third tab (described below) for more details.
The displayed columns can be changed with the menu View/Choose columns.
5. 2. 1. 2. Single ip|engine status
By selecting an ip|engine’s line in the ip|engine status window (see the note below) and clicking the Consult icon, or by double clicking on a line, the selected ip|engine’s Status window is displayed.
To select an ip|engine’s line, click on the line, but not on the ip|engine’s name, which would open the corresponding ip|engine’s configuration window.
This window is made of four tabs and provides the following information for the selected ip|engine:
General tab:
Single ip|engine status window, first tab
■ ip|engine: name of the ip|engine,
■ Status: administrative status of the ip|engine:
– up: the ip|engine is operational,
– down: the ip|engine is not operational:
• down - unreachable: the system cannot see the ip|engine, it is periodically interrogated,
• down - not configured: the ip|engine can be seen, but it has not been configured. Periodic attempts of reconfiguration are made,
• down - not started: the ip|engine can be seen but has not started correctly. It is periodically restarted,
■ Overload: overload status:
– yes: the ip|engine is overloaded, the WAN traffic exceeds the ip|engine specifications (see the ip|engine characteristics),
– no: the ip|engine is not overloaded (normal state),
■ CPU (%): ip|engine load average during the last collect period,
■ Version: ip|agent software version and type release of the ip|engine,
■ Serial Number: ip|engine’s Serial Number,
■ Overload (diagnostics): it should normally read “Normal”; otherwise the ip|engine is overloaded.
Services tab: this tab contains 7 frames:
Single ip|engine status window, second tab
Synchronization
■ Synchronized:
– yes: the ip|engine is synchronized (normal state),
– no: the ip|engine is not synchronized,
■ Source: synchronization source:
– network: time synchronization is acquired via the network, thanks to ITP (Ipanema Time Protocol),
■ Server:
– name or IP address of the synchronization server,
– n/a: not available,
■ Offset (ms): estimated synchronization offset from ITP server (time difference between synchronizing and synchronized units); by default, an ip|engine is synchronized when the offset is less than 10 ms,
■ Delay (ms): average round trip delay between the ip|engine and its ITP server,
■ Frequency (ppm): local oscillator free running frequency difference with the synchronization source,
■ Synchronization (diagnostics): there is no diagnostic message by ip|sync to date.
Application Visibility
■ Discovery: discovery status:
– nothing: no discovery agent is running on the ip|engine,
– yes: a discovery agent is running on the ip|engine,
■ Measure (diagnostics): last diagnostic message by ip|true (’Alarm’ in the real-time flows list is at ’yes’, if any):
– nothing: no diagnostic message by ip|true (normal state),
– OutOfTicket: there are no more up tickets,
– OutOfBuffer: the driver is overloaded,
– WanOverload: the packets received by the ip|engine on its WAN interface are more than it is capable of handling,
– TooManyFlow: the maximum number of sessions has been reached (depends on the ip|engine range),
– PktOverload: Ethernet RX overrun,
– CPUOverload: CPU overrun,
– LanIntfDown: the LAN interface of the ip|engine is down,
– WanIntfDown: the WAN interface of the ip|engine is down,
– OutOfAppCnx: the maximum number of sessions of the application recognition syntax engine has been reached.
■ Discovery (diagnostics): there is no diagnostic message for the Discovery function to date.
ip|fast
■ Application Control: ip|fast status:
– nothing: ip|fast is not available,
– up: ip|fast is operational for the ip|engine,
– down: ip|fast is not operational,
■ Application Control (diagnostics): last diagnostic message by ip|fast (’Alarm’ in the real-time flows list is at ’yes’, if any):
– nothing: no diagnostic message by ip|fast (normal state),
– ip|fast unreachable from ip|true: ip|fast is not working (transitory state),
– ip|engine set in parallel mode: ip|fast was started on an ip|engine set in parallel mode,
– current state is xxxx (where xxxx can be Initial, Configuring, Configured, Stopping, Resetting or Unknown): ip|fast has not been started while it should have been; ip|true tries to start it until it succeeds (transitory state).
ip|xcomp
■ Compression: ip|xcomp compression status:
– nothing: ip|xcomp compression service is not available,
– up: the compression service is operational for the ip|engine,
– down: the compression service is not operational,
■ Decompression: ip|xcomp decompression status:
– nothing: ip|xcomp decompression service is not available,
– up: the decompression service is operational for the ip|engine,
– down: the decompression service is not operational,
■ Compression (diagnostics): state and size of the hard disk drive,
■ Decompression (diagnostics): there is no diagnostic message by ip|xcomp - decompress to date,
ip|xtcp
■ TCP acceleration: ip|xtcp status:
– nothing: ip|xtcp is not available,
– up: ip|xtcp is operational for the ip|engine,
– down: ip|xtcp is not operational,
■ TCP acceleration (diagnostics): diagnostic messages by ip|xtcp,
ip|xapp
■ Protocols acceleration: ip|xapp status:
– nothing: ip|xapp is not available,
– up: ip|xapp is operational for the ip|engine,
– down: ip|xapp is not operational,
■ Protocols acceleration (diagnostics): diagnostic messages by ip|xapp,
Ipanema Mobile Agent
■ Mobile Agent: IMA status:
– nothing: IMA is not available,
– up: IMA is operational for the ip|engine,
– down: IMA is not operational,
■ Detected IMA Clients: number of IMA clients detected by the ip|engine,
■ Active IMA Clients: number of active IMA clients on the ip|engine,
■ IMA Server Tokens Used: number of tokens used on the ip|engine (that acts as IMA server),
■ IMA Server Tokens Allocated: number of tokens allocated on the ip|engine (that acts as IMA server).
Alarms tab:
Single ip|engine status window, third tab
Topology subnets on equipped sites are automatically discovered by the system (hosts are “claimed” by the first ip|engine that “sees” the ACK or the SYN+ACK packets of TCP sessions), but they can also be configured. If the discovered Topology subnets and the configured ones do not match, then a “mismatch” alarm is raised. An alarm is also raised when the discovered Topology subnets change as compared to the previously discovered ones (“migration” alarm). In either case, an alarm is raised when a potentially abnormal event is detected between a pair of sites during the last polling period, regardless of the number of impacted hosts; the first 20 hosts concerned are displayed. (The role of Topology Subnets and how to configure them are described in section 4.7.4.)
■ Type: mismatch or migration (see above).
■ Description: there are 5 messages for mismatch alarms and 3 messages for migration alarms; ”[MIS]” stands for ”IPBOSS_TOPO_SUPERVISION_EVENT_CLS_MISMATCH”, ”[MIG]” stands for ”IPBOSS_TOPO_SUPERVISION_EVENT_CLS_MIGRATION”; all messages end with “_DESCRIPTION” (not displayed below):
– [MIS]_WRONG_TAG: hosts configured on an equipped site claimed by another equipped site.
– [MIS]_UNEXPECTED_TAG: hosts configured on a tele-managed site claimed by an equipped site.
– [MIS]_WRONG_UNKNOWN_TAG: hosts configured on an equipped site claimed by an unknown site*.
– [MIS]_UNEXPECTED_UNKNOWN_TAG: hosts configured on a tele-managed site claimed by an unknown site.
– [MISMATCH]_MISSING_TAG: hosts configured on an equipped site not properly claimed.
– [MIG]: hosts previously discovered by an equipped site claimed by another equipped site.
– [MIG]_UNKNOWN_TAG: hosts previously discovered by an equipped site claimed by an unknown site*.
– [MIG]_MISSING_TAG: hosts previously discovered by an equipped site not properly claimed.
* A site is unknown typically when the ip|engine that claimed the hosts belongs to another Domain, which happens when the traffic crosses several Domains (so it can be normal).
■ Expected site:
– for a mismatch alarm: configured site;
– for a migration alarm: site previously discovered.
■ Discovered site:
– for a mismatch alarm: discovered site;
– for a migration alarm: latest discovered site.
■ Hosts: list of the first 20 hosts concerned by the alarm.
All alarms above have two main root causes:
■ either the situation is normal (e.g. traffic crossing several Domains, see above); configuring the Topology subnets manually can clear the alarm in most cases,
■ or there is an error in the configuration: check the concerned hosts, check the topology and fix the configuration.
Interfaces tab:
Single ip|engine status window, fourth tab
■ Deployment mode:
– Unknown: the deployment mode is not provided by the ip|engine, which is the case when its software version is earlier than v8,
– Parallel: the ip|engine is installed in parallel mode,
– Dual parallel: the ip|engine is installed in parallel mode on two ports,
– Serial: the ip|engine is installed in serial mode,
– Multi-wan: the ip|engine is directly connected to several WAN routers (but it only has one LAN connection),
– Multi-path: the ip|engine has several LAN connections (it is possibly directly connected to several WAN routers too),
– Redirection GRE: virtual|engine redirecting the traffic via a GRE tunnel,
– Redirection L2: virtual|engine redirecting the traffic via a Layer 2 connection.
■ Bypass function ability:
– Unknown: the bypass function ability is not provided by the ip|engine, which is the case when its software version is earlier than v8,
– Enabled: the ip|engine shall bypass the traffic in case of failure (e.g. power failure),
– Disabled: the ip|engine is configured not to bypass the traffic in case of failure (for instance on a site with two links and HSRP, so as to stop the traffic on a link with an ip|engine in failure; in bypass mode the traffic would still go through the same link, but without Visibility, Control, Optimization etc., whereas by disabling this feature and stopping the traffic, HSRP shall reroute it to the second link, where it shall be measured, controlled, optimized, etc., by the second ip|engine),
– Unsupported: the bypass function is not supported by the ip|engine (it depends on its hardware).
■ Copy Lan to Wan function:
– Unknown: the Lan to Wan function state is not provided by the ip|engine, which is the case when its software version is earlier than v8,
– Enabled: the ip|engine is configured to copy the state of its LAN port to its corresponding WAN port,
– Disabled: the ip|engine shall not copy the state of its LAN port to its corresponding WAN port,
– Unsupported: the Copy Lan to Wan function is not supported by the ip|engine (it depends on its hardware).
■ Interfaces Status list table, with the following fields:
– Name: name of the interface (lan0, wan0, etc.); the name is displayed in red in case of errors on the interface,
– Type:
• --: the type of interface is not provided by the ip|engine, which is the case when its software version is earlier than v8,
• Lan: LAN interface,
• Wan: WAN interface, or EXT interface used as a WAN interface,
• Management: MGT interface,
• Asymmetric routing: interface used to connect to the other ip|engine of a cluster with asymmetric routing (“ASR” function),
• not used: interface not currently used; other fields describing the interface’s state are greyed out.
– Settings: Ethernet configuration of the interface:
• auto, 10HD, 10FD, 100HD, 100FD or 1000FD,
– Status:
• up: Ethernet interface is in “link Up” state,
• down: Ethernet interface is in “link Down” state; it is a normal state for an unused interface (see Type above); if the interface is used, it is an alarm (displayed in red in that case),
– Current Mode: current mode of the Ethernet interface (it should be compatible with the “Settings” field):
• 10HD, 10FD, 100HD, 100FD or 1000FD,
– Received packets: number of packets received on the interface,
– Received bytes: number of bytes received on the interface,
– Sent packets: number of packets sent on the interface,
– Sent bytes: number of bytes sent on the interface,
– Collisions: number of collisions on the interface (in amber if different from 0),
– Errors: number of frame errors on the interface (in red if different from 0).
The counters show the delta between two polls (every minute by default), and not cumulative values. If the ip|engine is connected in parallel mode, only the LAN counters are significant.
5. 2. 1. 3. Downloading monitoring data (GLASS)
The icon in the ip|engine status windows allows downloading monitoring data called GLASS (GlobaL Autonomic Support System) and aimed at accelerating technical escalations.
Downloading monitoring data
■ Select one or several ip|engines,
■ Click ,
■ Choose to open or save the zip file containing the monitoring data (we recommend saving it),
■ Send the zip file to Ipanema Support.
The zip file is called “.zip” (in case a single ip|engine was selected) or “ipe_monitoring.zip” (in case several ip|engines were selected) and it contains the following folders:
■ ”config”: contains the configuration made in ip|boss and sent to the ip|engines of the Domain;
■ “” (one folder per ip|engine): contains CSV files with the GLASS metrics.
5. 2. 2. Status Maps (monitoring ip|engines activity)
Operating procedure table: Management
In the Supervision Toolbar, select Supervision maps.
The ip|engine Supervision Maps window is displayed.
ip|engine Supervision Maps window
The supervision maps show at a glance the behavior of all ip|engines. These graphical views use squares with a size depending on the ip|engine model (depending on their hardware capabilities), and a color depending on the supervision status. At each collect from the ip|engines, the map is refreshed.
This window contains:
■ the map itself, with a square for each ip|engine; the size depends on the ip|engine hardware model, and the color gives a quick synthetic view of the supervision status:
– Red: when Status is down (ip|engine not reachable), or when one of the following functions: Measurement, Application Control, Compression, Decompression, Acceleration is “down”, “not started”, “not configured” or “not updated” (after three trials of update),
– Yellow: when not Synchronized, and/or Overloaded and/or Updating (update of configuration running),
– Green: all statuses are OK (Status, Measurement (always); Application Control, Compression, Decompression and Acceleration, if enabled; Synchronization (always)).
■ : to consult the global supervision status,
■ : to export in a text file the list of supervision status,
■ : to consult the detailed supervision status (refer to the supervision details above),
■ , and : unused,
■ : to show the help.
By moving the mouse on a square, a contextual text shows the supervision status (see screenshot above):
■ ip|engine: host name,
■ Model: ip|engine range,
■ Status: reachability of ip|engine,
■ Measure: status of ip|true function,
■ Application Control: status of ip|fast function,
■ Compression: status of ip|xcomp function for compression,
■ Decompression: status of ip|xcomp function for decompression,
■ TCP acceleration: status of ip|xtcp function,
■ Protocols acceleration: status of ip|xapp function,
■ Mobile Agents: status of IMA function,
■ Discovery: status of discovery function,
■ Synchronization: status of ip|sync function,
■ Overload: status of ip|engine usage; if overloaded, the ip|engine WAN throughput exceeds the specification of the hardware.
5. 2. 3. Scripts Operating procedure table: Management This function is to be used with the Ipanema Technologies Support. In the System provisioning toolbar, select
Scripts.
Scripts window The window comprises the following input fields: ■ ■ ■
ip|engine: list of all ip|engines of the Domain, Script: list of the available scripts. These scripts are in the directory ~/ipboss/server/scripts Commands buttons: – –
(Select all): selects all the ip|engines, (Launch): to launch the script on all the selected ip|engines. A confirmation window is displayed: click OK. Depending on the number of selected ip|engines, a message can appear: “This can take a long time...” .
–
(Refresh): refreshes the view.
–
(Help): opens a contextual Help window.
The “Execution script result” frame displays the scripts being launched, and allows downloading and deleting them: ■
Result table fields: – Date: when the scripts were launched, – Script: name of the scripts that were launched, – ip|engine(s): ip|engines that ran the script.
5-14
Ipanema Technologies
October 2014
Ipanema System supervision (ip|boss)
■
Commands buttons: –
(Select all): selects all the scripts results,
–
(Delete): delete the selected scripts results (the data will be deleted from the server),.
–
(Download script result): allows downloading a zip file with the selected scripts results and other information (see below),
–
(Refresh): refreshes the view.
The zip file that can be downloaded is called ExecutionScriptResult.zip and has the following structure:
■ root: one folder per selected script result, where yymmdd-hhmm are the date and time when the scripts were launched. The root folder has three subfolders, containing five files:
– ipboss:
• __active__.ipmconf: ip|boss’s current configuration
• ip_boss_00.log: ip|boss’s log file
– ipengines:
• .ipmres: script result in itself
– script:
• .ipmscp: launched script (encrypted file)
• ipengine.txt: list of dumped ip|engines (alias+@ip)
The user can send this zip file (by E-mail or FTP) to Ipanema Technologies support ([email protected]).
All this information can also be found on ip|boss server (until it is deleted) here: “~/salsa/ipboss/server/domains//temp/Ipanema-dump/”.
Different script files are available. The main ones are:
■ default.ipmscp: dumps all information in the ip|engine, reserved for the support,
■ flows.ipmscp: dumps all flows in the ip|engine,
■ ipconfig.ipmscp: dumps information about the IP and Ethernet settings of the ip|engine,
■ check iptrue.ipmscp: dumps information about ip|true, reserved for the support,
■ check ipfast.ipmscp: dumps information about ip|fast, reserved for the support,
■ check ipxcomp.ipmscp: dumps information about ip|xcomp, reserved for the support,
■ check itp.ipmscp: dumps information about ip|sync synchronization, reserved for the support,
■ restart iptrue.ipmscp: restarts ip|true agent, reserved for the support,
■ restart ipfast.ipmscp: restarts ip|fast agent, reserved for the support,
■ restart ipxcomp.ipmscp: restarts ip|xcomp agent, reserved for the support,
■ restart itp.ipmscp: restarts ip|sync agent, reserved for the support,
■ process.ipmscp: dumps information about the process running, reserved for the support.
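A check of a downloaded ExecutionScriptResult.zip against the layout described above, listing the members that carry the local configuration, the log and the ip|engine address list so they can be reviewed before the archive is sent off site. This is an added example, not Ipanema code: the function names, the sample folder names and the sample file base names are assumptions, and result and script files are matched by extension only.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Layout from the manual: three subfolders per script-result folder.
# Fixed file names are matched exactly; result and script files are
# matched by extension only, since their base names vary per run.
EXPECTED = {
    "ipboss": {"names": {"__active__.ipmconf", "ip_boss_00.log"}, "suffixes": set()},
    "ipengines": {"names": set(), "suffixes": {".ipmres"}},
    "script": {"names": {"ipengine.txt"}, "suffixes": {".ipmscp"}},
}
# Members describing the local deployment (configuration, log, engine
# aliases and addresses). Flagging them is this example's choice.
REVIEW_BEFORE_SENDING = {"__active__.ipmconf", "ip_boss_00.log", "ipengine.txt"}
TOP_LEVEL = "(top level)"


def audit_bundle(zip_bytes):
    """Return {result_folder: {"missing": [...], "unexpected": [...], "review": [...]}}."""
    found = defaultdict(set)  # result folder -> {(subfolder, file name)}
    report = defaultdict(lambda: {"missing": [], "unexpected": [], "review": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = PurePosixPath(info.filename).parts
            if len(parts) < 2:
                # A file sitting beside the result folders is not part of the layout.
                report[TOP_LEVEL]["unexpected"].append(info.filename)
                continue
            root = parts[0]
            entry = report[root]
            # Anything that is not <result>/<known subfolder>/<file>, or that
            # tries to climb out of the archive root, is reported as unexpected.
            if len(parts) != 3 or ".." in parts or parts[1] not in EXPECTED:
                entry["unexpected"].append(info.filename)
                continue
            sub, name = parts[1], parts[2]
            rule = EXPECTED[sub]
            if name in rule["names"] or PurePosixPath(name).suffix in rule["suffixes"]:
                found[root].add((sub, name))
                if name in REVIEW_BEFORE_SENDING:
                    entry["review"].append(info.filename)
            else:
                entry["unexpected"].append(info.filename)
    for root, entry in report.items():
        if root == TOP_LEVEL:
            continue
        for sub, rule in EXPECTED.items():
            present = {n for s, n in found[root] if s == sub}
            entry["missing"] += [f"{sub}/{n}" for n in sorted(rule["names"] - present)]
            entry["missing"] += [
                f"{sub}/*{sfx}"
                for sfx in sorted(rule["suffixes"])
                if not any(n.endswith(sfx) for n in present)
            ]
    return dict(report)


def build_sample_bundle():
    """Constructed sample archive: one complete result folder, one incomplete."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        good = "result-141003-0915"  # constructed folder name
        for member in (
            "ipboss/__active__.ipmconf",
            "ipboss/ip_boss_00.log",
            "ipengines/paris.ipmres",   # constructed base name
            "script/flows.ipmscp",
            "script/ipengine.txt",
        ):
            zf.writestr(f"{good}/{member}", b"constructed")
        bad = "result-141003-1130"   # constructed folder name
        zf.writestr(f"{bad}/ipboss/__active__.ipmconf", b"constructed")
        zf.writestr(f"{bad}/script/flows.ipmscp", b"constructed")
        zf.writestr(f"{bad}/ipboss/notes.txt", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for folder, findings in audit_bundle(build_sample_bundle()).items():
        print(folder)
        for kind in ("missing", "unexpected", "review"):
            for item in findings[kind]:
                print(f"  {kind}: {item}")
```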
5. 2. 4. Security (monitoring security certificate)
Operating procedure table: Management
In the System provisioning Toolbar, select Tools and go to the Security status tab.
The Security status is displayed:
Security status window
The name of the certificate used by ip|boss is displayed in the blue bar. Select ip|engines in the list below and click on the Status button to check the name of the certificate that they use. (You can select all ip|engines simultaneously with the Select all button.) The certificates used by ip|boss and by the ip|engines should be the same. (The certificate is created in ip|boss with the System administration > Security menu.)
5. 3. SYSTEM PROVISIONING: TOOLS
5. 3. 1. Rebooting
Operating procedure table: Management
In the System provisioning Toolbar, select Tools and go to the Reboot tab.
The Reboot window is displayed:
Reboot window
This window contains:
■ the list of ip|engines,
■ the following command buttons:
– (Select all): selects all the ip|engines,
– (Reboot): all the selected ip|engines receive a reboot order.
– (Refresh): refreshes the view.
– (Help): opens a contextual Help window.
5. 3. 2. ip|engine software upgrade
Operating procedure table: Management
ip|engine’s software (ip|agent) can be upgraded from the system manager ip|boss, or directly from the ip|engines themselves. In the first case, an FTP server reachable by both ip|boss and the ip|engines is mandatory; in the second case (direct upgrade from the ip|engines), the FTP server only needs to be reachable by the ip|engines to be upgraded.
In ip|boss’ System provisioning toolbar, select Tools and go to the Software upgrade tab.
The Software upgrade window is displayed:
Software upgrade window
This window is made of two frames:
■ the list of ip|engines to be upgraded (left frame),
■ the list of ip|agent software versions (right frame).
The procedure is as follows:
1. At opening, the list of ip|engines in the configuration is displayed in the left frame. The Version column is not filled in. Select some ip|engines (or all with the Select all button) and click on the Status button to see the actual software versions and statuses of the selected ip|engines. The statuses can be:
– upgraded: the ip|engine has the software release which is described in the field version,
– download scheduled: the ip|engine will be upgraded, the scheduled “Begin” hour is not passed,
– install scheduled: the ip|engine is upgrading, the scheduled “End” hour is not passed,
– error occurred: possible reason of failure:
• “No Space left for file”: no more space on ip|engine to download the file,
• “Can’t connect to server (check address/routes)”: FTP server is unreachable,
• “Access to server denied (check login/password)”: login/pw problem on FTP server,
• “File not found: xxxxxxx”: the file is not in the right directory on FTP server or the directory is wrong,
• “Error while downloading”: the connection between FTP server and the ip|engine is broken,
• “No disk space left for file”: no more space to uncompress the software package.
2. In the right frame, click on the Get catalog button. A new window opens, to specify the FTP server that contains the catalog. It contains the following fields:
– FTP server (ip|boss access): IP address of the FTP server reachable by ip|boss (ip|boss reads the ip|agent versions present on the FTP server),
– FTP server (ip|engine access): IP address of the FTP server reachable by ip|engines (ip|engines will download the new ip|agent version from that FTP server); it can be different from the previous address in case of NATting,
– Directory: the FTP server directory containing the ip|agent software files,
– Login: user name to use to get the files,
– Password: password of the user.
The list of ip|agent software versions on the FTP server is displayed. This table is made of two columns:
– ip|agent version: list of the available software versions,
– Current version compatibility: shows the compatibility with the running version of ip|boss (compatible or not compatible).
3. Select the ip|engines to be upgraded in the left frame and the ip|agent software version in the right frame, and click on the Upgrade button.
A message confirms that the selected ip|engines have received the upgrade order. A Cancel button allows cancelling the upgrade request. Cancelling an upgrade is possible before or during the FTP download of the new version of ip|agent, but before the ip|engine has started swapping.
4. A scheduling window opens, that allows scheduling the upgrade (during the night for example), or launching it immediately by clicking on Ok without specifying any date or time.
This window is made of the following fields:
– Start time: enter the start date and time for the upgrade (this must be a future date, not the current date). The Start time corresponds to the date when the ip|engine’s download from the FTP server will start. The chronological sequence of downloads is managed automatically by the system,
– End time: enter the end date and time of the upgrade (this must be a future date, not the current date). The End time corresponds to the date when the ip|engine’s download will end and the ip|engine will reboot for the new version to be applied,
– Mode:
• Differential: download only files necessary to upgrade the current version to the new version,
• Total: download all files.
Click on Ok when done. The restart of ip|engines after upgrade is automatically performed at the date/time specified by the "End time" field. If the “Start time” and “End time” fields are empty, the upgrade starts immediately on the selected ip|engines.
5. Check that the upgrade has been completed correctly by selecting the concerned ip|engines and by clicking on the Status button.
5. 4. IP|BOSS LOGS
Operating procedure table: Management
In the Supervision Toolbar, select Log.
The Log window is displayed.
Log window
This window contains:
■ the list of Supervision events (on ip|engines, ip|boss server and ip|reporter server) with a time stamping, in Syslog format,
■ the list of Traffic alarming events (on MetaViews) with a time stamping (only if it has been activated in Options / Activation).
5. 5. CONFIGURATION HISTORY
Operating procedure table: Management
In the Supervision Toolbar, select Configuration history.
The Configuration history window is displayed. It contains the list of all configurations saved with, for each one, the modification date, the name of the User who made the modifications and the modified section(s) in the configuration file. To read a configuration in the right pane, click its name:
Configuration history window
To compare two configurations (make a “diff”), select them (click the first one, then click the second one with the Control key pressed) and click the Diff icon. The right pane displays the modified lines:
Comparison between two configurations
■ The top frame shows the modifications, with the Previous line and the Modified line (in the example above, the Previous line is empty because an object was created),
■ the bottom frame shows them in the two configuration files they belong to; two blue arrows allow jumping from one modification to the next one (down arrow) or to the previous one (up arrow).
CHAPTER 6. USING IPANEMA SERVICES (IP|BOSS)
Document organization
To run a measurement or Application Control session, you must start ip|boss. For more information, refer to table "Operating procedure". A session can be started or stopped whatever the service used: ip|true (measurement), ip|fast (Application Control), ip|coop (tele-cooperation), ip|xcomp (redundancy elimination), ip|xtcp (TCP acceleration), ip|xapp (CIFS acceleration) and smart|plan (smart planning reports).
6. 1. STARTING AND STOPPING A SESSION
6. 1. 1. Starting a session
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, smart|plan, IMA.
From the Toolbar, select Service activation.
In the Service activation window that opens, select ip|engines: on.
The start of a session of measurement, control, compression or acceleration begins with a check of the configuration. In case of error, ip|boss shows a warning. Check that the indicator lights in the Main window turn green (after a few seconds); refer to ip|boss’ status zone description for information on the meaning of indicator lights that remain amber or red. When a session starts, ip|true (measurement) is automatically activated on the ip|engines of the Domain.
In case of failure of ip|boss or of the server, at the next start of ip|boss, the session will be in the same state (automatic restart if it was started, or stop if it was stopped).
6. 1. 2. Stopping a session
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, smart|plan, IMA.
A session can be stopped on the ip|engines from the Toolbar: select Service activation.
In the Service activation window that opens, select ip|engines: off.
Stopping a session will stop all functions of the system (ip|true (measurement), ip|fast, ip|xcomp, ip|coop, ip|xtcp, ip|xapp, DWS, smart|plan).
Check that the indicator lights on the status zone turn to black.
6. 2. DYNAMICALLY MODIFYING A SESSION
The user can dynamically modify some current session settings without stopping the system. The table below lists the ip|boss system components and services that are accessible with the current configuration running, where:
■ A: means that the modifications made by a user of the service are automatically applied,
■ U: means that the user has to use Update to apply the modifications made.
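Table “Dynamically modifying a session”: ip|true service, ip|fast service, ip|xcomp service, ip|coop service, ip|xtcp service, ip|xapp service.

Components | Services | Dynamic | Other
Manager System | Login | A |
Manager System | Login/User Settings | A |
Manager System | Update | A |
Manager System | Help | A |
System Administration | User | U |
System Administration | Automatic reporting | U |
System Administration | Security/Generation | U |
System Administration | Security/Configuration | U |
System provisioning | ip|engines | U |
System provisioning | Topology Subnets | U |
System provisioning | WAN access | U |
System provisioning | Coloring | U |
System provisioning | ip|sync | U |
System provisioning | Tools/Software upgrade | A |
System provisioning | Tools/Reboot | A |
System provisioning | Tools/Script | A |
System provisioning | Tools/Security status | A |
Entries of the Other column for the rows above: Not available with the system shut down; ”None” cannot be suppressed
Service activation | Enable ip|engines | A | start the session
Service activation | Disable ip|engines | A | stop the session
Service activation | Enable ip|fast | U |
Service activation | Disable ip|fast | U |
Service activation | Enable ip|xcomp | U |
Service activation | Disable ip|xcomp | U |
Service activation | Enable ip|coop | U |
Service activation | Disable ip|coop | U |
Service activation | Enable ip|xtcp | U |
Service activation | Disable ip|xtcp | U |
Service activation | Enable ip|xapp | U |
Service activation | Disable ip|xapp | U |
Supervision | ip|engines status | A |
Supervision | Supervision map | A |
Supervision | Log | A |
Supervision | Options/Activation | U |
Supervision | Options/Mail | U |
Supervision | Options/Trap | U |
Application provisioning | User subnets | U |
Application provisioning | Applications | U |
Application provisioning | TOS | U |
Application provisioning | Application Group | U | “other” cannot be suppressed
Application provisioning | QoS profile | U | “Default” cannot be suppressed
Application provisioning | Local Traffic Limiting | U |
Reporting | MetaView | U |
Reporting | ip|reporter | U |
Reporting | Alarming | U |
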
Whether for a Start or an Update, the configuration is checked to inform the user that resources (Domains and services) are referenced even though they are not configured in the directories or dictionaries. As long as the check is not OK, no Start or Update operation can be performed on ip|engines. The check operation accepts configurations with empty dictionaries or directories.
6. 2. 1. Update procedure
Operating procedure table: ip|true, ip|fast, ip|coop, ip|xcomp, ip|xtcp, ip|xapp, DWS, smart|plan, IMA, ip|sync.
In the Toolbar, select Update.
The Update option performs the following steps:
■ checks the configuration,
■ archives the old configuration (__active__.ipmconf.bak) with its date and time and user in the file name (__active__...undo.ipmconf; the 50 most recent archives are kept),
■ saves the current configuration (__active__.ipmconf) as the old configuration (__active__.ipmconf.bak),
■ saves the new configuration as the current configuration (__active__.ipmconf),
■ releases the locked resources (during an edit of it),
■ applies the new configuration to each ip|engine with an immediate application request,
■ applies the new configuration to ip|reporter (if some reporting modifications were made).
If some ip|engines do not apply the new configuration, ip|boss automatically reconfigures these ip|engines. The status indicator is yellow and shows either:
■ “not configured”: some ip|engines refuse the new configuration,
■ “not updated”: some ip|engines have received the new configuration, but refused it.
ip|boss systematically sends a complete configuration file to the ip|engines of the Domain.
6. 2. 2. Transition
In the ip|engine’s reconfiguration phase, some ip|engines must measure, control and compress on the basis of different configurations. In addition, as an SNMP agent must take the new configuration into account (after Update), it may receive measurement results for the previous configuration. Different problems can arise:
■ an application dictionary entry is suppressed,
■ a TOS dictionary entry is suppressed,
■ an ip|engine directory entry is suppressed,
■ a subnet directory entry is suppressed.
For suppressed dictionary entries, reports on the previous configuration (i.e. with old aggregate application or TOS values) are automatically classified in “other” by ip|boss. There is no retroactive effect on measurement data that may have been saved in ip|reporter.
For suppressed subnet directory entries, reports on the previous configuration (i.e. with old subnet values) are automatically rejected by ip|boss.
For suppressed ip|engine directory entries, reports on the previous configuration (i.e. with old ip|engine values) are automatically rejected by ip|boss.
For suppressed ip|engine directory entries, the ip|engines that have disappeared are stopped. However, the stop signal may not reach the ip|engines concerned: after 10 attempts spaced out over the recovery interval configured in the system, the “stop” operation is abandoned by the manager and the user is informed.
6. 3. SERVICE ACTIVATION
6. 3. 1. ip|true (measurement)
Operating procedure table: ip|engines Enabled, ip|engines Disabled
Stopping ip|true will stop all other functions of the system (ip|fast, ip|xcomp, ip|coop, ip|xtcp, ip|xapp, DWS, smart|plan). Refer to the section Stopping a session.
The measurement mechanisms are designed to measure precisely all flows crossing the ip|engines and to provide comprehensive metrics (volume and quality).
ip|true is enabled, if:
■ Administrative state: enable is checked in the ip|engines creation window (“Services” frame):
ip|engine creation window, “Services” frame
(The display window shows a green tip in front of the line:)
ip|engines display window
■ ip|engines are enabled in the Service activation window (refer to the section Starting a session):
Service activation window
Modifying quality (AQS) measurement settings
Depending on the results obtained, you can modify some settings. To access the options, refer to the table “Dynamically modifying a session”. The settings you may need to modify are:
■ Applications
■ User Subnets
■ QoS profiles
■ MetaViews
■ Application Groups
■ Reports
■ TOS
6. 3. 2. ip|fast (Application Control)
Operating procedure table: Application Control Enabled, Application Control Disabled
The Application Control mechanisms are designed to find the best compromises to reach QoS objectives and take express customer requirements into account:
■ QoS objectives are expressed in terms of "physical" constraints (delay, jitter, loss rate, etc.),
■ customer policies are expressed in terms of classes, defining relative traffic criticality.
ip|fast is enabled, if:
■ ip|fast is enabled in the license file,
■ ip|fast is checked in the ip|engines creation window (“Services” frame):
ip|engine creation window, “Services” frame
(The ip|engines display window shows “yes” in the optimization column.)
■ the Application Groups have been configured (not mandatory),
■ the Coloring offered by the operator has been configured (only for a network with Classes of Service),
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control is activated in the Service activation window: ip|fast: on:
Service activation window
At this stage, Application Control is performed according to the specified QoS objectives.
Modifying Application Control settings
Depending on the results obtained, you can modify some settings. To access the dictionaries, see the table “Dynamically modifying a session”. The settings you may need to modify are:
■ Applications
■ User Subnets
■ QoS profiles
■ LTL
■ Application Groups
■ Coloring
■ TOS
■ WAN access
6. 3. 3. ip|coop (tele-cooperation)
Operating procedure table: tele-cooperation Enabled, tele-cooperation Disabled
The tele-cooperation mechanisms are designed to control the traffic on tele-managed sites as efficiently as possible. To achieve this, a remote coordination group (RCG), that contains the main sources of traffic to that site, is automatically and dynamically configured by ip|boss; the RCG can contain up to 8 ip|engines. Each tele|engine has its own RCG.
ip|coop is enabled, if:
■ ip|coop is enabled in the license file,
■ ip|fast is checked in the ip|engines creation window (“Services” frame):
ip|engine creation window, “Services” frame
(The ip|engines display window shows “yes” in the optimization column.)
If ip|fast is not checked for a tele|engine, the traffic on that site will be controlled anyway (as long as ip|fast is enabled globally), as it is the remote ip|engines which actually do it, but without ip|coop (that is, without the remote ip|engines cooperating to control the site with the tele|engines).
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ ip|coop is activated in the Service activation window: ip|coop: on.
Service activation window
If ip|coop is not enabled, tele|engines will still measure and control the traffic, with the following restrictions:
■ measurement: the traffic will be measured and reported exactly the same,
■ control: the traffic will be controlled with no Remote Coordination Group, each ip|engine managing the flows to and from the unequipped sites (tele|engines) on its own, without coordination with the other ip|engines communicating with this site.
Modifying tele-cooperation settings
There are no settings that are specific to ip|coop (table “Modifying a session dynamically”).
6. 3. 4. ip|xcomp (redundancy elimination)
Operating procedure table: compression Enabled, compression Disabled
The redundancy elimination mechanisms are designed to use as much bandwidth as possible, but still taking the Application Control parameters into account.
ip|xcomp is enabled, if:
■ ip|xcomp is enabled in the license file,
■ ip|xcomp compress and/or ip|xcomp decompress is/are checked in the ip|engines window (“Services” frame; ip|fast must be checked first):
ip|engine creation window, “Services” frame
(The ip|engines display window shows “yes” in the compress and/or decompress columns.)
■ the Application Groups have been configured (“Compress” must be checked),
Application Group creation window
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ compression is activated in the Service activation window: ip|xcomp: on:
Service activation window
At this stage, compression is performed according to the Application Group set up.
Modifying redundancy elimination settings
Depending on the results obtained, you can modify some settings. To access the dictionaries, see the table “Modifying a session dynamically”. The settings you may need to modify are:
■ ip|engines
■ Application Groups
6. 3. 5. ip|xtcp (TCP acceleration)
Operating procedure table: TCP acceleration Enabled, TCP acceleration Disabled
The TCP acceleration mechanisms are designed to accelerate the traffic between sites with a high RTT and/or a high available bandwidth.
ip|xtcp is enabled, if:
■ ip|xtcp is enabled in the license file,
■ ip|xtcp is checked in the ip|engines creation window (“Services” frame; ip|fast must be checked first):
ip|engine creation window, “Services” frame
■ the Application Groups have been configured (“Accelerate” must be checked):
Application Group creation window
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ TCP acceleration is activated in the Service activation window: ip|xtcp: on:
Service activation window
Modifying acceleration settings
Depending on the results obtained, you can modify some settings. To access the dictionaries, see the table “Modifying a session dynamically”. The settings you may need to modify are:
■ ip|engines
■ Application Groups
6. 3. 6. ip|xapp (CIFS acceleration)
Operating procedure table: CIFS acceleration Enabled, CIFS acceleration Disabled
The CIFS acceleration mechanisms are designed to accelerate CIFS traffic between sites with a high RTT and/or a high available bandwidth.
ip|xapp is enabled, if:
■ ip|xapp is enabled in the license file,
■ ip|xapp is checked in the ip|engines creation window (“Services” frame; ip|fast must be checked first):
ip|engine creation window, “Services” frame
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ CIFS acceleration is activated in the Service activation window: ip|xapp: on:
Service activation window
Modifying acceleration settings
Depending on the results obtained, you can modify some settings. To access the dictionaries, see the table “Modifying a session dynamically”. The setting you may need to modify is:
■ ip|engines
6. 3. 7. smart|plan
Operating procedure table: Smart Planning Enabled, Smart Planning Disabled
Ipanema Technologies Smart planning reports provide easy-to-use data for Capacity Planning optimization. smart|plan generates very high added value data enabling a complete analysis for each network access of the relationship between Traffic (resource) and delivered service level (results). Using this automatically generated data, it is immediately possible to identify if the access link is under-provisioned or over-provisioned in regard of the expected service level per application’s business criticality.
smart|plan is enabled, if:
■ smart|plan is enabled in the license file,
■ smart|plan is checked in the ip|engines creation window (“Services” frame; ip|fast must be checked first):
ip|engine creation window, “Services” frame
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ smart|plan is activated in the Service activation window: smart|plan: on:
Service activation window
6. 3. 8. IMA
Operating procedure table: IMA Enabled, IMA Disabled
Ipanema Mobile Agent is a SoftWOC (Software WAN Optimization Controller), more precisely a software agent for Windows desktops and laptops, which provides SRE compression and CIFS acceleration services to nomad users and small offices on non-equipped (or tele-managed) sites and sites equipped with a nano|engine. It works in server-client mode, where an ip|engine (ip|e 140ax or above) plays the role of IMA server and IMA software installed on the user’s desktop or laptop is an IMA client. IMAs detection, configuration and activation are fully automatic.
IMA service is enabled, if:
■ IMA is enabled in the license file,
■ IMA is checked on the IMA server (ip|engine creation window; ip|fast must be checked first) and on the tele|engine or nano|engine (or, possibly, ip|engine) configured on the site with IMA clients. If the IP address of the user’s desktop or laptop running an IMA client does not belong to any allocated Topology subnet, it is “Out of Domain”; for this user to benefit from IMA service, IMA must be enabled on “Out of Domain” tele|engine.
IMA checkbox in the ip|engine / tele|engine creation window
■ ip|engines have been started (Service activation window, ip|engines: on),
■ Application Control has been started (Service activation window, ip|fast: on),
■ IMA is activated in the Service activation window: IMA: on:
Service activation window
6. 4. HELP
In the Toolbar, select Help.
The Help window is displayed.
Help window
This window contains the documentation of Ipanema System.
CHAPTER 7. MONITORING (IP|DASHBOARD)
Document organization
This chapter describes ip|dashboard capabilities.
7. 1. CONNECTION
To connect to ip|dashboard from the SALSA client, first select the Domain you want to monitor, then click on the ip|dashboard button:
SALSA client
ip|dashboard main window then opens:
ip|dashboard main window
7. 2. GRAPHICAL USER INTERFACE
7. 2. 1. ip|dashboard window, menus and views
ip|dashboard window is made of three parts:
■ 1. the top bar,
■ 2. the menu and view bar, and
■ 3. the main space:
ip|dashboard main window
ip|dashboard version is displayed at the bottom of the window.
7. 2. 1. 1. The top bar
The top bar shows:
■ the Ipanema logo,
■ a Quick search text box, which allows searching for the Sites containing the typed string; for instance, typing “ara” in our example displays Caracas, Maracaibo, Paracatu and Santa Barbara:
Quick search
■ the User who is logged in (“Connected as”),
■ the Domain where the User is connected to (“Domain”),
■ a Quit button,
■ a Local Time drop-down list, which allows the User to display the data with:
– either the Local time zone
– or the Domain time zone (as configured in ip|uniboss), thus allowing them to align the timing in ip|dashboard’s graphs with that of ip|reporter’s reports.
7. 2. 1. 2. The menu and view bar
The menu and view bar shows:
■ two main menus:
– Dashboard: to monitor the network flows (explained here),
– Configuration: to configure SSL optimization (explained in Chapter 8),
■ and, when Dashboard is selected, several views (the active view is displayed with a blue title):
– : allows displaying Domain-level information;
– Sites (): shows the list of Sites with their links usage and quality;
– Flows (): shows the list of flows at the Domain level;
– (only displayed when the User clicks on a Site name or bar in one of the previous views): allows seeing more details for the selected Site; several Site views can be open simultaneously (none is open when the User first connects). A Site view can be closed by clicking on the white cross next to its name.
7. 2. 1. 3. The main space
The main space shows the different views:
■ , with two frames:
– - Quality Summary
– - Activity Summary
■ Sites (), with two frames ( is the number of Sites currently configured):
– Overview
– Sites
■ Flows (), with two frames ( is the number of Flows measured during the last polling period):
– Overview
– Application flows
■ , with up to five frames, depending on the User rights:
– - Quality Summary
– - Activity Summary
– - Throughput Summary per NAP
– - Application flows
– - Discovery
You can open them by clicking on their names in the view bar. A Site view has to be opened first by clicking on the Site name or bar in the Domain or Sites views.
7. 2. 2. Frames and timing
The frames in the different views can be expanded or collapsed by clicking on their headers (grey bars).
Example of a Site view with one frame expanded and all other frames collapsed
The first frame header of each view (at the top of the main space, just below the menu and view bar) contains, after the name of the frame:
first frame header, below the menu and view bar
■ a tooltip (Domain and individual Site views): shows additional information:
Site tooltip
■ a date and time area: allows searching historical data (up to the last 4320 minutes of data), by clicking on this area and scrolling in the past in the pop-up calendar that opens;
■ a drop-down list (previous screenshot): allows choosing the time span:
– min: evolution quadrants display 3 hours of per minute* information, and the user can scroll in the past; the flows list displays values averaged over a minute*. All views (unless frozen) are automatically refreshed every minute*.
* The period can also be 5 or 15 minutes, if the Collect period has been set to 5 or 15 minutes respectively (see the Domains’ parameters in ip|uniboss).
– hour: evolution quadrants display up to 3 days of hourly aggregated information; the flows list displays values averaged over an hour. All views (unless frozen) are automatically refreshed every hour.
Example: Throughput Evolution quadrant, with time span: hour
The lifetime of the data and the ability to aggregate hourly data depend on the storage parameters in ip|uniboss’ Domain window.
■ a button to set the date and time to Now and unfreeze the view (the view is frozen when a date and time have been selected; the button is greyed when clicked);
■ a or button, in the Domain and Site views, allowing an easy and contextual access to the reports (see “Access to the reports” below).
■ a button, providing a contextual access to this very manual.
The first frame header is always visible (when scrolling down a view that is higher than the window height, the first frame header moves up with the rest of the view until it hits the top of the window, then it stays there):
First frame header
7. 2. 3. Reading ip|dashboard contents
ip|dashboard displays bar graphs, historical graphs, pie charts, chord diagrams and tables. The exact values of the various curves, fields, etc., can be read precisely:
Bar graphs and pie charts
■ You can read the exact values on a bar graph or on a pie chart by rolling over them with your mouse. A small pop-up then appears with the name of the field and its value:
Reading graphs and pies’ exact values
■ You can access a Site view by clicking on its bar in a bar graph.
■ You can access the Flows view, filtered to match an Application Group, by clicking this AG in a bar graph or in a pie chart. For instance, clicking on VideoStreaming in the “Application Groups by AQS” graph in the Domain view shows the flows belonging to the VideoStreaming AG:
Filtering the flows list by clicking on a graph (1)
Filtering the flows list by clicking on a graph (2)
Historical graphs
■ You can read the exact values on historical graphs by rolling over them with your mouse. A vertical bar then appears on the graph, with a pop-up indicating the exact time and the exact values of each curve at this time; the same vertical bar and pop-up also appear in the other historical graphs of the view, thus allowing a synchronized navigation and reading of all graphs:
Reading various historical graphs’ exact values at the same time
■ You can change the time (of the entire page) by clicking anywhere in these graphs; the time then changes to the clicked moment.
■ You can highlight any curve by rolling over its legend, and you can hide or show it by clicking its legend. In the example below, we just show the Top and High traffic, highlighting the High curve.
Playing with the legend
■ You can export any graph, both in PNG and CSV formats, by right-clicking it.
7. 2. 4. Access to the reports
From the Domain and Site views, one can access the corresponding reports thanks to the reports buttons at the right of the first frame header at the top.
To access the reports, click on the icon to display the reports list; for example:
7. 3. DOMAIN VIEW
Dashboard views
The Domain view shows two frames:
■ Quality Summary
■ Activity Summary
7. 3. 1. Quality Summary
This frame shows four graphs with the following information:
Domain - Quality Summary
AQS Evolution
Historical graph showing the evolution of the AQS for all flows, and for the Top, High, Medium and Low flows, on the whole Domain. The covered period and the granularity of the data depend on the time span (see “Frames and timing” above): it can be three hours of per-minute information, if the time span is the minute (then the user can scroll the past hours with the horizontal scroll bar at the bottom of the graph), or it can be the last three days of hourly averaged information, if the time span is the hour.
Site Overview
Pie chart showing the number of Sites (and the percentage of the total that they represent):
■ with an AQS higher than or equal to 9 (in green),
■ with an AQS between 6 and 9 (in yellow),
■ with an AQS lower than 6 (in red),
■ where the AQS could not be computed (“none”, in grey).
Application Groups by AQS
■ Bar graph showing the Top 10 Application Groups (i.e. the 10 AGs with the best quality) sorted by decreasing quality (the best AG of the Domain is displayed in the first bar on the left), with their AQS values displayed both as a number (between 0 and 10 with two decimals) and as a colored bar (the height of the bar indicates the value on the vertical axis and the color can take any hue between green (AQS = 10) and red (AQS = 0)).
■ By clicking on Worst 10 at the top of the bar graph, the 10 worst Application Groups are displayed, sorted by increasing quality (the worst AG of the Domain is displayed in the first bar on the left), with their AQS values.
Sites by AQS
■ This bar graph shows the Top 10 Sites (i.e. the 10 Sites with the best quality) sorted by decreasing quality (the best Site of the Domain is displayed in the first bar on the left), with their AQS values displayed both as a number (between 0 and 10 with two decimals) and as a colored bar (the height of the bar indicates the value on the vertical axis and the color can take any hue between green (AQS = 10) and red (AQS = 0)).
■ By clicking on Worst 10 at the top of the bar graph, the 10 worst Sites are displayed, sorted by increasing quality (the worst Site of the Domain is displayed in the first bar on the left), with their AQS values.
By clicking on a bar, a new window opens and shows detailed information for the selected Site.
7. 3. 2. Activity Summary
This frame shows two graphs with the following information:
Domain - Activity Summary
Throughput Evolution
Historical graph showing the evolution of the WAN throughput for the Top, High, Medium and Low flows (or any combination of these, according to the selection in the legend — by default, it shows all of them, i.e. the total WAN throughput), on the whole Domain. The covered period and the granularity of the data depend on the time span (see “Frames and timing” above): it can be three hours of per-minute information, if the time span is the minute (then the user can scroll the past hours with the horizontal scroll bar at the bottom of the graph), or it can be the last three days of hourly averaged information, if the time span is the hour.
Top by volume
Pie chart showing the names and volumes of the top 10:
■ Application Groups in volume (by clicking Top 10 Application Groups at the top of the graph; this is the default view),
■ Sites in volume of outgoing traffic (by clicking Top 10 Sites (LAN => WAN)),
■ Sites in volume of incoming traffic (by clicking Top 10 Sites (WAN => LAN)).
7. 4. SITES VIEW
Dashboard views
The Sites view gives access to the following information:
■ Overview
■ Sites
In the view bar, the total number of Sites currently configured on the Domain is displayed in parentheses (in the screenshot below: 100).
7. 4. 1. Overview
This frame shows two graphs with the following information:
Sites - Overview
AQS Evolution
Historical graph showing the evolution of the AQS for all flows, and for the Top, High, Medium and Low flows, on all the Sites of the Domain, i.e. for the whole Domain: it is identical to the “AQS Evolution” graph described in the previous section (please refer to that section for more details).
Throughput Evolution
Historical graph showing the evolution of the WAN throughput for the Top, High, Medium and Low flows on all the Sites of the Domain, i.e. for the whole Domain: it is identical to the “Throughput Evolution” graph described in the previous section (please refer to that section for more details).
7. 4. 2. Sites
This frame shows, for all Sites of the Domain, the following information:
Sites - Sites
■ Site: name of the Site; by clicking on that name, a new window opens with more details on the selected Site.
■ The Sites’ links usage and quality with, for each direction (LAN => WAN and WAN => LAN), the following fields:
– link size: WAN access throughput, as declared in ip|boss (max BW),
– link usage: usage of the link, displayed both as a percentage of the link size and as a bar, the size of which is proportional to the usage,
– AQS: quality of the link, displayed both as an AQS value (between 0 and 10) and as a color (between green (AQS = 10) and red (AQS = 0)).
■ The Sites’ Application Groups volume and quality, sorted by Criticality levels (Top, High, Medium, Low), with each square’s color representing the quality of the corresponding Application Group (in the same column) for the corresponding link (on the same line); it can take any hue between green (AQS = 10) and red (AQS = 0).
– you can read the exact values by hovering your mouse on the squares;
– clicking on a square opens a new window for the corresponding Site, where it filters the flows in the Site’s Real Time Flows list (see below) according to the selected Application Group: thanks to this feature, you can immediately access the details of any Application Group for any Site.
This view is automatically refreshed every minute (or every 5 or 15 minutes, according to the collect period — see the Domains’ parameters in ip|uniboss).
7. 4. 3. Searching for Sites / Filtering the Sites
At the top of the frame, one can use the text field to filter the Sites with their tags (corresponding to the fields “Folder”, “Subfolder” or “Tag” in the ip|engines creation window), or use the button next to this text field to open a map where the sites can be filtered by clicking their tags:
Filtering the Sites thanks to their tags
In this map, the size of the names is a representation of the size of the Sites, and their colors represent their quality — the exact AQS can be displayed by hovering the mouse on the names. If several names are selected, they will all be displayed and applied in the filter. They can be cleared by clicking the Clear button, applied by clicking the OK button or cancelled by clicking the Cancel button.
7. 4. 4. Downloading the data
It is possible to download a zipped CSV file containing all the sites’ information displayed in this frame, or to open it, with the “Download” button:
Downloading the data
7. 5. FLOWS VIEW
Dashboard views — Application flows in the Site view
Operating procedure table: ip|true service, ip|fast service, ip|xcomp service, ip|coop service, ip|xtcp service, ip|xapp service.
The Flows view shows two frames:
■ Overview
■ Application flows
In the view bar, the total number of flows currently running on the Domain is displayed in parentheses (in the screenshot below: 3366). In the Ipanema system, we call a “flow” all the sessions of a given application, from a given source to a given destination.
7. 5. 1. Overview
This frame shows two graphs with the following information:
Flows - Overview
AQS Evolution
Historical graph showing the evolution of the AQS for all flows, and for the Top, High, Medium and Low flows, on all the flows of the Domain, i.e. for the whole Domain: it is identical to the “AQS Evolution” graph described in the Domain view section above (please refer to that section for more details).
Throughput Evolution
Historical graph showing the evolution of the WAN throughput for the Top, High, Medium and Low flows for all the flows of the Domain, i.e. for the whole Domain: it is identical to the “Throughput Evolution” graph described in the Domain view section above (please refer to that section for more details).
7. 5. 2. Application flows
The top of the view contains four filters (see 7.5.2.1) and the rest of the view shows:
■ either the detailed flows list (by default; see 7.5.2.2)
■ or a flows map (chord diagram; see 7.5.2.3).
One can toggle between the two views with the corresponding button.
In either case, the information displayed matches the selected filters (all flows on the Domain if no filter was selected).
Flows - Application flows
7. 5. 2. 1. Filters
It is possible to filter the flows by AQS, moving the two cursors of the AQS filter at the top of the frame (e.g. to see the “bad” flows only (AQS France > Paris); the cursor shows a down arrow; the zoom level is represented by external arcs, displayed when one zooms in;
■ zoom out by clicking on the external arcs; the cursor shows an up arrow.
Zooming in the flows map
Hovering the mouse on any arc (without clicking) shows only the flows between that arc and the others (instead of the whole matrix between all pairs of arcs) (see below).
The colors of the flows and their extremities indicate the quality (between green (AQS = 10) and red (AQS = 0)). The color is strong for the flows, pale for the extremities. The exact AQS of both the flows and their extremities can be displayed by hovering the mouse on these objects.
There is a maximum number of flows that can be displayed simultaneously (a diagram showing thousands of flows would be unreadable, and therefore useless). If this maximum number is exceeded, the map is replaced by a message telling you that there are too many groups to display, and that you should refine your filter: use the filters to concentrate on the flows you want to see.
Flows map with “too much zoom” and “too many” chords displayed
When the map is opened, it shows the “Folders” level (e.g. the flows between continents). Out of Domain is displayed on its own, indicated by an arrow.
Hovering the mouse on an extremity hides the traffic between the other extremities and displays this extremity’s details (volume and quality) in a pop-up. Here for instance, we show the traffic between Asia and the rest of the world:
Flows map, showing the traffic flows of one extremity
Clicking on an extremity or on its name (e.g. Asia) allows zooming in this extremity (e.g. continent), breaking it up into the next level (here: countries). So here for instance, we are zooming into Asia to see the traffic between each Asian country and the rest of the world (still displayed as continents):
Flows map, zooming from a continent (folder) into its countries (subfolders)
It is possible to zoom in again, from a country (subfolder) to its Sites...
Flows map, zooming from country (subfolder) to its Sites
... and from a Site to its NAPs (when there are several NAPs on the Site).
Use the Reset button to reset the view.
The three switches at the top left of the diagram allow changing some display settings: LAN=>WAN / WAN=> LAN, Per link usage / Per throughput and Traffic only / All groups. By default, the three switches are in the “LAN=>WAN”, “Per link usage” and “Traffic only” positions:
Flows map, with the three switches in their default positions
■ The [LAN=>WAN / WAN=> LAN] switch allows changing the direction of the flows displayed.
■ [Per link usage / Per throughput] allows showing traffic chords with a size proportional to:
– the links (“Per link usage”); arc = available bandwidth; chords = traffic; in the example above, we can see that in South America, about a third of the bandwidth is used (we can read the exact percentage by hovering the mouse on the arcs);
– the throughput (“Per throughput”); arc = sum of the chords = total traffic: the traffic is displayed independently of the available bandwidth.
Flows map, displaying the link usage (“Per link usage”)
■ [Traffic only / All groups] allows displaying extremities with traffic matching the filters only (“Traffic only”) or all the groups where traffic is also present (but without matching the selected filters).
The three switches can be combined to display the desired information. Here for instance, we want to see the traffic from Las Vegas to Sao Paulo (LAN=>WAN), as a proportion of the links on these Sites (“Per link usage”), showing the other links as well (“All groups”), so that we can see what the traffic from Las Vegas to Sao Paulo represents on the whole Domain (i.e. also displaying the other Sites of the Domain):
Flows map, displaying the link usage between two Sites, on the whole Domain
By removing the “Remote Sites” filter, we can now see, on the same diagram, the traffic from Las Vegas to all remote sites (with the one between Las Vegas and Sao Paulo highlighted):
Flows map, displaying the link usage between a Site and all the remote ones, on the whole Domain
At any level of the map, clicking on a chord opens the flows list, automatically filtered to display the flows corresponding to the selected chord.
Exporting the maps
Right-clicking the map opens a contextual menu that allows exporting it, either as a graph (PNG format) or as raw data (CSV format):
Exporting the application flows map
The frame that opens has two tabs:
■ Chart, which allows downloading the map as a PNG image:
Downloading a map’s image
Three check boxes allow displaying or hiding the Borders, the Date and Time and the Title.
■ Data, which allows downloading the map as CSV data:
Downloading the map’s data
In either case, use the button to download the data. Depending on the Operating System being used, a menu appears, allowing you either to save the data on disk or to open it with the appropriate software program.
7. 5. 3. Real Time Graphs
From any flow in the Detailed flows list described above, one can open a Real Time Graph, which is a 12-minute window showing the evolution of the above metrics with additional polling every 10 seconds. Up to four graphs can be open on a Domain, simultaneously.
To access the Real Time Graphs, right click on a flow and select “Start Real Time Graph”:
Flows contextual menu
Pop-up windows must not be blocked in your web browser.
Real Time Graph
A Real Time Graph is empty when it starts. You can see some data after 10 to 20 seconds.
The graph window contains four tabs, and each tab is made of 4 graphs, displayed simultaneously:

| Tab | Graphs | What is shown |
| --- | --- | --- |
| OVERVIEW | Avg. Delay (ms) | LAN-TO-LAN (in blue) and WAN-TO-WAN (in orange) average delays |
| OVERVIEW | Packet loss (%) | LAN-TO-LAN (in blue) and WAN-TO-WAN (in orange) packet losses |
| OVERVIEW | Avg. sessions | Average number of sessions |
| OVERVIEW | Throughput (kbps) | LAN-TO-LAN (in blue) and WAN-TO-WAN (in orange) Throughputs |
| LAN | Delay (ms) | LAN-TO-LAN maximum (in red), average (in blue) and minimum (in green) delays |
| LAN | Packet loss (%) | LAN-TO-LAN packet loss |
| LAN | Jitter (ms) | LAN-TO-LAN jitter |
| LAN | Throughput (kbps) | LAN-TO-LAN layer 3 (in blue) and layer 4 (in green) throughputs |
| WAN | Delay (ms) | WAN-TO-WAN maximum (in red), average (in blue) and minimum (in green) delays |
| WAN | Packet loss (%) | WAN-TO-WAN packet loss |
| WAN | Jitter (ms) | WAN-TO-WAN jitter |
| WAN | Throughput (kbps) | WAN-TO-WAN layer 3 throughput |
| TCP | SRT (ms) | Maximum (in red), average (in blue) and minimum (in green) Server Response Time |
| TCP | RTT (ms) | Maximum (in red), average (in blue) and minimum (in green) Round Trip Time |
| TCP | Retransmission (%) | TCP retransmissions |
| TCP | Throughput (kbps) | Layer 3 (in blue) and layer 4 (in green) TCP throughputs |

In case of control and/or compression, the LAN and WAN values can be very different. If the upstream or downstream ip|engine is not synchronized, or if the flow is between an equipped site and a tele-managed site, then the delay, jitter and packet loss are not measured.
Exporting the graphs
Right-clicking any graph opens a contextual menu that allows exporting it, either as a graph (PNG format) or as raw data (CSV format):
Exporting the Real Time Graphs
The frame that opens has two tabs:
■ Chart, which allows downloading the graph as a PNG image:
Downloading a graph’s image
Three check boxes allow displaying or hiding the Borders, the Date and Time and the Title.
■ Data, which allows downloading the graph as CSV data:
Downloading the graph’s data
In either case, use the button to download the data. Depending on the Operating System being used, a menu appears, allowing you either to save the data on disk or to open it with the appropriate software program.
7. 5. 4. Discovery
From any flow in the flows list described above (7.5.1), one can open a Discovery agent, which polls additional information on the selected ip|engine.
To access the Discovery function, right click on a flow and select “Start Discovery”:
Flows contextual menu
It opens a Single Site view for the selected Local Site, with the Discovery frame open and the corresponding filters automatically set. Please refer to the next section for its description.
7. 6. SINGLE SITE VIEW
Dashboard views
A Site view can be opened for any Site by clicking on its name or bar in the previous views (Domain or Sites). It gives access to the following frames:
■ Quality Summary
■ Activity Summary
■ Throughput Summary per NAP
■ Application flows
■ Discovery
7. 6. 1. Quality Summary
This frame shows two graphs with the following information:
Site - Quality Summary
AQS Evolution
Historical graph showing the evolution of the AQS for all flows, and for the Top, High, Medium and Low flows, on the selected Site. It is similar to the “AQS Evolution” graph described in the Domain view section above, but at the Site level (please refer to that section for more details).
Application Groups by AQS
■ This bar graph shows the Top 10 Application Groups (i.e. the 10 Application Groups with the best quality) sorted by decreasing quality (the best Application Group of the Site is displayed in the first bar on the left), with their AQS values displayed both as a number (between 0 and 10 with two decimals) and as a colored bar (the height of the bar indicates the value on the vertical axis and its color can take any hue between green (AQS = 10) and red (AQS = 0)).
■ By clicking on Worst 10 at the top of the bar graph, the 10 worst Application Groups are displayed, sorted by increasing quality (the worst Application Group of the Site is displayed in the first bar on the left), with their AQS values.
7. 6. 2. Activity Summary
This frame shows four graphs with the following information:
Site - Activity Summary
Top Application Groups by volume
This pie chart shows the following information, with their names and volumes:
■ top 10 AGs in volume of outgoing traffic (by clicking Top 10 Application Groups (LAN => WAN) at the top of the graph),
■ top 10 AGs in volume of incoming traffic (by clicking Top 10 Application Groups (WAN => LAN) at the top of the graph).
Clicking on an Application Group in the chart automatically filters the traffic for that Application Group in the Real Time Flows frame below (see below).
Top Remote Sites by volume
This pie chart shows the following information, with their names and volumes:
■ top 10 Remote Sites in volume of traffic sent to these Sites (by clicking Top 10 Remote Sites (LAN => WAN) at the top of the graph),
■ top 10 Remote Sites in volume of traffic received from these Sites (by clicking Top 10 Remote Sites (WAN => LAN) at the top of the graph).
LAN => WAN Throughput Evolution Per Criticality
This historical graph shows the evolution of the WAN throughput of the outgoing traffic, by criticality level (Top/High/Medium/Low).
WAN => LAN Throughput Evolution Per Criticality
This historical graph shows the evolution of the WAN throughput of the incoming traffic, by criticality level (Top/High/Medium/Low).
7. 6. 3. Throughput Summary per NAP
This frame shows two graphs with the following information:
Site - Throughput Summary per NAP
LAN => WAN Throughput Evolution
This historical graph shows:
■ the ingress bandwidth of the Site (“B/w”, dotted black line), corresponding to the “Ingress max. B/W” in the WAN access configuration window,
■ the evolution of the ingress LAN-to-LAN throughput (measured on the LAN interface of the ip|engine, “LAN”, in blue and in the background),
■ the evolution of the ingress WAN-to-WAN throughput (measured on the WAN interface of the ip|engine, “WAN”, in orange and in the foreground).
■ As the WAN-to-WAN throughput is displayed in front of the LAN-to-LAN throughput, when both are equal (i.e., when the traffic is not compressed), only the WAN-to-WAN throughput (orange area) is visible. It can be hidden by clicking “WAN” in the legend, thus revealing the LAN-to-LAN throughput (blue area) behind it (LAN-to-LAN throughput can also be hidden, by clicking “LAN” in the legend).
■ When the LAN-to-LAN throughput is higher than the WAN-to-WAN throughput (i.e., when the traffic is compressed), the blue area above the orange area corresponds to the bandwidth “saved” thanks to compression (difference between LAN-to-LAN throughput and WAN-to-WAN throughput).
WAN => LAN Throughput Evolution
This historical graph shows:
■ the egress bandwidth of the Site (“B/w”, dotted black line), corresponding to the “Egress max. B/W” in the WAN access configuration window,
■ the evolution of the egress LAN-to-LAN throughput (measured on the LAN interface of the ip|engine, “LAN”, in blue and in the background),
■ the evolution of the egress WAN-to-WAN throughput (measured on the WAN interface of the ip|engine, “WAN”, in orange and in the foreground).
Same remarks as above.
The same two graphs are displayed for each NAP.
7. 6. 4. Application flows
This frame shows the same information as described above (7.5 Flows view), but for the selected Site as the Local Site (so the Local Sites filter is not necessary here, which is why there are three filter frames instead of four). Please refer to that section. It may not be visible for some Users, depending on their rights (as defined in ip|uniboss).
Site - Application flows, Detail
Site - Application flows, Map
7. 6. 5. Discovery
Operating procedure table
This frame allows polling more information from an ip|engine. It may not be visible for some Users, depending on their rights (as defined in ip|uniboss).
Site - Discovery
The Discovery function consists of creating a Discovery agent for the selected ip|engine (one agent maximum per ip|engine) to collect additional data (as compared to the data already collected and displayed in the Real Time Flows list — see above).
To use the Discovery function:
1. Set the appropriate filters (see 7.6.5.1),
2. Start the Discovery agent (see 7.6.5.2),
3. Check the results (see 7.6.5.3),
4. Stop the Discovery agent (see 7.6.5.2).
7. 6. 5. 1. Filters
The flows can be filtered according to multiple criteria, using the 5 drop-down lists and 2 check boxes surrounding the network diagram:
■ Template: three templates can be used to filter:
– Out of local subnets: (= out of local config) packets crossing the ip|engine, but where neither the source IP address nor the destination IP address belongs to one of its Topology subnets (this traffic is called Transit traffic); these flows are not measured individually by the ip|engine; instead, only their global volume is measured and reported (i.e., these flows are not present in the Real Time Flows list nor in any report, except in the Site Analysis reports, which show the volume of “Transit traffic”).
– Unrecognized Application: packets belonging to applications which are not recognized by the ip|engine’s syntax engine, which were not declared in ip|boss and which do not use well-known ports,
– Out of Domain: sent packets with a destination IP address which does not belong to a declared Topology subnet, or received packets with a source IP address which does not belong to a declared Topology subnet (in either case, these packets will match the “Out of Domain” Topology subnet, 0.0.0.0/0, which is in the system by default, so it does not have to be declared).
■ Local User Subnet: to filter the data using a User subnet declared in ip|boss for the local Site,
– An “Out of Local Config.” check box allows, if checked, displaying only the traffic which does not belong to the local configuration (see Out of local subnets above).
■ Remote User Subnet: to filter the data using a User subnet declared in ip|boss for a remote Site,
■ Remote Site: to filter the data using a User subnet declared in ip|boss for a remote Site,
■ Application: to filter the data according to one application,
– An “Out of config” check box allows, if checked, discovering the port number used by the unrecognized applications (see above).
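The three Template definitions above can be read as membership tests on Topology subnets. The following Python sketch is an added example, not Ipanema code: it applies those definitions literally to constructed packets, and the subnets, the `Packet` record and its field names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed topology (assumption): Topology subnets declared for the local
# Site, and for every Site of the Domain (the local Site included).
LOCAL_TOPOLOGY = [ipaddress.ip_network("10.1.0.0/16")]
DOMAIN_TOPOLOGY = LOCAL_TOPOLOGY + [
    ipaddress.ip_network("10.2.0.0/16"),
    ipaddress.ip_network("10.3.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    """Hypothetical record of one packet seen by the local ip|engine."""
    src: str
    dst: str
    direction: str                 # "LAN=>WAN" (sent) or "WAN=>LAN" (received)
    recognized: bool = True        # identified by the syntax engine
    declared: bool = False         # application declared in ip|boss
    well_known_port: bool = True   # uses a well-known port


def _in_any(address, subnets):
    """True when the address belongs to at least one of the subnets."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in subnets)


def matching_templates(pkt, local=LOCAL_TOPOLOGY, domain=DOMAIN_TOPOLOGY):
    """Return the set of Discovery templates whose definition the packet meets."""
    if pkt.direction not in ("LAN=>WAN", "WAN=>LAN"):
        raise ValueError(f"unknown direction: {pkt.direction!r}")
    templates = set()
    # Transit: neither end belongs to the local Site's Topology subnets.
    if not _in_any(pkt.src, local) and not _in_any(pkt.dst, local):
        templates.add("Out of local subnets")
    # Out of Domain: the far end (destination when sent, source when
    # received) is in no declared subnet, so only 0.0.0.0/0 matches it.
    far_end = pkt.dst if pkt.direction == "LAN=>WAN" else pkt.src
    if not _in_any(far_end, domain):
        templates.add("Out of Domain")
    # Unrecognized: all three ways of identifying the application failed.
    if not (pkt.recognized or pkt.declared or pkt.well_known_port):
        templates.add("Unrecognized Application")
    return templates


def template_counts(packets):
    """Count, per template, how many packets it would select."""
    counts = Counter()
    for pkt in packets:
        counts.update(matching_templates(pkt))
    return counts


# Constructed sample traffic (documentation and private address ranges).
SAMPLE = [
    Packet("10.1.5.20", "10.2.0.8", "LAN=>WAN"),          # normal intra-Domain
    Packet("10.1.5.20", "203.0.113.7", "LAN=>WAN",
           recognized=False, well_known_port=False),      # unknown app, external
    Packet("172.16.9.1", "10.2.0.8", "LAN=>WAN"),         # transit through the Site
    Packet("198.51.100.4", "10.1.5.20", "WAN=>LAN"),      # inbound from outside
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.src, "->", pkt.dst, sorted(matching_templates(pkt)))
    print(dict(template_counts(SAMPLE)))
```

A packet can meet more than one definition, which is why the function returns a set; in ip|dashboard the Template drop-down list selects one of them at a time.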
7. 6. 5. 2. Start/stop a Discovery agent
A Discovery agent can be started or stopped with the Start and Stop buttons at the right of the Discovery frame header:
Start/Stop Discovery agents
If the Start button is greyed and the Stop button is visible, it means that a Discovery agent is running on the ip|engine.
Discovery agents consume resources, and they are not meant to run permanently. So when you have found what you were looking for thanks to a Discovery agent, do not forget to stop it.
The indicator LED Discovery in ip|boss main window turns amber when a Discovery agent is running.
7. 6. 5. 3. Result table
According to the configuration rules, this Discovery agent will collect the following data and send them to ip|boss:
Local IP: local IP address
Remote IP: remote IP address
Application: name of the application, displayed as follows:
■ when the application is recognized: “A (b)”, where “A” is the name declared in ip|boss and “b” is the application recognized by the syntax engine:
– for a “standard” application (e.g. FTP) it reads: “FTP (ftp)”,
– for an application with a specific declaration in ip|boss (e.g. Ping_X is declared as follows: protocol: ICMP; User subnet: X), it reads: “Ping_X (icmp)”,
– for an application which is not recognized by the ip|engine’s syntax engine, but which is declared in ip|boss, it reads: “ (unknown)”
■ when the application is not recognized (it is not recognized by the ip|engine and it has not been declared in ip|boss), it displays the layer 4 protocol and the port number.
LAN => WAN Packets: number of ingress packets
LAN => WAN Bytes: number of ingress bytes
LAN => WAN Sessions: number of ingress sessions
WAN => LAN Packets: number of egress packets
WAN => LAN Bytes: number of egress bytes
WAN => LAN Sessions: number of egress sessions
%: percentage of traffic that each line represents over the total, in terms of LAN=>WAN Packets, LAN=>WAN Bytes, LAN=>WAN Sessions, WAN=>LAN Packets, WAN=>LAN Bytes or WAN=>LAN Sessions, according to the “Sort by” choice
Discovery result table
The counters are cleared at each start of a Discovery agent.
The result can be downloaded in CSV format by clicking on the button at the right of the Discovery frame header.
Display settings
The results can be displayed in different ways, thanks to 6 drop-down lists below the network diagram:
■ Local IP:
– Detail: the local IP addresses are displayed (so different local IP addresses will always be displayed on different lines),
– Group: the local IP addresses are not displayed (and all flows with the same remote IP address and same application will be merged on one line, even if they have different local IP addresses).
■ Remote IP:
– Detail: the remote IP addresses are displayed (so different remote IP addresses will always be displayed on different lines),
– Group: the remote IP addresses are not displayed (and all flows with the same local IP address and same application will be merged on one line, even if they have different remote IP addresses).
■ Application:
– Detail: the application names are displayed (so different applications will always be displayed on different lines),
– Group: the application names are not displayed (and all flows with the same local IP address and same remote IP address will be merged on one line, even if different applications are running between these two addresses).
■ Top:
– 20: shows the 20 most significant results (in Packets, Bytes or Sessions, according to the field used to sort the data),
– 50: shows the 50 most significant results,
– 100: shows the 100 most significant results.
■ Sort by: it is possible to sort the data according to the number of:
– LAN => WAN Bytes,
– LAN => WAN Packets,
– LAN => WAN Sessions,
– WAN => LAN Bytes,
– WAN => LAN Packets,
– WAN => LAN Sessions.
It is also possible to sort the data by clicking on the column headers.
■ Period:
– 10 s: the results are refreshed every 10 seconds,
– 1 mn: the results are refreshed every minute,
– 5 mn: the results are refreshed every 5 minutes.
CHAPTER 8. OPTIMIZING SSL (IP|DASHBOARD)
Document organization
This chapter describes the SSL optimization feature.
8.1. OVERVIEW
The SSL Optimization feature is actually an enabler for applying any Ipanema optimization service to SSL encrypted flows (the “main” optimization service being ip|xcomp SRE).
8.1.1. Deployment
SSL Optimization can apply wherever SRE-capable appliances (i.e. ip|engines ax models) are deployed on the flow’s path, on both sides of the WAN (branch-side and datacenter-side).
8.1.2. Applications
SSL Optimization applies to any application over SSL. This includes (but is not limited to):
■ 443 HTTPS (HTTP over SSL),
■ 636 LDAPS (LDAP over SSL),
■ 992 TelnetS (Telnet over SSL),
■ 993 IMAPS (IMAP over SSL),
■ 994 IRCS (IRC over SSL),
■ 995 POP3S (POP3 over SSL),
■ 5061 SIPS (SIP over SSL).
SSL Optimization does not apply to applications that are not over SSL (anything over IPSec, encrypted MAPI, encrypted SMBv2, SSH …).
8.1.3. Principles
The datacenter-side ip|engine acts as an SSL proxy and intercepts the SSL handshake between the client and the server.
SSL proxy
The SSL proxy re-signs server certificates on the fly, using a “proxy CA certificate” that is provided by the end-user company’s IT. Therefore, the certificate that the client application (e.g. an HTTPS browser) shows is not the original one, but a clone of it, issued by the SSL proxy and signed with the “proxy CA certificate”.
SSL certificate
Once the security parameters are negotiated on both sides of the proxy connection (client-to-proxy and proxy-to-server), the session keys are sent over a secure encrypted tunnel to the branch-side ip|engine.
Exchanging the session key
Then both ip|engines can decrypt and re-encrypt the flows, hence enabling any optimization service to work on the decrypted traffic.
Optimizing SSL encrypted flows
8.2. CONFIGURATION
Enabling SSL optimization requires a simple four-step configuration process in the ip|dashboard SSL configuration page:
ip|dashboard SSL configuration page
1. Configure domain-wise trusted proxy CA credentials (see 8.2.1.);
2. Select SSL proxy enabled sites (see 8.2.2.);
3. Select optimization enabled SSL servers (see 8.2.3.);
4. (optional) Customize the SSL Proxy Certificate Trust Store (see 8.2.4.).
8.2.1. Configure domain-wise trusted proxy CA credentials
To configure domain-wise trusted proxy CA credentials (certificate and private key), open the Certificate Authority frame (by clicking on the frame header; for more information on the ip|dashboard GUI, please refer to section 7.2.):
Certificate Authority frame
From there you can:
■ either import a Certificate existing in your IT environment, by clicking the Import button:
Import a Certificate
If the Proxy CA Private key you import is encrypted with a passphrase, this passphrase must also be provided to the ip|engines belonging to SSL proxy enabled Sites. Please refer to the ip|engines installation manuals.
■ or generate a Certificate, by clicking the Generate button (then you should export it to your IT trust-store, using the Export button):
Generate a Certificate
The following fields can be specified (bold characters: mandatory; standard characters: optional):
– Common name (CN),
– Passphrase (has to be entered twice, if used): to be used if you want the Proxy CA Private key to be encrypted with a passphrase, to raise the security level of SSL Optimization (see 8.3. SECURITY AND LEGALS). In that case, the passphrase must also be provided to the ip|engines belonging to SSL proxy enabled Sites. Please refer to the ip|engines installation manuals.
– Expiration date,
– Organizational Unit (OU),
– Organization (O),
– Country (C),
– State (ST),
– Locality (L).
In either case, the proxy CA certificates must be in your workstations’ trust-store.
8.2.2. Select SSL proxy enabled sites
The SSL Proxy and SSL Server frame allows selecting the SSL proxy enabled sites and SSL servers. The left part of the frame allows selecting the SSL proxies:
SSL proxy
■ Click Add,
■ Select the Sites you want to enable and push them to the right with the single arrow pointing to the right (second icon; the double arrow, first icon, can be used to select all Sites in a single click),
■ Select “Activated” in the “SSL Optimization” drop-down list;
■ Click Ok.
Then the selected Sites appear with a green LED in the Status column. All ip|engines that belong to these Sites (and only those) will be able to proxy SSL flows. All sites where your enabled SSL servers are hosted should be on that list. If you want to optimize traffic to the cloud, the site where your gateway is hosted should be on that list, too.
It is also possible to select Sites you do not want to be SSL proxies, by doing the same as above, but selecting “Desactivated” in the “SSL Optimization” drop-down list. These Sites appear with a grey LED in the Status column.
You can select the declared Sites (activated or deactivated) by clicking the checkboxes before their names, or by using the selection menu:
Selection menu
The following operations can be performed for the selected Sites:
■ their statuses can be displayed with the “Show status” button:
SSL status
■ they can be activated with the “Activate” button,
■ they can be deactivated with the “Deactivate” button,
■ they can be removed with the “Remove” button.
8.2.3. Select optimization enabled SSL servers
The right part of the SSL Proxy and SSL Server frame allows providing the list of SSL optimization enabled servers:
SSL server
■ Click Add,
■ Enter:
– either the SSL server’s IPv4 address, followed by the port number if needed (example: 1.1.1.1:123),
– or the SSL server’s common name (example: *.ipanematech.*),
■ Select “Activated” in the “SSL Optimization” drop-down list;
■ Click Ok.
All flows to these servers can be deciphered and optimized by the ip|engine before being re-ciphered and forwarded. It is also possible to select SSL servers you do not want to decipher or optimize, by doing the same as above, but selecting “Desactivated” in the “SSL Optimization” drop-down list.
8.2.4. Customize the SSL Proxy Certificate Trust Store
The SSL Proxy Certificate Trust Store frame allows customizing the SSL Proxy Certificate Trust Store. It is configured with a set of standard institutional certificates by default. You can add your own corporate CA certificates, and/or remove all those you do not need.
SSL Proxy Certificate Trust Store
This frame contains three windows, accessible with three tabs:
■ Current Domain Custom Trust Store, where you can import Trusted Certificates, activate them, deactivate them and remove them,
■ Default Trust Store, that shows the list of standard institutional certificates; they can be activated or deactivated;
■ Current Domain Trust Store Summary, that displays a summary of the current Domain Trust Store.
8.3. SECURITY AND LEGALS
8.3.1. Security
To enable the SSL proxy, it must be provided with the “proxy CA certificate” and the associated “private key”. In practice, these security elements enable the SSL proxy to transparently inspect and decrypt any SSL flow on the network. The system must therefore enforce strict protection of these security elements.
Proxy CA Certificate, Private key and passphrase
The Proxy CA certificate and private key are stored on the ip|boss server and distributed by ip|boss to all authorized ip|engines; to prevent any third party (carrier, provider…) from using these files (and hence being able to proxy and inspect SSL encrypted flows in the Domain), the user can encrypt the private key with a secret passphrase that only the customer knows (see 8.2.1.). This optional Proxy CA private key passphrase, if used, must be entered in all ip|engines that are required to act as SSL proxies (datacenter-side sites). It must and can only be entered by a specific user, namely the end-user’s IT. Please refer to the ip|engines installation manuals.
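The re-signing described in 8.1.3, the trust-store requirement of 8.2.1 and the passphrase protection described above can be reproduced with the OpenSSL command line. This is an added example, not Ipanema code: every subject, file name and the passphrase are constructed, and it assumes PEM files and an `openssl` binary in the PATH.

```shell
#!/bin/sh
# Added example, not Ipanema code. Subjects, file names and the passphrase are
# constructed; PEM files and an openssl binary in the PATH are assumed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PROXY_CA_PASS='constructed-passphrase'   # stands in for the optional passphrase of 8.2.1
export PROXY_CA_PASS                     # read by openssl through env:, kept out of argv
SERVER_SUBJ='/O=Example Corp/CN=intranet.example.test'

# Proxy CA: self-signed certificate whose private key is encrypted with the passphrase.
make_proxy_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 2 \
        -subj '/O=Example Corp/CN=Example Proxy CA' -passout env:PROXY_CA_PASS \
        -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.crt" 2>/dev/null
}

# Origin side: a constructed public CA and the server certificate it issued.
make_origin() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/O=Constructed Public CA/CN=Constructed Public Root' \
        -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "$SERVER_SUBJ" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 2 \
        -CA "$WORK/public-ca.crt" -CAkey "$WORK/public-ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Clone: same subject as the server certificate, new key pair, signed by the proxy CA.
make_clone() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SERVER_SUBJ" \
        -keyout "$WORK/clone.key" -out "$WORK/clone.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/clone.csr" -sha256 -days 2 \
        -CA "$WORK/proxy-ca.crt" -CAkey "$WORK/proxy-ca.key" -passin env:PROXY_CA_PASS \
        -CAcreateserial -out "$WORK/clone.crt" 2>/dev/null
}

# Returns 0 when the PEM private key in $1 is passphrase-protected
# (PKCS#8 header or legacy OpenSSL "Proc-Type" header).
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Returns 0 when the private key in $1 can be loaded with the passphrase in $2.
key_opens_with() {
    KEY_TRY_PASS="$2" openssl pkey -in "$1" -passin env:KEY_TRY_PASS -noout 2>/dev/null
}

# Returns 0 when certificate $2 chains to the CA file $1 (the "trust store").
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Returns 0 when the certificate in $1 names the CA certificate in $2 as its issuer,
# i.e. the certificate is a re-signed clone when $2 is the proxy CA.
issued_by() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

report() {   # prints yes/no for the check given as a command line
    if "$@"; then echo yes; else echo no; fi
}

run_demo() {
    make_proxy_ca && make_origin && make_clone || return 1
    echo "proxy CA key encrypted:            $(report key_is_encrypted "$WORK/proxy-ca.key")"
    echo "proxy CA key opens without secret: $(report key_opens_with "$WORK/proxy-ca.key" '')"
    echo "original trusted via public CA:    $(report trusted_by "$WORK/public-ca.crt" "$WORK/server.crt")"
    echo "clone trusted via public CA:       $(report trusted_by "$WORK/public-ca.crt" "$WORK/clone.crt")"
    echo "clone trusted via proxy CA:        $(report trusted_by "$WORK/proxy-ca.crt" "$WORK/clone.crt")"
    echo "clone issued by proxy CA:          $(report issued_by "$WORK/clone.crt" "$WORK/proxy-ca.crt")"
}
run_demo
```

The clone validates only on workstations whose trust-store contains the proxy CA certificate, and the `issued_by` comparison against the exported proxy CA certificate tells a re-signed session from one served with the original certificate.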
8.3.2. Legals
Ipanema’s SSL proxy cryptographic functions rely on the standard open-source OpenSSL toolkit. The OpenSSL cryptographic libraries are used unmodified in order to take full advantage of the standard. The OpenSSL toolkit has been approved by the US Department of Commerce for export as a mass-market encryption product with >64 bit encryption. It is the end-user’s responsibility to ensure that using this library is also permitted without restriction in their local country. It is also the responsibility of the end-user’s IT to make sure that SSL flow inspection is used in compliance with current local legal policies and with respect for the privacy of the company’s collaborators.
CHAPTER 9. REPORTING (IP|REPORTER)
Document organization
This chapter describes capabilities for communication with external systems via an SNMP agent. This function allows measures to be archived on an external system, whether they are optimized or not. The data available via the MIB depend on the MetaViews configured in the system.
9.1. MIB ACCESS
9.1.1. MIB
The description files are available in the ip|boss directory:
“~/salsa/ipboss/server/interface/ipanema-technologies.mib”
“~/salsa/ipboss/server/interface/ipanema-technologies-notifications.mib”
9.1.2. SNMP
Measures can be used via a MIB access thanks to an SNMP agent included in the ip|boss software. The UDP port used by this agent must be configured, Domain per Domain (a different port must be declared for each Domain), in ip|uniboss. Access to the agent is read-only with the SNMPv2c protocol. The Community name is public (default value, can be configured by the user). The SNMP agent instantiates the system and SNMP groups as well as a private MIB. The SNMP agent is updated every Short reporting period (as defined in the Domain configuration, see chapter 3).
9.2. IP|REPORTER
This section describes the reporting system, ip|reporter, made by Ipanema Technologies.
9.2.1. Ipanema Architecture
The Ipanema solution architecture is composed of the following system elements:
■ ip|boss is the centralized management software for the Ipanema performance management system which runs on a standard Solaris or Windows platform. Through the ip|boss, business objectives are communicated to ip|engines and measurement data are collected.
■ ip|engines are software/hardware appliances that automatically measure and control network and application performance. Using the business objectives defined by the company, ip|engines work together as a real-time system to measure network performance and utilization, and to manage application service levels.
■ ip|reporter is a full-service report generating utility. It provides a global view of service levels for each application, as well as detailed, metrics-based reports for problem diagnostics. The ip|reporter is a reporting tool powered by InfoVista and based on an OEM agreement.
InfoVista can operate with real-time data or deferred-time data. Real-time data, such as SNMP data, is retrieved from the ip|boss at regular intervals by polling the resource and requesting specific information about the behavior of the resource. These data give up-to-date information about IS behavior. Deferred-time data is external to the SNMP world. It has its source in existing log files (a web site log file, for example) or databases. It is batch-loaded onto the InfoVista server some time after it was generated. InfoVista uses these data to calculate Indicators in the same way as it handles real-time data. In fact, when the data is displayed on a report, the origin of the resource data is totally transparent to the user.
■ SNMP (System MIB): collection of measurements, interfaced with the SNMP agent of ip|boss.
9.2.2. Ipanema’s ip|reporter architecture
Ipanema Technologies’ ip|reporter is the easy to use report generating component of Ipanema’s service level management system. Using information gathered from ip|engines performance measurement and control appliances, and aggregated by the ip|boss management software, ip|reporter generates sophisticated reports showing network performance and utilization. These reports summarize real-time as well as historic data that an enterprise can use to appropriately size a network, thus reducing WAN operating costs significantly, while improving or maintaining application performance levels. ip|reporter includes embedded report generation software which handles all user interface functions. Ipanema’s ip|reporter is powered by InfoVista. ip|reporter can be purchased without InfoVista software, if an enterprise already owns the software package. ip|reporter should run on a dedicated server. Depending on the InfoVista platform being used, Vista-Foundation 0 (VF0) or Vista-Foundation 4 (VF4), there are two different possible architectures.
■ ip|reporter architecture with InfoVista’s VF0 platform
ip|reporter runs in client/server mode. The server processes (InfoVista) collect data from the ip|boss SNMP agent. The rich client (IVreport) is the GUI (graphical user interface) that displays the reports. The reports can also be visualized through a web client, using VistaPortal SE’s web server (refer to section “ip|reporter web edition”).
ip|reporter architecture with InfoVista’s VF0 platform
■ ip|reporter architecture with InfoVista’s VF4 platform
VistaFoundation 4 is a set of InfoVista products working in conjunction with each other in an N-tier architecture:
ip|reporter architecture with InfoVista’s VF4 platform
– Administration: VistaCockpit provides a centralized view of the distributed system and thus helps to maintain a coherent configuration over the lifetime of the project. From the Cockpit console, an administrator can configure components in a homogeneous fashion, debug the system, and automate the administrator’s tasks (such as debugging data, InfoVista Server backup, etc.)
– Consolidation: this layer consists of just one product, VistaMart, which models the service, provisions InfoVista Servers accordingly (load balancing between the servers), and stores the collected data that subsequently go to the presentation layer in an Oracle database; this is where the configuration and the dashboard data are stored. VistaMart controls groups of InfoVista servers, which can be spread over different systems.
– Data collection: InfoVista servers use SNMP to obtain the data from ip|boss’ SNMP agent, store the collected data in ObjectStore databases and push them to VistaMart using HTTP. This is where the real-time reports are stored.
– Presentation: the collected data are presented to Users in VistaPortal in pages that together form a management dashboard. Alerts show up directly in VistaPortal, and you can obtain real-time data by drilling down from higher-level summary reports.
All components connecting to InfoVista servers (i.e. VistaMart and VistaPortal) must use the Port Mapper (default port 1275). See the InfoVista Server Administration Guide for complete connection details.
9.2.3. Terms
9.2.3.1. The Instance
Each monitored resource in the network is represented by an Instance object (equivalent to a MetaView in ip|boss). An Instance can represent any logical or physical element in the network such as an ip|engine source, an ip|engine destination, a subnet source, a subnet destination, an application, a Key A, a Key B, an Application Group, a criticality. The Instance consists of values that identify and characterize the resource (for example, the alias for an application). These characteristics are called Properties and the values assigned to them are called Property Values. The data is displayed on a Graph. The Instance is mapped to the Graph via a report.
9.2.3.2. The Vista
You create each Instance object from a template object called the Vista. The Vista indicates which Properties each Instance should have. You can create any number of Instances from the same Vista. In this way, you define each type of equipment only once and when you create Instances of this equipment, you simply supply the values of the Properties. InfoVista is installed with a number of standard, pre-configured Vistas which allow you to get up and running immediately. For example:
■ the Vista IpNode has the Property ip (IP Address).
■ the Vista SNMP node has the Properties snmprd (SNMP community read) and snmpwr (SNMP community write).
Rules can be defined to create relationships between Vistas. They are not immediately visible in the object model but they are exploited by several Vistas you use. For example, one of the standard Rules states that “All Routers are SNMP nodes”. The result is that the Vista “Router” automatically inherits all the Properties of the Vista “SNMP node” as well as its own intrinsic Properties.
9.2.3.3. The Indicator
An Indicator is a measurement. It tells us something about the operation of a resource. Examples are “data traffic” or “quality of service”. InfoVista calculates the values of Indicators from the source data, which it collects from the monitored resource. Standard, pre-configured Indicators exist for the most common situations that you encounter (and for some of the more difficult ones, too).
9.2.3.4. The Report
An InfoVista report shows one or more Graphs and possibly some decorative text or bitmaps. Each Graph shows the values of a set of Indicators for a set of Instances (the monitored resources).
9.2.3.5. The Report Template
Each Report is derived from a template object called the Report Template. The Report Template represents a typical report layout. It does not contain data, it just shows the Graphs that are used and the visual layout of the report. The same template can be used by any number of Reports. You can therefore define a typical report template once, and each time you create a report from this template, your work is reduced to specifying which Instances the report will monitor. InfoVista is installed with a number of standard, pre-configured Report Templates.
Typical Report Template names:
■ Short/Long reporting: SNMP agent polling period.
■ Display Rate: The time interval between two consecutive values of an Indicator. Each Report Template may be provided with several different display rates (select from the list: hourly, daily, weekly and monthly).
■ Time Span: The time period over which the Graph must display data. The Time Span value is not subject to any limitations, though typically it is set to a simple multiple of the display rate. For example, if the display rate is 1 day and the time span is set to 1 week, the graph is scaled to display 7 consecutive Indicator values.
■ Life Time: The Life Time is one of the factors used by the system to calculate and reserve the necessary buffer space for storing the Indicator values. When the data becomes older than this Life Time it is considered to be obsolete and is gradually purged from the system.
■ Hourly: Specifies that the display period is one hour.
■ Ingress: name of the ip|engine upstream of the flow (from LAN to WAN).
■ Egress: name of the ip|engine downstream of the flow (from WAN to LAN).
9.2.3.6. The Report Folders
A Report Folder is a list of Reports. The Reports in a folder may be derived from different Report Templates. The folder provides a way of grouping the Reports together:
■ either to simplify readability in the object tree
■ or to provide common access rights to a number of Reports.
You can also create sub-folders, if necessary, to organize your working environment.
9.2.3.7. Libraries
A Library (supplied by InfoVista or third parties, or created by you) is used to group together objects such as Vistas, Indicators, etc. in order to obtain logical “units”.
9.2.4. Starting the system
9.2.4.1. Starting the server application
Normally, the InfoVista server is started automatically, after installation, and at each system reboot. A message such as “Manager/Collector server not found” or “Client-Server communication failure”, which may be displayed after trying to connect to a server, means that the InfoVista server has not started correctly.
[Figure: Manager service, Collector service, Browser service]
If you have a problem, refer to chapter 1 section Troubleshooting.
9.2.4.2. Starting IVreport rich client application (VF0)
■ Windows
In the Windows Task bar, click on Start/Programs/InfoVista/IVreport.
Starting IVreport
■ Unix
The InfoVista software is installed in:
/opt/InfoVista/Essentials/bin (Solaris)
(The path should be included in the PATH variable)
To start the client, execute:
./ivreport &
After startup, the Connection dialog box is displayed. Enter the parameters requested and click on OK.
Startup window
InfoVista Server Connection
■ Server name: Name of the system running the InfoVista server or IP address. If the server is on the same machine as the client application, leave this field blank or put the loopback address (127.0.0.1). Several instances of InfoVista can be installed on the same server. In this case the syntax is the following: “@x.x.x.x” (where x.x.x.x is the IP address of the InfoVista server). In a firewall environment, the endpoints for the Manager, Collector and Browser services can be fixed. In this case the syntax is the following: “x.x.x.x:ManagerPort:CollectorPort:BrowserPort” (where x.x.x.x is the IP address of the InfoVista server). The endpoint ports can be set up using the ip|reporter rich client (IVreport):
InfoVista Endpoint Setup
■ User name: Enter administrator.
■ Password: The default value is blank.
To reconnect to the same server or to another server, select the command File/Connect to Server in the InfoVista Main window.
9.2.4.3. IVreport main window (VF0)
After connection, the InfoVista Main window is displayed. The left-hand panel displays the objects of the InfoVista model in the form of a tree structure.
InfoVista Main window
The root of the tree (at the top) is the InfoVista server system. If the name of the server is local, this means that the server is on the same system as the client application.
Nodes in the tree are indicated by a [icon] or a [icon]. A [icon] indicates that the branch has not been expanded. It may contain subfolders. A [icon] indicates that the node is already expanded.
■ Click a [icon] node to expand the branch.
■ Click a [icon] node to collapse the branch.
■ Click a branch or object name to select the item.
■ Double-click the name of an object to open the Property sheet or List view window of the object (shortcut for Edit/Open).
The right-hand pane of the window displays the list of sub-objects of the object that is currently selected in the object tree.
■ Click the square symbol in front of an object to display the next level of sub-object.
■ Double-click an object name to open the Property sheet of the object (shortcut for Edit/Open).
The tool bar contains buttons which provide shortcuts for the more frequently used menu commands.
Create a new object of the selected type (shortcut for Edit/Add).
Copy the selected object to the clipboard (shortcut for Edit/Copy).
Paste an object from the clipboard (shortcut for Edit/Paste).
Delete the selected object (shortcut for Edit/Delete).
Open the Property sheet of the selected object (shortcut for Edit/Open).
Find objects by name or description (shortcut for Edit/Find…).
Schedule report-related actions (shortcut for Reports/Schedule).
Create a new report with the Instant Report wizard (shortcut for Reports/Instant Report…).
Filter reports based on specified criteria (shortcut for Reports/Filter…).
9.2.4.4. IVreport’s Report Viewer (VF0)
Use the viewer to view or print a Report. This paragraph describes how to use the Report viewer.
Report viewer
Report/Periodical Refresh/Stop
Report/Periodical Refresh/Start
The report template is configured to update the data display according to the display rate value.
While the report is running, inhibit Periodical Refresh (click the button) and wait a few minutes. Note that the data in the reports stops being updated and the Report Reference Time, displayed at the top right of the viewer, also becomes fixed. The reference time indicates the timestamp of the last data sample displayed in the Report (in other words, the timestamp of the last update of data). After a few minutes, enable Periodical Refresh again (click the button). You will see the data updated immediately, one new point on the Traffic graph for every period you waited. You will also see the reference time updated to display the current time again.
Graph/Refresh/Data if a graph is selected.
File/Print
While a Report is open, you can print it with this command. The report is printed on your system’s default printer.
Edit/Copy
Graph/Properties if a graph is selected
Toggle Information Mode (not in a menu)
When depressed, displays a tool tip over graphic objects, indicating the Metric name, Vista name and acquisition rates, time span and the object’s Description attribute.
Reference Time slider
Use the reference Time slider to adjust the reference time of the report:
■ either drag the slider
■ or click on the arrow buttons
■ or click on the time or date, edit with the keyboard and press Enter to validate
■ click on the latest button to set the reference time to the current date and time (equivalent to dragging the slider all the way to the right)
For more information, please refer to the InfoVista Reference Manual.
9.2.4.5. ip|reporter web client (VF0 and VF4)
To access ip|reporter web, click the ip|reporter button in the SALSA web client:
SALSA web client
The Domain selected in the SALSA web client has no impact: once in ip|reporter, you will be able to select the reports on any Domain you have access to (according to your User rights). If you are connected to a Domain with ip|boss (and if you access it via SALSA), you can open ip|reporter web by selecting the ip|reporter web button in the ip|boss toolbar.
Different accesses can be defined with different user rights (unlike for the users of IVreport (VF0), who always have access to all the reports managed by the server). Refer to the Technical note “TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf”. Two different windows can be displayed, according to the VistaFoundation being installed, VF0 or VF4:
ip|reporter web client with VF0
ip|reporter web client with VF4
9.2.5. Reports Management
Operating procedure table: settings (automatic reporting), settings (define reports), service ip|true (automatic reporting), service ip|true (modify reports), service reporting (automatic reporting), service reporting (define reports)
The reports are managed in the ip|boss interface, thanks to the Reports and Automatic reporting tools. ip|boss manages the creation and deletion of Instances in InfoVista according to the configuration parameters. ip|boss is the reference for the reports and Instances for InfoVista. If some reports described in the ip|boss configuration file are not present in the InfoVista database, then ip|boss creates the missing reports. Conversely, if some reports exist (for the Domain) in the InfoVista database and not in the ip|boss configuration, then ip|boss deletes them. ip|reporter uses the MetaViews for creating and filling the reports. Three modes of report creation are available:
■ Reports, unitary mode: one report is created on one MetaView. This mode is used to add a specific report on a specific MetaView, or to create some reports that cannot be created in the Wizard mode.
■ Reports, Wizard mode: several reports can be created on several MetaViews in one operation. For example: two given reports on all User subnets.
■ Automatic reporting: reports are automatically created for the Domain, for all Equipped sites, for all tele-managed sites or for all Application Groups, and will be added automatically when new Domains, new Equipped sites, new tele-managed sites or new Application Groups are created.
9.2.5.1. Automatic reporting
This tool allows creating reports for the Domain, for all Equipped sites, for all tele-managed sites and for all Application Groups. The selected reports are automatically added for existing Equipped sites*, tele-managed sites* and Application Groups, and will be automatically added when new Equipped sites*, new tele-managed sites* or new Application Groups are created.
* For the sites (equipped or tele-managed), the selected reports are created only if Auto-reporting is at “yes” in the ip|engine parameters.
In the System administration Toolbar, select Automatic reporting.
The Automatic reporting window is displayed.
Automatic reporting window
This window contains four tabs:
■ Domain,
■ Equipped sites,
■ Tele-managed sites,
■ Application Groups.
By clicking on the New button within any tab, the automatic report creation window is displayed (Domain, Equipped sites, tele-managed sites or Application Groups automatic reports creation window, according to the selected tab):
Domain automatic reports creation window
This window contains an input zone with the following fields:
■ Report template: drop-down list of available report templates, to choose the reports attached to the selected tab.
■ four check boxes that define which time aggregations can be created for the report:
– Hour,
– Day,
– Week,
– Month.
■ a check box that allows defining the level of confidentiality for the report:
– Public (unchecked by default):
• when checked, the reports are stored in the “hour” / “day” / “week” / “month” folders in IVreport, and access to the reports can be given to all users using the web client;
• otherwise, the reports are stored in the “hour private” / “day private” / “week private” / “month private” folders in IVreport, and access to the reports can be restricted, for the users using the web client, to authorized users only (refer to the Technical note TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
Ipanema System
9. 2. 5. 2. Reports creation in unitary mode
In the Reporting Toolbar, select Reports. The Reports window is displayed:
Reports window
This window contains the list of reports created on each instance with the specific parameters. By clicking on the New button, the report creation window is displayed.
Reports creation window
This window contains an input zone with the following fields:
■ MetaView: drop-down list of MetaViews, to choose the MetaView on which the reports will be created.
■ Report template: drop-down list of available report templates, to choose the reports attached to the selected MetaView.
■ Four check boxes that define which time aggregations can be created for the report: Hour, Day, Week and Month.
■ A check box that defines the level of confidentiality for the report:
– Public (unchecked by default):
• when checked, the reports are stored in the “hour” / “day” / “week” / “month” folders in IVreport, and access to the reports can be given to all users using the web client;
• otherwise, the reports are stored in the “hour private” / “day private” / “week private” / “month private” folders in IVreport, and access to the reports can be restricted, for the users using the web client, to authorized users only (refer to the Technical note TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
9. 2. 5. 3. Reports creation in wizard mode
This creation mode allows creating a large number of reports at once: it creates a package of reports for several MetaViews. This mode can be used in the initial creation step.
In the Reporting Toolbar, select Reports. The Reports window is displayed:
Reports window
By clicking on the Wizard icon, the multiple creation window of Reports is displayed.
Reports Wizard window
This window contains:
■ a zone with multiple selection for the MetaViews,
■ a zone with multiple selection for the Report templates. The list is modified according to the type of MetaView selected.
■ Four check boxes that define which time aggregations can be created for the report:
– Hour,
– Day,
– Week,
– Month.
■ A check box that defines the level of confidentiality for the report:
– Public (unchecked by default):
• when checked, the reports are stored in the “hour” / “day” / “week” / “month” folders in IVreport, and access to the reports can be given to all users using the web client;
• otherwise, the reports are stored in the “hour private” / “day private” / “week private” / “month private” folders in IVreport, and access to the reports can be restricted, for the users using the web client, to authorized users only (refer to the Technical note TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
The left frame shows the list of elements (MetaViews and Report templates) as described in the system and managed by ip|boss; the right frame shows the selected elements. Select the elements you want to move (you can select several using the SHIFT or CTRL keys), then use the single arrows to move them from one frame to the other, or use the double arrows to move them all at once. When several elements are selected in each list, the system creates the reports for the combinations of the selected criteria.
9. 2. 5. 4. Reports Deletion
To delete reports from the InfoVista database, delete them from the list accessible through Reports. After the deletion is validated and the configuration is updated, the reports are definitively deleted: the reports and their data cannot be accessed anymore. Several reports can be deleted at once by selecting them with the keyboard.
Another way to remove the reports is by clicking on the icon: the multiple deletion window of reports is displayed.
If the reports were created with the Automatic reporting function, they will be automatically re-created after deletion, so they must be deleted with this function (be aware that deleting a report with this function will impact all the concerned objects — ip|engines or Application Groups).
9. 2. 5. 5. Update in InfoVista
After creation or deletion of reports, click on the flashing Update button in order to update the InfoVista Database with the ip|boss configuration. After you have confirmed that you want to update the configuration in ip|reporter, the ip|reporter Database LED (in the ip|boss status zone) is amber during the synchronization (this can last several minutes, or several hours if you created a large number of reports at a time).
Warning before configuration update
ip|reporter Database LED during database update
9. 2. 5. 6. Force synchronize
If InfoVista suffers a Database synchronization problem, it is possible to force the synchronization using the Reports menu Actions / Force synchronize. This function should not be used under normal circumstances. Use it only in case of a synchronization problem. A synchronization problem can be checked in the logs, and with the Database LED above (grey: an error happened during the last synchronization; red: error in the reports description; amber is a normal color during synchronization, but it should be a temporary state: if the LED remains amber for an abnormally long time, this can also be due to a synchronization problem).
Reports Force synchronize menu
As this can last several minutes, or several hours if you created a large number of reports, a warning message is displayed. Click ’Yes’ to confirm you want to force synchronization, ’No’ if you want to abort:
Warning before forced synchronization
9. 2. 5. 7. Default reports
The following reports are created (with the Automatic reporting function) by default (S stands for Equipped site, T stands for tele-managed site):
Report
Domain
SLM - Site Synthesis
X
SLM - Application Synthesis
X
S
T
AG X
X
X X
SLM - Site Summary (per dir.) SLM - AG Summary PM - Site Summary
X
X
PM - AG Summary (per dir.)
X
X
PM - Detailed per AG
X
X
PM - Detailed per Application
X
PM - Detailed per App. - Top
X
PM - Time Evolution
X
X
X
X
X
AM - Site Summary - TCP AM - Time evolution - TCP
X
SA - Site Throughput
X
SA - Site Summary (ingress/egress)
X
FI - Availability Overview
X
X
X
FI - Availability Evolution
Default reports
9. 3. HOW TO READ THE REPORTS
Reports can be read either using IVreport (InfoVista rich client, VF0) or InfoVista web client (VF0 and VF4).
9. 3. 1. IVreport (VF0)
To open a report using IVreport, launch IVreport (default login / password are administrator / — (no password)), open the Reports tab, open the following folders: “Report folders” / / / , then double-click on the report’s name.
■ If the Public check box was checked at the report’s creation, it can be found in the “hour” / “day” / “week” / “month” folders;
■ otherwise, it can be found in the “hour private” / “day private” / “week private” / “month private” folders.
Reports directory structure in IVreport
9. 3. 2. Web client (VF0)
Using the web client, the directory structure is similar, but users may not have access to all reports (for example, the access may be limited to the Public reports only), according to their rights (refer to the Technical note TN-0200011-04__how_to_configure_report_access_with_VPSE2.pdf).
ip|reporter web client
There are two ways to navigate in the reports:
■ By selecting “Folders” in the drop-down list in ip|reporter’s main window, you can access the reports with the following file system tree (4 hierarchical levels):
– / / /
ip|reporter’s “Folders” file system tree
■ The second browsing method allows navigating in the sites’ reports with two additional hierarchical levels, defined by the ip|engines’ Navigation fields “Folder name for level 1” and “Folder name for level 2”: by selecting “Navigation” in the drop-down list in ip|reporter’s main window, you can access the sites’ reports with the following file system tree (6 hierarchical levels):
– / Navigation / / / / (the level disappears, as this method is valid to access the sites’ reports only).
This method is very helpful on large networks, with hundreds or thousands of sites. In the example below, “Folder name for level 1” was used to group sites per continent, and “Folder name for level 2” was used to group sites per country. The ip|engines created without filling those fields are grouped under the “Unknown” folder name:
ip|reporter’s “Navigation” file system tree
9. 3. 3. Web client (VF4)
The web client, with VistaFoundation 4, shows two levels of reports:
■ all the reports available with VF0 are also available (they are called real time reports hereafter),
■ and there are new high level reports displayed in the main web page (they are called Service Level Overview reports).
ip|reporter web client with VF4
The window contains five frames:
■ Time Navigator,
■ Navigation,
■ Service Level Overview,
■ and two frames in Reports.
The Time Navigator frame shows the date and time, and allows browsing the selected reports in the past.
To access a report, first select the MetaView or group of MetaViews in the Navigation frame (click on the icon before a branch to expand the navigation tree or to collapse a branch):
Selecting MetaViews in the Navigation frame
The Service Level Overview report corresponding to the selected MetaView(s) is displayed in the Service Level Overview frame:
Selecting the periodicity in the Navigation frame
■ For a Site or a list of Sites, this report shows, for each site:
– the name of the MetaView ( x Site:),
– the AQS per criticality level (Top, High, Medium and Low) with color bars; the colors indicate the AQS (from red = 0 to green = 10), and one can read the exact value of the AQS by moving the mouse over the bars,
– the ingress (LAN => WAN) and egress (WAN => LAN) WAN accesses utilization (in percentage of the WAN accesses throughputs) and the WAN accesses throughputs (as defined in ip|boss); the utilization bars are blue between 0 and 70% of utilization, yellow between 70 and 90% of utilization, and red above 90% of utilization; the percentage of utilization can be read by moving the mouse over the bars.
■ For an Application Group or a list of Application Groups, this report shows, for each Application Group:
– the name of the MetaView ( x Application Group:),
– the AQS of the Application Groups with color bars; the colors indicate the AQS (from red = 0 to green = 10), and one can read the exact value of the AQS by moving the mouse over the bars,
– the ingress (LAN => WAN) and egress (WAN => LAN) throughputs, both on the LAN interfaces of the ip|engines and on their WAN interfaces,
– the number of sessions.
A second type of Service Level Overview reports is available by selecting the Evolution tab, at the top of the window:
Evolution tab
It shows four frames for the selected MetaViews:
■ the volume per Criticality level,
■ the AQS per Criticality level,
■ the ingress (LAN => WAN) throughput,
■ the egress (WAN => LAN) throughput.
Select the Overview tab to come back to the previous view (Service Level Overview frame).
To access the real time reports, once the MetaViews have been selected in the Navigation frame, select the periodicity in the Reports frame:
Selecting the periodicity in the Reports frame
The names of the available reports for the selected MetaViews and periodicity are displayed in a second frame in Reports, called Name:
Selecting the periodicity in the Reports frame
To open the real time reports displayed in this frame, double click on their names or right click and select “Instant report”:
Selecting the periodicity in the Reports frame
The real time reports open in a new window. They are explained in the following sections.
9. 3. 4. Dynamic reading of the reports
The reports show graphs and tables:
Report example
■ The graphs show the history of the values. Click on the graphs (IVreport) or move your mouse on them (web client) to read detailed values in a popup.
■ The values in the tables are measured over the last display period. Click successively on any column header to sort the table by increasing or decreasing values.
On the client you can use the time slider (IVreport) or specify the date and time (both clients) to see the previous values of each indicator. This presents you with a historical view of each resource for any moment during the lifetime of the report.
9. 3. 5. Definitions
Here is a definition of the symbols and specific metrics that are used in the reports (for the definitions of the standard metrics, such as AQS, Delay, Jitter, packet Loss, RTT, SRT, TCP retransmission, etc., please refer to 7.5.2.2 Detailed flows list):
=>
Represents the LAN => WAN - or ingress - direction.
<=
Represents the WAN => LAN - or egress - direction.
Session
A session is identified:
■ For TCP or UDP by the following parameters: source IP address, destination IP address, protocol (TCP or UDP), source port and destination port.
■ For other protocols over IP (for example: ICMP) by the following parameters: source IP address, destination IP address, protocol.
Qualified (sessions, throughput, goodput)
Traffic between synchronized ip|engines; delay, jitter and packet loss are measured.
Non qualified — or Unqualified (throughput, goodput, sessions)
Traffic between non synchronized ip|engines, or (more frequently) between an ip|engine and a tele|engine; delay, jitter and packet loss cannot be measured.
MOS (1 to 5)
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
Evolution (Volume, Quality, Activity) (++/+/0/-/- -)
Evolution, according to the following symbols, as compared to the average value over the 3 last periods (3 hours, 3 days, 3 weeks or 3 months, according to the time scale of the report):
■ ++: the metric has increased a lot (by more than +20%),
■ +: the metric has slightly increased (between +5 and +20%),
■ 0: the metric is stable (between –5% and +5%),
■ -: the metric has slightly decreased (between –5 and –20%),
■ - -: the metric has decreased a lot (by more than –20%).
Default reports
Color Management
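The session definition given in the Definitions above, applied to packet records: this is an added example, not code from the manual or from the Ipanema System. The `Packet` record layout, the function names and the sample records are assumptions constructed for illustration; counting the two directions of a conversation as separate sessions is a literal reading of the definition, not a statement about how an ip|engine counts them.

```python
"""Count sessions from packet records using the manual's session definition."""
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

# IANA protocol numbers of the two protocols whose ports are part of the key.
PORT_BASED = {6: "TCP", 17: "UDP"}


class Packet(NamedTuple):
    """Hypothetical per-packet record (not an Ipanema data format)."""
    src: str
    dst: str
    proto: int                    # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None
    size: int = 0                 # bytes at IP level


def session_key(pkt: Packet) -> tuple:
    """Return the tuple that identifies the session a packet belongs to."""
    src = str(ipaddress.ip_address(pkt.src))   # validates and canonicalises
    dst = str(ipaddress.ip_address(pkt.dst))
    if pkt.proto in PORT_BASED:
        if pkt.sport is None or pkt.dport is None:
            raise ValueError("TCP/UDP record without ports cannot be keyed")
        for port in (pkt.sport, pkt.dport):
            if not 0 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        # TCP or UDP: source IP, destination IP, protocol, both ports.
        return (src, dst, pkt.proto, pkt.sport, pkt.dport)
    # Other protocols over IP (e.g. ICMP): source IP, destination IP, protocol.
    # Any port-like fields in the record are ignored.
    return (src, dst, pkt.proto)


def summarize(packets):
    """Group packets into sessions.

    Returns ({session_key: [packet_count, byte_count]}, rejected_records).
    Records that cannot be keyed are reported instead of silently dropped,
    so a gap in the input does not turn into an undercount.
    """
    sessions, rejected = {}, []
    for pkt in packets:
        try:
            key = session_key(pkt)
        except ValueError as exc:
            rejected.append((pkt, str(exc)))
            continue
        entry = sessions.setdefault(key, [0, 0])
        entry[0] += 1
        entry[1] += pkt.size
    return sessions, rejected


def sessions_per_protocol(sessions):
    """Number of distinct sessions per IP protocol number."""
    return Counter(key[2] for key in sessions)


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 6, 49152, 443, 600),
    Packet("192.0.2.10", "198.51.100.5", 6, 49152, 443, 1400),   # same session
    Packet("192.0.2.10", "198.51.100.5", 6, 49153, 443, 80),     # new source port
    Packet("198.51.100.5", "192.0.2.10", 6, 443, 49152, 1500),   # reverse direction
    Packet("192.0.2.10", "198.51.100.5", 17, 53000, 53, 70),
    Packet("192.0.2.10", "198.51.100.5", 1, size=84),            # ICMP
    Packet("192.0.2.10", "198.51.100.5", 1, size=84),            # same ICMP session
    Packet("192.0.2.10", "198.51.100.5", 6, size=40),            # TCP, ports missing
]

if __name__ == "__main__":
    found, bad = summarize(SAMPLE)
    for key, (count, nbytes) in found.items():
        print(key, count, "packets", nbytes, "bytes")
    print("sessions per protocol:", dict(sessions_per_protocol(found)))
    print("rejected records:", len(bad))
```

All ICMP exchanges between the same pair of addresses collapse into one session under this definition, while every distinct TCP or UDP port pair is its own session, which is why session counts for port-based traffic are much more sensitive to scanning or connection churn.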
9. 4. IPANEMA SYSTEM VISTAVIEWS
The following sections (8.5, etc.) correspond to each VistaView, and each section is further divided into sub-sections (8.5.1, etc.) that correspond to each report template. A report sub-section includes an overview of the report features, a graphical representation of the report, a detailed description of the report, and finally a suggested way of using the report.
Ipanema VistaViews
Some of these VistaViews are available only if you have purchased the corresponding options and if they are enabled in the license file.
VistaViews are used to collect all information by querying ip|boss’ SNMP agent. They work in pairs:
■ (e.g.: VoIP): contain the metrics and Indicators for this “family”;
■ (e.g.: VoIP - en): Report Templates used to display these metrics.
The statistics generated by the different functions are available throughout the whole Ipanema System:
■ ip|boss aggregates the data gathered from ip|engines’ measurement, Application Control, redundancy elimination and acceleration functions, and makes them available through the SNMP interface.
■ ip|dashboard uses them to generate the appropriate helpdesk tables and graphs, that provide real-time analysis for each Site and each network access.
■ ip|reporter uses them to generate the appropriate easy-to-use reports, that provide historical analysis for each Site, each network access and each Application Group.
All reports can be created with ip|boss using the single or the wizard mode (unless otherwise specified). The reports on the Domain, on Equipped or tele-managed sites (i.e.: equipped or tele-managed Sites), and on Application Groups can also be created with the Automatic reporting tool.
The available periodicity levels for the reports are the following (unless otherwise specified):
■ Hourly,
■ Daily,
■ Weekly,
■ Monthly.
The Ipanema System library contains the following report templates, with the following abbreviations being used:
■ in What is measured: App: Application; Crit: Criticality; D/J/L: Delay/Jitter/Loss; Ses: number of sessions; Thput: Throughput; Gput: Goodput; (un)qual: (un)qualified; AG: Application Group; Vol: volume; evol: evolution
■ in Filters:
– D: Domain;
– S: Equipped site;
– T: tele-managed site;
– K: report Keys;
– S: User Subnets;
– G: Application Groups;
– A: Applications;
– C: Criticality
Legend in the Filters:
– X: the report is available for MetaViews that contain this object. Example: is - slm - site summary is available on the Domain.
– L: the report is available for MetaViews that contain a list of this object. Ex.: is - slm - site synthesis is not available on a single Equipped site, but it is if the MetaView contains a list of Equipped sites.
– o: the report is available for MetaViews that contain this object, but only if the MetaView also contains objects with an X. Ex.: is - slm - application group summary per direction is not available on an Application Group, but it is if the MetaView is a combination of an Equipped site AND an Application Group.
SLM (Service Level Monitoring) Report template (is - slm -)
What is measured
service level evolution
AQS, qual. and unqual. ses., Thput, Gput
X
site summary
AQS, D/J/L, RTT, SRT, TCP retrans., ses., Thput.
X
ag summary
AQS, D/J/L, RTT, SRT, TCP retrans., ses., Thput.
X
ag summary per direction
Filters D S
app. synthesis
Vol. & AQS evol. per crit., Ingress & Egress Thput, vol. & vol. evol. per AG, AQS & AQS evol. per AG, vol. per app. (top 10), site activity, global evol.
site synthesis
Vol. & AQS evol. per crit., Total Thput, vol. & vol. evol. per site, AQS & AQS evol. per site.
X
X
T
K
S
G A
C
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
o
o
o
X
X
X
G A
C
X
X
X
X
L
L
L
L
T
K
S
SLA (Service Level Agreement)
Report template (is - sla -)
What is measured
Filters
domain overview graph
AQS per AG, AQS per site, over activity per site
X
domain overview table
Vol., AQS, MOS, over activity — per AG, per site
X
domain - aqs summary
AQS, over activity — per AG, per site
X
domain - ag aqs summary
AQS, over activity — per AG
X
domain - site aqs summary
AQS, over activity — per site
X
domain - mos summary
MOS, over activity — per AG, per site
X
site summary
AQS, MOS, over activity — per AG
X
site aqs summary
AQS, over activity — per AG
X
site mos summary
MOS, over activity — per AG
X
site exploitation
AQS, MOS, vol., ses., over activity
X
site customer
AQS, MOS, vol., ses., over activity
X
D S
CAM (Cloud Application Monitoring) Report template (is - cam -)
What is measured
clients overview
time evolution
Filters D S
T
K
S
G A
C
Users, Transactions, Transac. Time, Server delay, Transac./s, Transac. size, Transac. efficiency
X
X
X
X
X
X
X
X
Users, Transaction Time, ses./s, Transac./s, Transac. efficiency
X
X
X
X
X
X
X
X
D S
T
K
S
G A
C
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
AM (Application Monitoring) Report template (is - am -)
What is measured
site summary - tcp
SRT, RTT, Packet retrans., Thput, ses.
ag summary - tcp
Filters
X
ag summary - per direction - tcp
X
application summary - tcp
X
X
X
X
app. summary - per dir. - tcp time evolution - tcp
X
X
X
X
X
X
X
X
X
X
PM (Performance Monitoring) Report template (is - pm -)
What is measured
site summary ag summary ag sum. per dir
Filters D S
T
K
S
G A
C
WAN-WAN & LAN-LAN Delay, Loss, Thput; ses.
X
X
X
X
X
X
X
D/J/L; RTT/SRT/TCP retrans.; total Thput, sessions, packet size
X
X
X
X
o
o
o
X
X
X
X
X
X
X
X
X
app. summary
X
app. sum. per dir
X
X
X
X
X
o
o
o
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
D S
T
K
S
G A
C
traffic topology
Total & qual. traffic, Traffic profile (kbps/%time), packet%/delay, Thput per site, ingress & egress
X
X
time evolution
D/J/L, Thput, ses.
X
X
detailed per ag
Throughput
X
X
detailed per app. top detailed per app. top host app on vol.
X
Host (IP address), app., vol., ses. This report does not appear in the hour, day, week and month folders, but in the “default” folder.
PM (Performance Monitoring) — Compression Report template (is - pm -)
What is measured
compression evolution
Total LAN Thput. (without compr.), total WAN Thput (with compr.), compressed Thput, saved Thput.
X
X
X
X
X
X
X
X
compression synthesis - ag
For each AG and each way: compressed, saved, total LAN, total compressible and total compressed volumes; compr. factor and ratio
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
compression synthesis application
Filters
ip|reporter’s wizard mode is not available for these reports.
SSL Optimization Report template (is - ssl optimization -)
What is measured
time evolution
SSL LAN Thput. (without compr.), SSL WAN Thput (with compr.), SSL Optimization Eligible sessions, SSL Optimized sessions.
Filters D S X
T
X
K
S
G A
C
X
X
X
X
X
ACC (TCP acceleration) Report template (is - acc -)
What is measured
acceleration evolution
Compr., TCP & Acceleration factors, nb of new & current sessions
Filters D S
T
K
S
G A
C
X
X
X
X
X
X
X
D S
T
K
S
G A
C
X
X
X
X
X
X
X
D S
T
K
S
G A
C
G A
C
X
CIFS (CIFS acceleration) Report template (is - cifs -)
What is measured
time evolution
Thput, CIFS verbosity, Acceleration factor, nb of active sessions
Filters X
SAM (Services Activity Monitoring) Report template (is - sam -)
What is measured
Filters
site summary
ingress & egress Application Control Activity, Duration, Evolution, Compr. ratio, saved bw; CIFS avg and max active ses.
X
X
X
time evolution
ingress & egress Application Control Activity and Duration, Compr. ratio and saved bw, CIFS active ses. and acc. factor
X
X
X
X
X
Report template (is - VoIP -)
What is measured
Filters T
K
S
synthesis
MOS distribution
X
X
X
X
time evolution
MOS, D/J/L, sessions
X
X
X
X
VoIP
D S
SA (Site Analysis) Report template (is - sa -)
What is measured
Filters
site summary ingress
Thput: To physical ip|e, No correlation, To virtual ip|e (= tele|e), To Out of Domain, Transit, Other, Locally rerouted, Non IPv4 WAN, Ignored LAN
X
L
X
site summary egress
Thput: From physical ip|e, No correlation, From virtual ip|e (= tele|e), From Out of Domain, Transit, Other, Locally rerouted, Non IPv4 WAN, Ignored LAN
X
L
X
site throughput
Thput: IPv4, Apple Talk, IPX, SNA, IPv6, Ignored LAN. IPv4 Thr.: To/From physical ip|e, No correlation, To/From virtual ip|e (= tele|e), To/From Out of Domain, Transit, Other, Locally rerouted
D S
T
K
S
G A
C
S
G A
C
G A
C
X
FI (Fault Isolation) Report template (is - fi -)
What is measured
availability evolution
Status down, Status up, synchro. loss, highest CPU load, WAN overload
Filters D S
availability overview
X
T
X
K X
X
With ip|reporter, FI reports can only be created using the unitary mode.
SP (Smart planning) Report template (is - sp -)
What is measured
profile
Throughput, Right Size
synthesis
Current, trend 3 months, trend 1 year
Filters D S
T
K
S
X X
L
X
This report is only available on a daily basis.
9. 5. SLM (SERVICE LEVEL MONITORING) REPORTS
9. 5. 1. is - slm - service level evolution
Service Level Monitoring Table
Service Level Monitoring - service level evolution
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of AGs.
■ A Criticality or a list of criticality levels.
What is measured
AQS, number of sessions (qualified and unqualified), throughput (qualified and unqualified), goodput (qualified and unqualified).
How it is measured
From data collected every Short reporting period.
Type of report: Hourly / Daily / Weekly / Monthly
Display rate: Short reporting / 5 minutes / 1 hour / 4 hours
Time Span: 1 hour / 1 day / 1 week / 1 month
Life Time: 24 hours / 7 days / 5 weeks / 12 months
Audience: Network analysts / Executive officers
The graphs present the following information:
AQS graph
This graph represents the evolution of the AQS over the period of time.
Sessions graph
This graph represents the evolution of the number of sessions over the period of time:
■ number of qualified sessions,
■ number of unqualified sessions (the top of the curve (that sits above the Qualified sessions) indicates the total sessions (qualified + unqualified)).
Throughput graph
This graph represents the evolution of the Throughput over the period of time:
■ Throughput: the surface indicates the non qualified throughput only, whereas the top of the curve (that sits above the Qualified throughput) indicates the total throughput (qualified + unqualified)
■ Qualified throughput
■ Goodput: the surface indicates the non qualified goodput only, whereas the top of the curve (that sits above the Qualified goodput) indicates the total goodput (qualified + unqualified)
■ Qualified goodput
9. 5. 2. is - slm - site summary
Service Level Monitoring Table
Service Level Monitoring - site summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain,
■ A Site or a list of sites,
■ A Key or a list of keys,
■ A Subnet or a list of subnets,
■ An Application or a list of applications,
■ An Application Group or a list of AGs,
■ A Criticality or a list of criticality levels.
What is measured
AQS, delay, jitter, packet loss, RTT, SRT, TCP retrans., sessions, throughput.
How it is measured
From data collected every Long reporting period.
Type of report: Hourly / Daily / Weekly / Monthly
Display Rate: 1 hour / 1 day / 1 week / 1 month
Time Span: 1 hour / 1 day / 1 week / 1 month
Life Time: 24 hours / 7 days / 5 weeks / 12 months
Audience: Network analysts / Executive officers
The table
The table presents the following information (note: for color and symbol explanation see the Color Management picture in Definitions):
Site
Name of the Site (ip|engine).
Average AQS
Weighted average (in volume) of the ingress AQS and egress AQS of the site.
In the following columns:
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
AQS
Application Quality Score of the site for one direction.
D/J/L
Symbolic representation of the quality of Delay, Jitter and packet Loss of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
RTT/SRT/Retrans
Symbolic representation of the quality of RTT, SRT and TCP retransmission of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
Average sessions
Average number of sessions per second.
Average throughput (kbps)
Average number of kbits per second at IP level (on ip|engines and/or tele|engines).
9. 5. 3. is - slm - application group summary
Service Level Monitoring Table
Service Level Monitoring - application group summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ An Application or a list of applications,
■ An Application Group or a list of Application Groups,
■ A Criticality or a list of criticality levels.
What is measured
AQS, delay, jitter, packet loss, RTT, SRT, TCP retrans., sessions, throughput.
How it is measured
From data collected every Long reporting period.
Type of report: Hourly / Daily / Weekly / Monthly
Display Rate: 1 hour / 1 day / 1 week / 1 month
Time Span: 1 hour / 1 day / 1 week / 1 month
Life Time: 24 hours / 7 days / 5 weeks / 12 months
Audience: Network analysts / Executive officers
The table
The table presents the following information (note: for color and symbol explanation see the Color Management picture in Definitions):
Application Group
Name of the Application Group.
Criticality
Criticality level of the Application Group.
AQS
Application Quality Score of the Application Group.
D/J/L
Symbolic representation of the quality of Delay, Jitter and packet Loss of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
RTT/SRT/Retrans
Symbolic representation of the quality of RTT, SRT and TCP retransmission of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
Average sessions
Average number of sessions per second for ingress and egress directions.
Average throughput (kbps)
Average number of kbits per second at IP level for ingress and egress directions.
9. 5. 4. is - slm - application group summary per direction Service Level Monitoring Table
Service Level Monitoring - application group summary per direction What can it do? Monitored resource
This template is available for the following MetaViews: ■
A Domain. – Per Application or a list of applications. – Per Application Group or a list of Application Groups. – Per Criticality or a list of criticality levels.
■
A Site or a list of sites. – Per Application or a list of applications. – Per Application Group or a list of Application Groups. – Per Criticality or a list of criticality levels.
■
A Key or a list of keys. – Per Application or a list of applications. – Per Application Group or a list of Application Groups. – Per Criticality or a list of criticality levels.
■
What is measured How it is measured
A Subnet or a list of subnets.
– Per Application or a list of applications. – Per Application Group or a list of Application Groups. – Per Criticality or a list of criticality levels. AQS, delay, jitter, packet loss, RTT, SRT, TCP retrans., sessions, throughput (kbps). From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The table
The table presents the following information (note: for color and symbol explanation see the Color Management picture in Definitions):
Application Group
Name of the Application Group.
Criticality
Criticality level of the Application Group.
Average AQS
Weighted average (in volume) of the ingress AQS and egress AQS.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
AQS
Application Quality Score of the Application Group for one direction.
D/J/L
Symbolic representation of the quality of Delay, Jitter and packet Loss of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
RTT/SRT/Retrans
Symbolic representation of the quality of RTT, SRT and TCP retransmission of the measured applications:
■ “+”: the measured metric is good (i.e., it meets its objective),
■ “0”: the measured metric is average (i.e., it is between its objective and maximum),
■ “—”: the measured metric is bad (i.e., it exceeds its maximum).
(The metrics’ objective and maximum values are defined in the QoS profiles associated to the Application Groups containing the measured applications.)
Average sessions
Average number of sessions per second for ingress and egress directions.
Average throughput (kbps)
Average number of kbits per second at IP level for ingress and egress directions.
9. 5. 5. is - slm - application synthesis
Service Level Monitoring Table
Service Level Monitoring - application synthesis
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Volume evolution per criticality, Quality evolution, Ingress throughput, Egress throughput, Volume per Application Group (percentage, MB, evolution), Quality per Application Group (AQS, evolution), Volume per application (Top 10), site activity, global evolution.
How it is measured
From data collected every Long reporting period.
Volume evolution and Quality evolution graphs
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 24 hours | 1 week | 5 weeks | 12 months
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
LAN->WAN throughput and WAN->LAN throughput graphs
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 15 minutes | 15 minutes | 1 hour | 4 hours
Time Span | 2 hours | 2 days | 2 weeks | 2 months
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
Application Group Volume, application volume Top 10, site activity and global evolution Tables
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
The graphs present the following information:
Volume Evolution (GB) graph
This graph shows the volume evolution, by criticality, over the last 24 hours, 7 days, 5 weeks or 12 months according to the periodicity level.
Quality Evolution (%) graph
This graph represents quality evolution over the last 24 hours, 7 days, 5 weeks or 12 months, according to the periodicity level, in percentage of volume with different colors:
■ % green volume
■ % yellow volume
■ % red volume
■ % grey volume when quality cannot be computed
LAN => WAN throughput (kbps) graph
This graph shows the ingress throughput evolution over the last 2 hours, 2 days, 2 weeks or 2 months, according to the periodicity level, for the following indicators: average throughput and maximum throughput.
■ Average (Throughput): Number of kbits per second at layer 3 level during a display rate.
■ Max (Peak throughput): The peak throughput curve displays the maximum encountered value during a display rate.
WAN => LAN throughput (kbps) graph
This graph shows the egress throughput evolution over the last 2 hours, 2 days, 2 weeks or 2 months, according to the periodicity level, for the following indicators: average throughput and maximum throughput.
■ Average (Throughput): Number of kbits per second at layer 3 level during a display rate.
■ Max (Peak throughput): The peak throughput curve displays the maximum encountered value during a display rate.
For LAN => WAN throughput (kbps) and WAN => LAN throughput (kbps), the average and maximum throughputs are calculated on the following periods:
Periodicity | Average (throughput) | Maximum (Peak throughput)
Hour | 15 minutes | 15 minutes
Day | 15 minutes | 15 minutes
Week | 1 hour | 15 minutes
Month | 4 hours | 15 minutes
The tables
The tables present the following information:
Application Group table
Application Group
Name of the Application Group.
Criticality
Criticality level according to the Application Group name.
Volume (%)
Percentage of total volume used by the Application Group.
Volume (MB)
Volume used by the Application Group in Mega bytes.
Volume Evolution (++/+/0/-/- -)
Volume evolution for the 3 last periodicity levels.
AQS (0 to 10)
Application Quality Score.
Quality Evolution (++/+/0/-/- -)
Quality evolution for the 3 last periodicity levels.
Application TOP 10 table
Application
Name of the Application.
Application Group
Application Group name corresponding to the application classification.
Volume (%)
Percentage of total volume used by the Application.
Site Activity table
Site activity
This indicator displays the percentage of time when traffic was measured.
Evolution (++/+/0/-/- -)
Availability evolution for the 3 last periodicity levels.
9. 5. 6. is - slm - site synthesis
Service Level Monitoring Table
Service Level Monitoring - site synthesis
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A list of Sites.
■ A list of Keys.
■ A list of Subnets.
What is measured
Volume evolution per criticality, Quality evolution, Total throughput, Volume per site (percentage, MB, evolution), Quality per site (AQS, evolution).
How it is measured
From data collected every Long reporting period.
Volume evolution and Quality evolution graphs
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 24 hours | 1 week | 5 weeks | 12 months
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
Throughput graph
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 15 minutes | 15 minutes | 1 hour | 4 hours
Time Span | 2 hours | 2 days | 2 weeks | 2 months
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
Site table
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
The graphs present the following information:
Volume Evolution (GB) graph
This graph shows the volume evolution, by criticality, over the last 24 hours, 7 days, 5 weeks or 12 months according to the periodicity level.
Quality Evolution (%) graph
This graph represents quality evolution over the last 24 hours, 7 days, 5 weeks or 12 months, according to the periodicity level, in percentage of volume with different colors:
■ % green volume
■ % yellow volume
■ % red volume
■ % grey volume when quality cannot be computed
Throughput (kbps) graph
This graph shows the total throughput evolution (ingress + egress) over the last 2 hours, 2 days, 2 weeks or 2 months, according to the periodicity level, for the following indicators: average throughput and maximum throughput.
■ Average (Throughput): Number of kbits per second at layer 3 level during a display period.
■ Max (Peak throughput): The peak throughput curve displays the maximum encountered value during a display period.
For the Throughput (kbps), average and maximum throughput are calculated on the following periods:
Periodicity | Average (throughput) | Maximum (Peak throughput)
Hour | 15 minutes | 15 minutes
Day | 15 minutes | 15 minutes
Week | 1 hour | 15 minutes
Month | 4 hours | 15 minutes
The table
The Site table presents the following information:
Site
Name of the Site (ip|engine).
Volume (%)
Percentage of total volume used by the site.
Volume (MB)
Volume used by the site in Mega bytes.
Volume Evolution (++/+/0/-/- -)
Volume evolution for the 3 last periodicity levels.
AQS (0 to 10)
Application Quality Score of the sites.
Quality Evolution (++/+/0/-/- -)
Quality evolution for the 3 last periodicity levels.
9. 6. SLA (SERVICE LEVEL AGREEMENT) REPORTS
9. 6. 1. is - sla - domain overview - graph
Service Level Agreement Table
Service Level Agreement - Domain
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
What is measured
AQS per critical Application Group (Top and High), AQS per site for critical Application Groups, Over activity per site (%).
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
Used to display in a graph an overall view of the service level agreement supplied by the network. Presents the following information:
Application Group graph
This graph represents the AQS during no over activity, per critical Application Group (Top and High).
Site graph
This graph represents the AQS during no over activity of the 10 worst Sites, for the critical Application Groups (Top and High).
Over activity per site (%) graph
This graph represents the percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
9. 6. 2. is - sla - domain overview - table
Service Level Agreement Table
Service Level Agreement - Domain - overview
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
What is measured
Volume, AQS, MOS, Over activity — per critical Application Group (Top and High), per site for critical Application Groups.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The tables
The tables present the following information:
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
Volume (%)
Percentage of volume represented by the Application Group.
AQS
Application Quality Score during no over-activity.
MOS
Mean Opinion Score during no over-activity.
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
Site
Name of the Site.
Volume (%)
Percentage of volume represented by the Site for the critical Application Groups (Top and High).
AQS
Application Quality Score during no over-activity.
MOS
Mean Opinion Score during no over-activity.
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
9. 6. 3. is - sla - domain - aqs summary
Service Level Agreement Table
Service Level Agreement - Domain - AQS summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
What is measured
AQS, Over activity — per critical Application Group (Top and High), per site for critical Application Groups.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The tables
The tables present the following information:
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
AQS > 5.0 (%)
Percentage of time when qualified AQS > 5.0 during no over-activity.
AQS > 7.0 (%)
Percentage of time when qualified AQS > 7.0 during no over-activity.
AQS > 8.0 (%)
Percentage of time when qualified AQS > 8.0 during no over-activity.
AQS > 9.0 (%)
Percentage of time when qualified AQS > 9.0 during no over-activity.
AQS > 9.5 (%)
Percentage of time when qualified AQS > 9.5 during no over-activity.
AQS > 9.8 (%)
Percentage of time when qualified AQS > 9.8 during no over-activity.
AQS > 9.9 (%)
Percentage of time when qualified AQS > 9.9 during no over-activity.
AQS = 10 (%)
Percentage of time when qualified AQS = 10 during no over-activity.
Site
Name of the Site.
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
AQS > 5.0 (%)
Percentage of time when qualified AQS > 5.0 during no over-activity.
AQS > 7.0 (%)
Percentage of time when qualified AQS > 7.0 during no over-activity.
AQS > 8.0 (%)
Percentage of time when qualified AQS > 8.0 during no over-activity.
AQS > 9.0 (%)
Percentage of time when qualified AQS > 9.0 during no over-activity.
AQS > 9.5 (%)
Percentage of time when qualified AQS > 9.5 during no over-activity.
AQS > 9.8 (%)
Percentage of time when qualified AQS > 9.8 during no over-activity.
AQS > 9.9 (%)
Percentage of time when qualified AQS > 9.9 during no over-activity.
AQS = 10 (%)
Percentage of time when qualified AQS = 10 during no over-activity.
9. 6. 4. is - sla - domain - ag aqs summary
Service Level Agreement Table
The report is a part of “is - sla - domain - aqs summary” described above: it shows its first table (Application Group).
9. 6. 5. is - sla - domain - site aqs summary
Service Level Agreement Table
The report is a part of “is - sla - domain - aqs summary” described above: it shows its second table (Site).
9. 6. 6. is - sla - domain - mos summary
Service Level Agreement Table
Service Level Agreement - Domain - MOS summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
What is measured
MOS, Over activity — per critical Application Group (Top and High), per site for critical Application Groups.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The tables
The tables present the following information:
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
MOS > 2.6 (%)
Percentage of time when MOS > 2.6 during no over-activity.
MOS > 3.1 (%)
Percentage of time when MOS > 3.1 during no over-activity.
MOS > 3.6 (%)
Percentage of time when MOS > 3.6 during no over-activity.
MOS > 4.0 (%)
Percentage of time when MOS > 4.0 during no over-activity.
MOS > 4.3 (%)
Percentage of time when MOS > 4.3 during no over-activity.
MOS > 4.4 (%)
Percentage of time when MOS > 4.4 during no over-activity.
Site
Name of the Site.
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
MOS > 2.6 (%)
Percentage of time when MOS > 2.6 during no over-activity.
MOS > 3.1 (%)
Percentage of time when MOS > 3.1 during no over-activity.
MOS > 3.6 (%)
Percentage of time when MOS > 3.6 during no over-activity.
MOS > 4.0 (%)
Percentage of time when MOS > 4.0 during no over-activity.
MOS > 4.3 (%)
Percentage of time when MOS > 4.3 during no over-activity.
MOS > 4.4 (%)
Percentage of time when MOS > 4.4 during no over-activity.
9. 6. 7. is - sla - site summary
Service Level Agreement Table
Service Level Agreement - Site summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ An Equipped site.
What is measured
AQS, MOS, Over activity per critical Application Group (Top and High).
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The tables
The tables present the following information:
■ % of time with qualified AQS > value
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
AQS > 5.0 (%)
Percentage of time when qualified AQS > 5.0 during no over-activity.
AQS > 7.0 (%)
Percentage of time when qualified AQS > 7.0 during no over-activity.
AQS > 8.0 (%)
Percentage of time when qualified AQS > 8.0 during no over-activity.
AQS > 9.0 (%)
Percentage of time when qualified AQS > 9.0 during no over-activity.
AQS > 9.5 (%)
Percentage of time when qualified AQS > 9.5 during no over-activity.
AQS > 9.8 (%)
Percentage of time when qualified AQS > 9.8 during no over-activity.
AQS > 9.9 (%)
Percentage of time when qualified AQS > 9.9 during no over-activity.
AQS = 10 (%)
Percentage of time when qualified AQS = 10 during no over-activity.
■ % of time with qualified MOS > value
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
MOS > 2.6 (%)
Percentage of time when MOS > 2.6 during no over-activity.
MOS > 3.1 (%)
Percentage of time when MOS > 3.1 during no over-activity.
MOS > 3.6 (%)
Percentage of time when MOS > 3.6 during no over-activity.
MOS > 4.0 (%)
Percentage of time when MOS > 4.0 during no over-activity.
MOS > 4.3 (%)
Percentage of time when MOS > 4.3 during no over-activity.
MOS > 4.4 (%)
Percentage of time when MOS > 4.4 during no over-activity.
9. 6. 8. is - sla - site aqs summary
Service Level Agreement Table
The report is a part of “is - sla - site summary” described above: it shows its first table (% of time with qualified AQS > value).
9. 6. 9. is - sla - site mos summary
Service Level Agreement Table
The report is a part of “is - sla - site summary” described above: it shows its second table (% of time with qualified MOS > value).
9. 6. 10. is - sla - site exploitation
Service Level Agreement Table
Service Level Agreement - site exploitation
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Site or a list of sites.
What is measured
AQS, MOS, Volume, Sessions density, Over activity.
How it is measured
From data collected every Short reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | Short reporting | 5 minutes | 1 hour | 4 hours
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
The graphs present the following information:
AQS graph
This graph represents the Application Quality Score during no over activity, per critical Application Group (Top and High).
MOS graph
This graph represents the Mean Opinion Score during no over-activity, per Application Group.
Volume (MBytes) graph
This graph represents the volume of data (MBytes) exchanged by each critical Application Group (Top and High) and for all non critical ones (Medium and Low).
Session density graph
This graph represents the number of sessions for each critical Application Group (Top and High) and for all non critical ones (Medium and Low).
Overactivity (%) graph
This graph represents the percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
9. 6. 11. is - sla - site customer
Service Level Agreement Table
Service Level Agreement - site customer
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Site or a list of sites.
What is measured
AQS, MOS, Volume, Sessions, Over activity.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
The graphs present the following information:
AQS graph
This graph represents the Application Quality Score during no over activity, per critical Application Group (Top and High).
MOS graph
This graph represents the Mean Opinion Score during no over-activity, per Application Group.
Volume (MBytes) graph
This graph represents the volume of data (MBytes) exchanged by each critical Application Group (Top and High) and for all non critical ones (Low and Medium).
Session density graph
This graph represents the number of sessions for each critical Application Group (Top and High) and for all non critical ones (Low and Medium).
Overactivity (%) graph
This graph represents the percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
The table
The table presents the following information:
Application Group
Name of the Application Group.
Criticality
Criticality of the Application Group (Top and High only).
AQS
Application Quality Score during no over-activity.
MOS
Mean Opinion Score during no over-activity.
Overactivity (%)
Percentage of time when the Right Size (computed by Smart planning) is higher than the WAN access for “Top” and “High” traffic.
Volume (%)
Percentage of volume represented by the Application Group.
9. 7. CAM (CLOUD APPLICATION MONITORING) REPORTS
9. 7. 1. is - cam - clients overview
Cloud Application Monitoring Table
Cloud Application Monitoring - Clients Overview
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
This template really makes sense for Applications and Application Groups.
What is measured
Number of Users (1 User = 1 IP address), Number of Transactions (1 Transaction = 1 PUSH packet sent by a client), Transaction Time, Server delay, Number of Transactions per second, Transaction size, Transaction efficiency.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The pie chart
The pie chart is used to display the number of Users per Site.
The horizontal bar graphs
The horizontal bar graphs are used to display the breakdown of Transaction times per Site into three metrics:
■ Request time,
■ Response time (should be renamed Server delay in the next software release),
■ Transaction time (should be renamed Response time in the next software release).
These three metrics are illustrated below (with their new names):
The Transaction efficiency (in kbps) is defined as the Transaction size (in KB) divided by Transaction time (in ms) (multiplied by 8,192 to get the result in kbps). Note that for the same Transaction, the 3 steps Request / Server delay / Response can vary a lot, according to whether a proxy is used or not (and to its position, when used):
This does not matter, from the User’s perspective (the response time that they get is the same in either case – and so is the Transaction efficiency). Another consequence of proxies can be a difference in the number of Users: as 1 “User” = 1 IP address (= 1 device in fact), if there’s a proxy on the LAN side of the ip|engine, the latter will only “see” 1 “User” (In a VPN, the ip|engine generally sits behind the proxy).
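The definitions above (1 User = 1 IP address, Transaction efficiency = Transaction size in KB / Transaction time in ms × 8,192) applied to constructed records, including the proxy effect on the User count. This is an added example, not Ipanema code: the record layout, function names and addresses are assumptions, as is computing the efficiency from the averaged size and time.

```python
"""CAM metric definitions applied to constructed transaction records."""
from dataclasses import dataclass, replace
from statistics import mean

# 1 KB = 8,192 bits, and 1 bit per ms equals 1 kbit per s,
# so KB per ms multiplied by 8,192 gives kbps (the manual's factor).
KB_PER_MS_TO_KBPS = 8192


@dataclass(frozen=True)
class Transaction:
    """One record = one transaction = one PUSH packet sent by a client.

    Field names are assumptions made for this example.
    """
    client_ip: str              # source address as seen at the measuring point
    size_kb: float              # transaction size in KB
    transaction_time_ms: float  # transaction time in ms


def cam_summary(transactions):
    """Return Users, Transactions and the averaged size, time and efficiency."""
    if not transactions:
        return {"users": 0, "transactions": 0, "size_kb": 0.0,
                "transaction_time_ms": 0.0, "efficiency_kbps": 0.0}
    avg_size = mean(t.size_kb for t in transactions)
    avg_time = mean(t.transaction_time_ms for t in transactions)
    # Assumption: efficiency is derived from the averaged size and time.
    efficiency = avg_size / avg_time * KB_PER_MS_TO_KBPS if avg_time > 0 else 0.0
    return {
        # 1 User = 1 IP address, so Users is the count of distinct sources.
        "users": len({t.client_ip for t in transactions}),
        "transactions": len(transactions),
        "size_kb": avg_size,
        "transaction_time_ms": avg_time,
        "efficiency_kbps": efficiency,
    }


def seen_through_proxy(transactions, proxy_ip):
    """Same traffic as measured when a proxy sits on the LAN side.

    Every transaction then carries the proxy's source address.
    """
    return [replace(t, client_ip=proxy_ip) for t in transactions]


# Constructed sample: three devices, four transactions.
SAMPLE = [
    Transaction("10.1.0.11", 64.0, 200.0),
    Transaction("10.1.0.12", 16.0, 100.0),
    Transaction("10.1.0.11", 40.0, 300.0),
    Transaction("10.1.0.13", 40.0, 200.0),
]

if __name__ == "__main__":
    direct = cam_summary(SAMPLE)
    proxied = cam_summary(seen_through_proxy(SAMPLE, "10.1.0.1"))
    for label, summary in (("direct", direct), ("via proxy", proxied)):
        print(f"{label:10} users={summary['users']} "
              f"transactions={summary['transactions']} "
              f"efficiency={summary['efficiency_kbps']:.1f} kbps")
```

The User count drops from 3 to 1 behind the proxy while the Transaction efficiency is unchanged, so the Users column is a count of source addresses rather than of people or devices.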
The vertical table
The vertical table is used to display the following indicators concerning the Domain traffic:
Users
Number of Users (1 User = 1 IP address).
Max Users
Maximum number of Users measured during the period.
New sessions/s
Number of new TCP sessions established per second.
Transactions/s
Number of transactions per second (one TCP session can be made up of multiple transactions).
Response time (ms)
Server delay (this metric should be renamed Server delay in the next software release).
Transaction time (ms)
Transaction time (refer to the schemes above).
Transaction size (KB)
Average number of kilo bytes per transaction.
Transaction efficiency (kbps)
Transaction size (in KB) divided by Transaction time (in ms) multiplied by 8,192 (to get the result in kbps).
The vertical bar graphs
The vertical bar graph is used to display the Response time (to be renamed Server delay in the next software release) breakdown per range of delays.
The horizontal table
The horizontal table is used to display the following indicators concerning the Sites traffic (same information as in the vertical table above, but Site by Site):
Site
Name of the Site.
Users
Number of Users (1 User = 1 IP address).
Max Users
Maximum number of Users measured during the period.
New sessions/s
Number of new TCP sessions established per second.
Transactions/s
Number of transactions per second (one TCP session can be made up of multiple transactions).
Response time (ms)
Server delay (this metric should be renamed Server delay in the next software release).
Transaction time (ms)
Transaction time (refer to the schemes above).
Transaction size (KB)
Average number of kilo bytes per transaction.
Transaction efficiency (kbps)
Transaction size (in KB) divided by Transaction time (in ms) multiplied by 8,192 (to get the result in kbps).
9. 7. 2. is - cam - time evolution
Cloud Application Monitoring Table
Cloud Application Monitoring - Time evolution
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
This template really makes sense for Applications and Application Groups.
What is measured
Number of Users (1 User = 1 IP address), Transaction Time, Number of Sessions and Number of Transactions (1 Transaction = 1 PUSH packet sent by a client), Transaction efficiency.
How it is measured
From data collected every Short reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display rate | Short reporting | 5 minutes | 1 hour | 4 hours
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The graphs
The graphs present the following information:
Users graph
This graph represents the number of Users.
Transaction Time (ms) graph
This graph represents the average Transaction Time (in ms) with its breakdown:
■ Request time (in ms),
■ Response time (in ms; should be renamed Server delay in the next software release),
■ Transaction time (in ms; should be renamed Response time in the next software release).
Sessions and Transactions graph
This graph represents the number of Sessions and the number of Transactions per second (1 Transaction = 1 PUSH packet sent by a client).
Transaction efficiency (in kbps) graph
This graph represents Transaction efficiency (in kbps): Transaction efficiency = Transaction size (in KB) divided by Transaction time (in ms) multiplied by 8,192 (to get the result in kbps).
9. 8. AM (APPLICATION MONITORING) REPORTS
9. 8. 1. is - am - site summary - tcp
Application Monitoring Table
Application Monitoring - Site Summary - TCP
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Packet retransmission, SRT, RTT, Non TCP sessions, TCP sessions, Goodput, Non TCP Throughput, TCP Throughput.
How it is measured
From data collected every Long reporting period.
Type of report | Hourly | Daily | Weekly | Monthly
Display Rate | 1 hour | 1 day | 1 week | 1 month
Time Span | 1 hour | 1 day | 1 week | 1 month
Life Time | 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts, Executive officers
The table
The table is used to display the following indicators concerning the Site traffic:
Site
Name of the Site.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non-TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4 level.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
9. 8. 2. is - am - application group summary - tcp
Application monitoring Table
Application Monitoring - application group summary - TCP
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Packet retransmission, SRT, RTT, Non TCP sessions, TCP sessions, Goodput, Non TCP Throughput, TCP Throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Groups table
Used to display in a table the following indicators concerning the Application Group traffic.
Application Group
Name of the Application Group.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non-TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
9. 8. 3. is - am - application group summary - per dir. - tcp
Application monitoring Table
Application Monitoring - application group Summary - per direction - TCP
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
What is measured
Packet retransmission, SRT, RTT, Non TCP sessions, TCP sessions, Goodput, Non TCP Throughput, TCP Throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Groups table
Used to display in a table the following indicators concerning the Application Group traffic.
Application Group
Name of the Application Group.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4 level.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
9. 8. 4. is - am - application summary - tcp
Application monitoring Table
Application Monitoring - Application Summary - TCP
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Packet retransmission, SRT, RTT, Non TCP sessions, TCP sessions, Goodput, Non TCP Throughput, TCP Throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application table
Used to display in a table the following indicators concerning the Application traffic.
Application
Name of the Application.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non-TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4 level.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
9. 8. 5. is - am - application summary - per direction - tcp
Application monitoring Table
Application Monitoring - Application Summary - per direction - TCP
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
What is measured
Packet retransmission, SRT, RTT, Non TCP sessions, TCP sessions, Goodput, Non TCP Throughput, TCP Throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application table
Used to display in a table the following indicators concerning the Application traffic.
Application
Name of the Application.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Packet retrans.
Percentage of retransmitted TCP segments.
SRT
Server response time (in ms).
RTT
Round trip time (in ms).
Non-TCP sess.
Number of non-TCP sessions per second.
TCP sess.
Number of TCP sessions per second.
Goodput
Number of kbits per second at layer 4 level.
Non-TCP Thput
Number of non-TCP segments kilobits per second, measured at IP layer.
TCP Thput
Number of TCP segments kilobits per second, measured at IP layer.
9. 8. 6. is - am - time evolution - tcp
Application monitoring Table
Application Monitoring - time evolution - tcp
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
SRT, RTT, packet retransmission, Throughput (TCP and non TCP), Goodput (TCP), sessions.
How it is measured
From data collected every Short reporting period.
Type of report   Hourly            Daily       Weekly    Monthly
Display rate     Short reporting   5 minutes   1 hour    4 hours
Time Span        1 hour            1 day       1 week    1 month
Life Time        24 hours          7 days      5 weeks   12 months
Audience         Network analysts, Executive officers
The graphs
The graphs present the following information:
SRT (ms) graph
This graph represents the average Server response time (in ms).
RTT (ms) graph
This graph represents the average Round trip time (in ms).
Packet retransmission graph
This graph represents the percentage of retransmitted TCP segments.
Throughput graph
This graph represents:
■ TCP: the number of TCP segments per second (in kbps, measured at IP level) (dark blue).
■ non TCP: the number of non TCP segments per second (in kbps, measured at IP level) (light blue).
■ Goodput: the number of kbits per second at layer 4 level (green).
■ Peak: the maximum encountered value during a display period (red).
Sessions graph
This graph represents:
■ TCP: the number of TCP sessions per second (dark green).
■ non TCP: the number of non TCP sessions per second (light green).
9. 9. PM (PERFORMANCE MONITORING) REPORTS
9. 9. 1. is - pm - site summary
Performance Monitoring Table
Performance Monitoring - site summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
LAN-to-LAN and WAN-to-WAN average delay, packet loss and throughput, total sessions.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Site table
Used to display in a table the following indicators concerning the Site traffic.
Site
Name of the Site.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
LAN average delay (ms)
LAN-to-LAN average delay of packets (in ms).
WAN average delay (ms)
WAN-to-WAN average delay of packets (in ms).
LAN packet loss (%)
Percentage of IP packets lost between the LAN interfaces of the ip|engines.
WAN packet loss (%)
Percentage of IP packets lost between the WAN interfaces of the ip|engines.
LAN total throughput (kbps)
Number of kbits per second at the IP level measured on the LAN interface of the ip|engine.
WAN total throughput (kbps)
Number of kbits per second at the IP level measured on the WAN interface of the ip|engine.
Total sessions
Total number of sessions (on ip|engines and/or tele|engines).
9. 9. 2. is - pm - application group summary
Performance Monitoring Table
Performance Monitoring - application group summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Total sessions, total throughput, packet size, delay, jitter, packet loss, packet retransmission, SRT, RTT.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Group table
Used to display in a table the following indicators concerning the Application Group traffic.
Application Group
Name of the Application Group.
Total sessions
Total number of sessions (on ip|engines and/or tele|engines) for ingress and egress directions.
Total throughput (kbps)
Total number of kbits per second at IP level (on ip|engines and/or tele|engines) for ingress and egress directions.
Packet size (bytes)
Average packet size in bytes (on ip|engines and/or tele|engines) for ingress and egress directions.
Delay (ms)
Average delay of packets (in ms) for ingress and egress directions.
Jitter (ms)
Delay variation (in ms) for ingress and egress directions.
Packet loss (%)
Percentage of lost IP packets for ingress and egress directions.
Packet retrans. (%)
Percentage of retransmitted TCP segments for ingress and egress directions.
SRT (ms)
Average Server Response Time (in ms).
RTT (ms)
Average Round Trip Time (in ms).
9. 9. 3. is - pm - application group summary per direction
Performance Monitoring Table
Performance Monitoring - application group summary per direction
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Site or a list of sites.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Key or a list of keys.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Subnet or a list of subnets.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
What is measured
Delay, jitter, packet loss, qualified packet size, qualified sessions, total throughput, total packet size, total sessions, qualified throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Group table
Used to display in a table the following indicators concerning the Application Group traffic.
Application Group
Name of the Application Group.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Delay (ms)
Average delay of packets (in ms).
Jitter (ms)
Delay variation (in ms).
Packet loss (%)
Percentage of lost IP packets.
Packet retrans. (%)
Percentage of retransmitted TCP segments.
SRT (ms)
Average Server Response Time (in ms).
RTT (ms)
Average Round Trip Time (in ms).
Packet size (bytes)
Average packet size in bytes (on ip|engines and/or tele|engines).
Total sess.
Total number of sessions (on ip|engines and/or tele|engines).
Total Thput (kbps)
(Total throughput) Total number of kbits per second at IP level (on ip|engines and/or tele|engines).
9. 9. 4. is - pm - application summary
Performance Monitoring Table
Performance Monitoring - Application summary
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Total sessions, total throughput, packet size, delay, jitter, packet loss, packet retransmission, SRT, RTT.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Group table
Used to display in a table the following indicators concerning the Application Group traffic:
Application
Name of the Application.
Total sessions
Total number of sessions (on ip|engines and/or tele|engines) for ingress and egress directions.
Total throughput (kbps)
Total number of kbits per second at IP level (on ip|engines and/or tele|engines) for ingress and egress directions.
Packet size (bytes)
Average packet size in bytes (on ip|engines and/or tele|engines) for ingress and egress directions.
Delay (ms)
Average delay of packets (in ms) for ingress and egress directions.
Jitter (ms)
Delay variation (in ms) for ingress and egress directions.
Packet loss (%)
Percentage of lost IP packets for ingress and egress directions.
Packet retrans. (%)
Percentage of retransmitted TCP segments for ingress and egress directions.
SRT (ms)
Average Server Response Time (in ms).
RTT (ms)
Average Round Trip Time (in ms).
9. 9. 5. is - pm - application summary per direction
Performance Monitoring Table
Performance Monitoring - application summary per direction
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Site or a list of sites.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Key or a list of keys.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
■ A Subnet or a list of subnets.
  – Per Application or a list of applications.
  – Per Application Group or a list of Application Groups.
  – Per Criticality or a list of criticality levels.
What is measured
Delay, jitter, packet loss, packet retransmission, SRT, RTT, packet size, total sessions, total throughput.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Application Group table
Used to display in a table the following indicators concerning the Application Group traffic.
Application
Name of the Application.
Criticality
Criticality level according to the Application Group name associated to the application.
In the following columns,
■ => represents the LAN => WAN - or ingress - direction,
■ <= represents the WAN => LAN - or egress - direction.
Delay (ms)
Average delay of packets (in ms).
Jitter (ms)
Delay variation (in ms).
Packet loss (%)
Percentage of lost IP packets.
Packet retrans. (%)
Percentage of retransmitted TCP segments.
SRT (ms)
Average Server Response Time (in ms).
RTT (ms)
Average Round Trip Time (in ms).
Packet size (bytes)
Average packet size in bytes (on ip|engines and/or tele|engines).
Total sessions
Total number of sessions (on ip|engines and/or tele|engines).
Total throughput (kbps)
Total number of kbits per second at IP level (on ip|engines and/or tele|engines).
9. 9. 6. is - pm - traffic topology
Performance Monitoring Table
Performance Monitoring - traffic topology
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
■ An Application or a list of applications.
■ An Application Group or a list of Application Groups.
■ A Criticality or a list of criticality levels.
What is measured
Total traffic, qualified traffic, Traffic profile (kbps/%time), packet%/delay threshold, sites and their ingress and egress throughputs.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
The Tables
The tables present the following information:
Total traffic table
Used to display in a table the following indicators concerning the ip|engine traffic or the Domain traffic:
Packet size
Average packet size (in bytes).
Sessions
Number of sessions during a display period.
Throughput
Average throughput during a display period (kbps).
Volume
Total number of bytes (in MBytes).
Qualified traffic table
Average delay
Average delay of total packets between ip|engines (in ms).
Jitter
Average delay variation (in ms).
Packet loss
Percentage of lost IP packets during a display period.
Packets size
Average packet size (in bytes).
Sessions
Number of qualified sessions during a display period.
Throughput
Number of qualified bits per second at IP level (kbps).
Volume
Total number of qualified bytes during a display period (in MB).
The graphs
The graphs present the following information:
Traffic profile (kbps / % time) graph
Maximum bandwidth reached during the Time percentage:
10
Bandwidth reached during 90% of time during the display period.
30
Bandwidth reached during 70% of time during the display period.
50
Bandwidth reached during 50% of time during the display period.
67
Bandwidth reached during 33% of time during the display period.
80
Bandwidth reached during 20% of time during the display period.
90
Bandwidth reached during 10% of time during the display period.
95
Bandwidth reached during 5% of time during the display period.
98
Bandwidth reached during 2% of time during the display period.
99
Bandwidth reached during 1% of time during the display period.
100
Peak rate reached during the display period.
This representation is very useful to get a view of the bandwidth usage.
Case 1: If all values are about the same at 100 kbps, the throughput is constant over time and always very close to 100 kbps. If the line is a leased line of 512 kbps, then this line is over-dimensioned and can be reduced at least down to 256 kbps.
Case 2: On the other hand, suppose that the values are almost all equal to zero except the 100 value, which is very close to 450 kbps: this means the line is used 1% of the time. The reason for this peak usage should be checked.
This representation is useful because it is still meaningful when observed over a long period of time. A time evolution representation could have masked the bursty behavior of the line in case 2.
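The traffic profile and the two cases above can be reproduced from raw throughput samples. The following Python sketch is an added example, not ip|reporter code: the nearest-rank percentile method, the thresholds in `classify()` and the constructed sample data are assumptions.

```python
"""Traffic profile (kbps / % time) built from throughput samples.

Added illustration: the nearest-rank method, the thresholds in classify()
and the sample data are assumptions, not ip|reporter's own algorithm.
"""

# Time percentages shown in the traffic profile table of the report.
PROFILE_POINTS = (10, 30, 50, 67, 80, 90, 95, 98, 99, 100)


def traffic_profile(samples_kbps):
    """Map each time percentage to the bandwidth not exceeded during that
    share of the display period (the 100 value is the peak rate)."""
    if not samples_kbps:
        raise ValueError("no throughput samples in the display period")
    ordered = sorted(samples_kbps)
    count = len(ordered)
    profile = {}
    for pct in PROFILE_POINTS:
        # Nearest-rank percentile, in integer arithmetic to avoid float rounding.
        rank = max(1, (pct * count + 99) // 100)
        profile[pct] = ordered[rank - 1]
    return profile


def mean_kbps(samples_kbps):
    """Average throughput, i.e. what a single time-evolution point would show."""
    return sum(samples_kbps) / len(samples_kbps)


def classify(profile, line_rate_kbps):
    """Label a profile in the terms of the two cases discussed in the text."""
    peak = profile[100]
    if peak == 0:
        return "idle"
    # Case 2: only the 100 value is significant, a short peak to investigate.
    if profile[99] < 0.1 * peak:
        return "peak-only"
    # Case 1: even the peak fits in half of the line rate.
    if peak <= line_rate_kbps / 2:
        return "over-dimensioned"
    return "in-use"


# Constructed samples: 300 measurements over one display period.
# Case 1: throughput stays between 98 and 102 kbps on a 512 kbps leased line.
CASE_1 = [98 + (i % 5) for i in range(300)]
# Case 2: the line is idle except for three samples (1% of the time) at 450 kbps.
CASE_2 = [0] * 300
CASE_2[120:123] = [450, 450, 450]

if __name__ == "__main__":
    for name, samples in (("case 1", CASE_1), ("case 2", CASE_2)):
        profile = traffic_profile(samples)
        print(name, classify(profile, 512), "mean=%.1f kbps" % mean_kbps(samples))
        print("  ", profile)
```

On the constructed case 2 data the mean is 4.5 kbps while the 100 value is 450 kbps, which is the masking effect of an averaged view that the text describes.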
Packet % / Delay threshold (ms) graph This graph shows the packet delay distribution: LAN Application Control Activity, Duration and Evolution, Compression ratio and Saved bandwidth; CIFS average and maximum active sessions From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
Site table
Used to display in a table the following indicators concerning the Sites traffic.
Site
Name of the Site (ip|engine).
TRAFFIC CONTROL
LAN => WAN Activity (%)
Percentage of time when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the LAN => WAN direction.
LAN => WAN Duration (sec)
Number of seconds when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the LAN => WAN direction.
LAN => WAN Evolution (++/+/o/-/--)
Evolution of the Application Control Activity in the LAN => WAN direction.
WAN => LAN Activity (%)
Percentage of time when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the WAN => LAN direction.
WAN => LAN Duration (sec)
Number of seconds when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the WAN => LAN direction.
WAN => LAN Evolution (++/+/o/-/--)
Evolution of the Application Control Activity in the WAN => LAN direction.
If there are several NAPs on a Site, the metrics are aggregated for all of them. So, for instance, on a Site with two NAPs, one permanently congested in the LAN => WAN direction (3600 seconds per hour) and the second one never congested (0 seconds), the “LAN => WAN Duration” will be 3600 seconds (in an hourly report), but the “LAN => WAN Activity” will be 50% only.
COMPRESSION
LAN => WAN Comp. ratio (%)
Compression ratio for the emitted traffic (in the LAN => WAN direction).
LAN => WAN Saved bandwidth (kbps)
LAN => WAN Bandwidth saved thanks to Compression (= LAN-to-LAN ingress throughput - WAN-to-WAN ingress throughput).
WAN => LAN Decomp. ratio (%)
Decompression ratio for the received traffic (in the WAN => LAN direction).
WAN => LAN Saved bandwidth (kbps)
WAN => LAN Bandwidth saved thanks to Decompression (= LAN-to-LAN egress throughput - WAN-to-WAN egress throughput).
ACCELERATION
CIFS Active Sessions (Average)
Average number of CIFS accelerated sessions.
CIFS Active Sessions (Max)
Maximum number of CIFS accelerated sessions.
9. 14. 2. is - sam - time evolution
Services Activity Monitoring Table
Services Activity Monitoring - Time evolution
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
What is measured
LAN => WAN and WAN => LAN Application Control Activity and Duration, Compression ratio and Saved bandwidth, CIFS Active Sessions and Acceleration factor.
How it is measured
From data collected every Short reporting period.
Type of report   Hourly            Daily       Weekly    Monthly
Display rate     Short reporting   5 minutes   1 hour    4 hours
Time Span        1 hour            1 day       1 week    1 month
Life Time        24 hours          7 days      5 weeks   12 months
Audience         Network analysts, Executive officers
The graphs
The graphs present the following information:
Application Control Service graphs:
■ LAN => WAN Consolidated Congestion Control Activity (%): percentage of time when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the LAN => WAN direction.
■ WAN => LAN Consolidated Congestion Control Activity (%): percentage of time when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the WAN => LAN direction.
■ LAN => WAN Consolidated Congestion Control Duration (sec): number of seconds when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the LAN => WAN direction.
■ WAN => LAN Consolidated Congestion Control Duration (sec): number of seconds when the Application Control feature had to kick in to avoid congestion and protect the critical traffic emitted on all NAPs of the Site, in the WAN => LAN direction.
If there are several NAPs on a Site, the metrics are aggregated for all of them. So, for instance, on a Site with two NAPs, one permanently congested in the LAN => WAN direction (60 seconds per minute) and the second one never congested (0 seconds), the “LAN => WAN Duration” will be 60 seconds during a given minute (in an hourly report), but the “LAN => WAN Activity” will be 50% only. ip|fast end-to-end activity is not considered.
Compression Service graphs:
■ Consolidated Compression Ratio (%): compression ratio for the emitted traffic.
■ Consolidated Decompression Ratio (%): decompression ratio for the received traffic.
■ LAN => WAN Consolidated Saved Bandwidth (kbps): bandwidth saved thanks to compression, ingress (= ingress LAN-to-LAN throughput - ingress WAN-to-WAN throughput).
■ WAN => LAN Consolidated Saved Bandwidth (kbps): bandwidth saved thanks to compression, egress (= egress LAN-to-LAN throughput - egress WAN-to-WAN throughput).
CIFS Acceleration Service graphs:
■ Consolidated CIFS Active Sessions: number of CIFS active and accelerated sessions.
■ Consolidated CIFS Acceleration factor: CIFS acceleration factor (= number of SMB messages sent by clients divided by the number of SMB messages sent to servers).
9. 15. VOIP REPORTS
Ipanema Technologies VoIP reports provide easy-to-use data for Voice over IP. Using information gathered by the ip|engines performance measurement function, then aggregated by the ip|boss central management software, VoIP reports generate per-Codec metrics specific to Voice over IP, such as the MOS (Mean Opinion Score).
MOS definition
The data generated by the VoIP module is available throughout the whole Ipanema System. ip|boss makes it available through the SNMP interface, and ip|reporter uses it to generate the appropriate easy-to-use reports.
9. 15. 1. is - voip - synthesis
VoIP Table
VoIP Synthesis
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
What is measured
MOS distribution ingress and egress direction per Codec.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
The graphs
The graphs present the following information:
MOS distribution graph
MOS range reached in percentage of Time.
[1,3]
MOS between 1 and 3 in percentage of time during the display period.
[3,3.5]
MOS between 3 and 3.5 in percentage of time during the display period.
[3.5,4]
MOS between 3.5 and 4 in percentage of time during the display period.
[4,4.5]
MOS between 4 and 4.5 in percentage of time during the display period.
[4.5,5]
MOS between 4.5 and 5 in percentage of time during the display period.
This representation is very useful to get a view of Voice over IP quality.
MOS example
9. 15. 2. is - voip - time evolution
VoIP Table
VoIP Time Evolution
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
■ A Subnet or a list of subnets.
What is measured
MOS, delay, jitter, packet loss, sessions for ingress and egress direction.
How it is measured
From data collected every Short reporting period.
Type of report   Hourly            Daily       Weekly    Monthly
Display rate     Short reporting   5 minutes   1 hour    4 hours
Time Span        1 hour            1 day       1 week    1 month
Life Time        24 hours          7 days      5 weeks   12 months
Audience         Network analysts, Executive officers
The graphs
The graphs present the following information:
MOS graph:
■ Maximum MOS: the maximum MOS (Red) per Codec.
■ Average MOS: the average MOS (Blue) per Codec.
■ Minimum MOS: the minimum MOS (Green) per Codec.
■ Jitter: the average delay variation (in ms) (Yellow).
Delay (ms), Jitter (ms) graph:
■ Delay (ms): the average delay (in ms) (Blue) per Codec.
■ Jitter: the average delay variation (in ms) (Yellow) per Codec.
Packet loss (%) graph
This graph represents the percentage of lost IP packets between ip|engines per Codec.
Sessions graph:
■ Sessions: the number of sessions per second in direction of tele|engines (light blue).
■ Qualified sessions: the number of qualified sessions per second (between ip|engines) (dark Blue).
■ Peak sessions: the peak sessions curve displays maximum encountered value during a display rate.
9. 16. SA (SITE ANALYSIS) REPORTS
This chapter is divided into sections that correspond to each report template. A report description includes an overview of the report features, a graphical representation of the report, a detailed description of the report, and finally a suggested way of using the report.
9. 16. 1. is - sa - site summary ingress
Site Analysis Table
Site Analysis - site summary ingress
What can it do?
Monitored resource
This template is available for the following MetaViews:
■ A Domain.
■ A list of Sites.
■ A Key or a list of Keys.
What is measured
Throughput to (physical) ip|engines, no correlation, to (virtual) tele|engines, to Out of Domain, transit, other, locally rerouted, Non IPv4 WAN, ignored LAN.
How it is measured
From data collected every Long reporting period.
Type of report   Hourly     Daily     Weekly    Monthly
Display Rate     1 hour     1 day     1 week    1 month
Time Span        1 hour     1 day     1 week    1 month
Life Time        24 hours   7 days    5 weeks   12 months
Audience         Network analysts, Executive officers
The table
Used to display for ip|engines (in the Domain, list of sites, list of keys) the information concerning the following indicators:
Site: Name of the Site.
To physical ipe (kbps): Ingress throughput in kbps to equipped sites.
No correlation (kbps): Ingress throughput in kbps with “No correlation”. If this throughput is a major part of the total traffic, there may be a configuration error in the subnet, or some flows are not seen end to end between ip|engines.
To Virtual ipe (kbps): Ingress throughput in kbps to tele-managed sites.
To out of Domain (kbps): Ingress throughput in kbps to subnet “0.0.0.0/0” (Out Of Domain subnet).
Transit (kbps): Ingress throughput in kbps for transit flows.
Other (kbps): Ingress throughput in kbps for “Other” traffic, which contains Multicast traffic, Broadcast traffic and local traffic.
Locally rerouted (kbps): Ingress throughput in kbps for “rerouted” traffic.
Non ipv4 WAN (kbps): Ingress throughput in kbps for “non IPv4” traffic (Apple Talk, IPX, SNA, IPv6).
Ignored LAN (kbps): Ingress throughput in kbps for “Ignored LAN” traffic (BPDU, Spanning tree, loopback, ARP frames...).
9. 16. 2. is - sa - site summary egress
Site Analysis Table
Site Analysis - site summary egress
What can it do?
Monitored resource: This template is available for the following MetaViews:
■ A Domain.
■ A list of Sites.
■ A Key or a list of keys.
What is measured: Throughput from (physical) ip|engines, no correlation, from (virtual) tele|engines, from Out of Domain, transit, other, locally rerouted, Non IPv4 WAN, ignored LAN.
How it is measured: From data collected every Long reporting period.
Type of report: Hourly | Daily | Weekly | Monthly
Display Rate: 1 hour | 1 day | 1 week | 1 month
Time Span: 1 hour | 1 day | 1 week | 1 month
Life Time: 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts; Executive officers
The table
Used to display for ip|engines (in the Domain, list of sites, list of keys) the information concerning the following indicators:
Site: Name of the Site (ip|engine).
To physical ipe (kbps): Egress throughput in kbps to equipped sites.
No correlation (kbps): Egress throughput in kbps with “No correlation”. If this throughput is a major part of the total traffic, there may be a configuration error in the subnet, or some flows are not seen end to end between ip|engines.
To Virtual ipe (kbps): Egress throughput in kbps to tele-managed sites.
To out of Domain (kbps): Egress throughput in kbps to subnet “0.0.0.0/0” (Out Of Domain subnet).
Transit (kbps): Egress throughput in kbps for transit flows.
Other (kbps): Egress throughput in kbps for “Other” traffic, which contains Multicast traffic, Broadcast traffic and local traffic.
Locally rerouted (kbps): Egress throughput in kbps for “rerouted” traffic.
Non ipv4 WAN (kbps): Egress throughput in kbps for “non IPv4” traffic (Apple Talk, IPX, SNA, IPv6).
Ignored LAN (kbps): Egress throughput in kbps for “Ignored LAN” traffic (BPDU, Spanning tree, loopback, ARP frames...).
9. 16. 3. is - sa - site throughput
Site Analysis Table
Site Analysis - site throughput
What can it do?
Monitored resource: This template is available for the following MetaView:
■ An Equipped site.
What is measured: Ethernet throughput: IPv4, Apple Talk, IPX, SNA, IPv6, ignored LAN. IPv4 throughput: to/from (physical) ip|engines, no correlation, to/from (virtual) tele|engines, to/from Out of Domain, transit, other, locally rerouted, Non IPv4 WAN.
How it is measured: From data collected every Short reporting period.
Type of report: Hourly | Daily | Weekly | Monthly
Display rate: Short reporting | 5 minutes | 1 hour | 4 hours
Time Span: 1 hour | 1 day | 1 week | 1 month
Life Time: 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts; Executive officers
The graphs
Used to display for each ip|engine the information concerning the following indicators:
Ethernet-Throughput (kbps) graphs:
■ IPv4 (kbps): Ingress or egress throughput in kbps for “IPv4” traffic.
■ Apple Talk (kbps): Ingress or egress throughput in kbps for “Apple Talk” traffic.
■ IPX (kbps): Ingress or egress throughput in kbps for “IPX” traffic.
■ SNA (kbps): Ingress or egress throughput in kbps for “SNA” traffic.
■ IPV6 (kbps): Ingress or egress throughput in kbps for “IPv6” traffic.
■ Ignored LAN (kbps): Ingress or egress throughput in kbps for “Ignored LAN” traffic (BPDU, Spanning tree, loopback, ARP frames...).
IPv4-Throughput (kbps) graphs:
■ To physical ipe (kbps): Ingress or egress throughput in kbps to equipped sites.
■ No correlation (kbps): Ingress or egress throughput in kbps with “No correlation”. If this throughput is a major part of the total traffic, there may be a configuration error in the subnet, or some flows are not seen end to end between ip|engines.
■ To Virtual ipe (kbps): Ingress or egress throughput in kbps to tele-managed sites.
■ To out of Domain (kbps): Ingress or egress throughput in kbps to subnet “0.0.0.0/0” (Out Of Domain subnet).
■ Transit (kbps): Ingress or egress throughput in kbps for transit flows.
■ Other (kbps): Ingress or egress throughput in kbps for “Other” traffic, which contains Multicast traffic, Broadcast traffic and local traffic.
■ Locally rerouted (kbps): Ingress or egress throughput in kbps for “rerouted” traffic.
9. 17. FI (FAULT ISOLATION) REPORTS
9. 17. 1. is - fi - availability - evolution
Fault Isolation Table
Fault Isolation - availability - evolution
What can it do?
Monitored resource: This template is available for the following MetaViews:
■ A Domain.
■ A Site or a list of sites.
■ A Key or a list of keys.
What is measured: Status down, Status up, synchronization loss, highest CPU load, WAN overload (%).
How it is measured: From data collected every Short reporting period.
Type of report: Hourly | Daily | Weekly | Monthly
Display rate: Short reporting | 5 minutes | 1 hour | 4 hours
Time Span: 1 hour | 1 day | 1 week | 1 month
Life Time: 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts; Executive officers
The graphs
Used to display for ip|engines the information concerning the following indicators:
Status Down graph
This graph represents the Unavailability status of the ip|engine seen by the management system:
■ 100%: All ip|engines detected as unavailable.
■ xx %: the percentage of ip|engines detected as unavailable.
■ 0%: No ip|engine detected as unavailable.
Status Up graph
This graph represents the Availability status of the ip|engine seen by the management system:
■ 100%: All ip|engines detected as available.
■ xx %: the percentage of ip|engines detected as available.
■ 0%: No ip|engine detected as unavailable.
Synchronization loss graph
This graph represents the Synchronization loss status of the ip|engine:
■ 100%: All ip|engines not synchronized.
■ xx %: percentage of ip|engines detected as not synchronized.
■ 0%: All ip|engines synchronized.
Highest CPU load graph
This graph represents the highest CPU load of all ip|engines in percent if the report is instantiated on a list of ip|engines, or the CPU load of the selected ip|engine in percent if the report is instantiated on a single ip|engine.
WAN Overload graph
This graph represents the Overload status of the ip|engine (the WAN throughput exceeds the capacity of the ip|engine):
■ 100%: All ip|engines overloaded.
■ xx %: percentage of ip|engines detected as overloaded.
■ 0%: no overloaded ip|engine.
The availability and/or unavailability is linked to the manager’s ability to reach an ip|engine in the Domain.
9. 17. 2. is - fi - availability - overview
Fault Isolation Table
Fault Isolation - Availability - Overview
What can it do?
Monitored resource: This template is available for the following MetaView:
■ A Domain.
What is measured: Site, Status down (%), Status up (%), synchronized (%), highest CPU load, WAN overload (%).
How it is measured: From data collected every Long reporting period.
Type of report: Hourly | Daily | Weekly | Monthly
Display Rate: 1 hour | 1 day | 1 week | 1 month
Time Span: 1 hour | 1 day | 1 week | 1 month
Life Time: 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts; Executive officers
The table
Used to display for each ip|engine the information concerning the following indicators:
Site: Name of the Site (ip|engine).
Down Status (%): Unavailability status of the ip|engine seen by the management system.
■ 100%: the ip|engine is detected as unavailable during a whole display period.
■ xx %: the percentage of time during which the ip|engine is detected as unavailable during a display period.
■ 0%: the ip|engine is not detected as unavailable during a display period.
Up Status (%): Availability status of the ip|engine seen by the management system.
■ 100%: the ip|engine is detected as available during a whole display period.
■ xx %: the percentage of time during which the ip|engine is detected as available during a display period.
■ 0%: the ip|engine is not detected as available during a display period.
Synchronization loss (%): Synchronization status of the ip|engine.
■ 100%: the ip|engine is not synchronized during a display period.
■ xx %: the percentage of time during which the ip|engine is detected as not synchronized during a display period.
■ 0%: the ip|engine is synchronized during a whole display period.
Highest CPU load: Highest CPU load of ip|engines in percent if the report is instantiated on a list of ip|engines, or CPU load of an ip|engine in percent if the report is instantiated on a single ip|engine, during a display period.
WAN Overload (%): Overload status of the ip|engine (the WAN throughput exceeds the capacity of the ip|engine).
■ 100%: the ip|engine is overloaded during a whole display period.
■ xx %: the percentage of time during which the ip|engine is detected as overloaded during a display period.
■ 0%: the ip|engine is not overloaded during a display period.
The availability and/or unavailability is linked to the manager’s ability to reach an ip|engine in the Domain.
9. 18. SP (SMART PLANNING) REPORTS
9. 18. 1. is - sp - profile
Smart planning Table
Smart planning Profile
What can it do?
Monitored resource: This template is available for the following MetaViews:
■ An Equipped site with a single appliance,
■ plus, if the site has several WAN accesses: each WAN access.
What is measured: Throughput (kbps), Right Size (kbps).
How it is measured: From data collected every Long reporting period.
Type of report: Hourly | Daily | Weekly | Monthly
Display rate: 1 hour | 1 day | 1 week | 1 month
Time Span: 1 hour | 1 day | 1 week | 1 month
Life Time: 24 hours | 7 days | 5 weeks | 12 months
Audience: Network analysts; Executive officers
The graphs
Used to display, for each site (ip|engine) in the Domain, for all traffic in the ingress and egress direction, the throughput (in kbps) and right size (in kbps), by criticality level (top, high, medium and low) per percentage of time.
■ The bargraph ’top’ shows the bandwidth for top critical flows.
■ The bargraph ’high’ shows the bandwidth for top and high critical flows.
■ The bargraph ’medium’ shows the bandwidth for top, high and medium critical flows.
■ The bargraph ’low’ shows the bandwidth for top, high, medium and low critical flows.
On a flow per flow basis, smart|plan takes into account the traffic demand (the per-session objective bandwidth, as set in the corresponding Application Group), the actual network usage (from the measurement function) and the existence, or not, of local or distant congestions (from the Application Control function). Flows elasticity is also estimated and taken into account.
Then smart|plan aggregates this data according to access and criticality, and produces the following information:
■ the actual traffic usage (what has been exchanged on the network) per percentage of time;
■ the right size value (estimated access size to match objectives, including correction for end-to-end congestions and flows elasticity) per percentage of time.
smart|plan generates two metrics:
■ The actual usage “Throughput” (in kbps) is produced by the measurement module of the Ipanema System. The original data produced is then aggregated by criticality level and by access.
■ The access right size “Right Size” (in kbps) presents, for the site and per criticality level, a refined estimate of the access bandwidth necessary to match the service level according to the percentage of time, taking into account the flow matrix, end-to-end congestions as well as characteristics of the flows. Depending on actual traffic nature and congestion status, it can be equal to or smaller than the traffic demand.
9. 18. 2. is - sp - synthesis
Smart planning Table
Smart planning Synthesis
What can it do?
Monitored resource: This template is available for the following MetaViews:
■ A Domain.
■ A list of sites equipped with a single appliance.
■ A Key or a list of keys.
What is measured: Throughput (kbps), Estimated bandwidth for the next 3 months (kbps), Estimated bandwidth for the next year (kbps).
How it is measured: From data collected every Long reporting period.
Type of report: Daily
Display rate: 1 day
Time Span: 1 day
Life Time: 1 day
Audience: Executive officers
The tables
A table is provided for each level of criticality you want to take into account (top; top and high; top, high and medium; top, high, medium and low — that is, all the traffic). The tables display, for each site (ip|engine) in the Domain and per selected level of criticality, for all traffic in the ingress and egress directions, the throughput (in kbps) and the trends for the next 3 months and for the next year per percentile of time. For sites with multiple WAN accesses, the information is displayed both at the WAN access level (for each individual WAN link) and at the site level (all WAN links, consolidated).
For each criticality level, two tables are provided:
■ The bandwidth and its trends for the next 3 months and next year,
■ The right size and its trends for the next 3 months and next year.
On a flow per flow basis, smart|plan takes into account the traffic demand (the per-session bandwidth objective, as set in the corresponding Application Group), the actual network usage (measured by ip|true) and the presence of local or remote congestions (controlled by ip|fast). Flows elasticity is also estimated and taken into account. Then smart|plan aggregates these data according to access and criticality, and produces the following information:
■ actual usage “Throughput” (in kbps): what has been exchanged on the network as a percentage of time, aggregated by criticality level, by WAN access and by site;
■ estimated “Throughput” (in kbps): estimated WAN access size necessary to match objectives, including correction for congestions and flows elasticity, for the next 3 months (according to the network activity of the past 3 months) and for the next year (according to the network activity of the past year), as a percentage of time.
9. 19. EXPORTING THE REPORTS’ DATA WITH IP|EXPORT
Installation: please refer to the System installation manual.
The goal of ip|export is to automate scheduled data exports from the InfoVista Server Database. The process exports values from specified sets of existing indicators and instances and produces output files at a given regular period. All the parameters expected by the process are supplied as input in an XML configuration file, which contains a list of tasks. Each task describes an export action with filter expressions on Domain, MetaView and Indicator names, and many other parameters such as the type of output files, field separator, schedule period, etc. (Please refer to ip|export configuration below.) Reports displaying the requested indicators must be running at all times to allow ip|export to export them.
9. 19. 1. ip|export output files and directory
All output files are stored in the directory indicated in ip|export XML configuration file’s block. If "splitbydomain=true" then output files are classified under subdirectories that correspond to their domain names. All files are stored in this directory, so there are three things the user should do:
■ create the given output directory (ip|export process will not create it automatically),
■ make sure that there is always enough disk space to store the new output files,
■ clean or move old output files (ip|export process will not clean them automatically).
Output files are named with the following naming convention:
■ "<taskname>_<epochtime>.<ext>" if "splitbyparams=false", or
■ "<taskname>_<params>_<epochtime>.<ext>" if "splitbyparams=true".
where:
taskname: name of the task as described in the XML configuration file
params: if "splitbyparams=true", then one file per detected parameter is generated. If more than one parameter is returned, they are concatenated with the underscore "_" character. If no parameter is returned then the filename is identical to the first expression. (optional)
epochtime: GMT(UTC) date and time of the beginning of the analyzed period in number of seconds since January 1st 1970.
ext: file extension depending on the output file format as described in the XML configuration file (txt, csv, xls or xml).
9. 19. 2. ip|export log file
ip|export produces a historical log of all actions, warnings or failures that occur. This log file is named "ipm_export.log" and is located in the temporary directory (Windows: %TEMP%, Solaris: $TMP). The format of the log file is as follows:
DateTime | Type | Description
where:
DateTime: GMT(UTC) date and time with the following format: %Y/%m/%d-%H:%M:%S
Type: Message type; it can take one of the following values:
■ INFO: for an informative message
■ WARN: for a warning message
■ ERROR: for an error message
■ FATAL: for an unexpected error causing the program to stop
■ DEBUG: for a debug message if debugging has been activated
Description: A description (character string)
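The log format above can be checked automatically. The following is an added example, not part of the Ipanema manual or software: it parses "DateTime | Type | Description" lines, collects ERROR and FATAL entries, reports lines that do not fit the documented format, and flags long silences between entries. The function names, the whitespace around "|", the two-hour gap threshold and the sample log lines are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Message types listed in the manual for ipm_export.log.
LOG_TYPES = ("INFO", "WARN", "ERROR", "FATAL", "DEBUG")
# "DateTime | Type | Description"; optional whitespace around "|" is an assumption.
# The description is the rest of the line, so it may itself contain "|".
LINE_RE = re.compile(r"^\s*(\S+)\s*\|\s*([A-Z]+)\s*\|\s?(.*)$")
STAMP_FORMAT = "%Y/%m/%d-%H:%M:%S"  # format given in the manual, GMT (UTC)


def parse_log_line(line):
    """Return (datetime_utc, type, description), or None if the line does not fit."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if match is None or match.group(2) not in LOG_TYPES:
        return None
    try:
        when = datetime.strptime(match.group(1), STAMP_FORMAT)
    except ValueError:
        return None  # right shape, impossible date or time
    return when.replace(tzinfo=timezone.utc), match.group(2), match.group(3)


def review_log(lines, max_gap_seconds=7200):
    """Summarise a log: counts per type, ERROR/FATAL entries, bad lines, silences."""
    counts = Counter()
    alerts, unparsed, gaps = [], [], []
    previous = None
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if entry is None:
            # Lines outside the documented format are kept for manual review.
            unparsed.append((lineno, line.rstrip("\r\n")))
            continue
        when, mtype, _description = entry
        counts[mtype] += 1
        if mtype in ("ERROR", "FATAL"):
            alerts.append(entry)
        # A long silence between entries suggests the scheduled export stopped.
        if previous is not None and (when - previous).total_seconds() > max_gap_seconds:
            gaps.append((previous, when))
        previous = when
    return {
        "counts": dict(counts),
        "alerts": alerts,
        "unparsed": unparsed,
        "gaps": gaps,
        "debug_enabled": counts["DEBUG"] > 0,
    }


# Constructed sample lines (the descriptions are invented for this example).
SAMPLE_LOG = """\
2014/10/01-00:00:02 | INFO | task started
2014/10/01-00:00:05 | WARN | no instance matched filter | domain=default
2014/10/01-01:00:03 | INFO | task started
2014/10/01-01:00:04 | ERROR | cannot write output file
this line is not in the documented format
2014/10/01-05:00:01 | FATAL | unexpected error, stopping
"""

if __name__ == "__main__":
    report = review_log(SAMPLE_LOG.splitlines())
    print(report["counts"])
    for when, mtype, description in report["alerts"]:
        print(when.isoformat(), mtype, description)
    print("unparsed:", report["unparsed"])
    print("gaps:", report["gaps"])
```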
9. 19. 3. ip|export command usage
The ipm_export command syntax is as follows:
ipm_export [-config file] [-verbose]
ipm_export -help|?
ipm_export -version
where:
-config file: sets the configuration file; by default ip|export looks for "ipm_export.xml"
-verbose: enables the verbose mode (disabled by default)
-version: displays the current version number
-help|?: prints this help usage
9. 19. 4. ip|export output file formats
The possible output formats are text (.txt), csv, Excel (.xls) and eXtensible Markup Language (.xml), as described in the XML configuration file, for each task. For text files, the field separator can be set in the XML configuration file; by default the pipe (“|”) is used. For all output formats, the column order is always as follows:
datetime: date and time in the specified format; if no format is provided then the raw Epoch time is used (number of seconds since January 1st 1970)
domain: name of the domain (if "splitbydomain=true" then this column does not appear) (optional)
metaview: name of the MetaView.
indicator: name of the Indicator; if a rename entry is found for the indicator then the new indicator name is used
params: parameters separated with commas (if "splitbyparams=true" then this column does not appear) (optional)
value: value computed by the InfoVista Server
Examples
■ Example of text file
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - unqualified||0
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L4 - unqualified||0
2010/05/04 14:58:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 14:58:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 14:58:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 14:58:00|default|Site: Paris|ingress throughput L4 - unqualified||0
2010/05/04 14:57:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 14:57:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
....
■ Example of csv file
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L3 - L4 - qualified;;1340
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L3 - L4 - unqualified;;0
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L4 - qualified;;26660
2010/05/04 15:00:00;default;Site: Paris;ingress throughput L4 - unqualified;;0
2010/05/04 14:59:00;default;Site: Paris;ingress throughput L3 - L4 - qualified;;1340
2010/05/04 14:59:00;default;Site: Paris;ingress throughput L3 - L4 - unqualified;;0
2010/05/04 14:59:00;default;Site: Paris;ingress throughput L4 - qualified;;26660
2010/05/04 14:59:00;default;Site: Paris;ingress throughput L4 - unqualified;;0
2010/05/04 14:58:00;default;Site: Paris;ingress throughput L3 - L4 - qualified;;1340
2010/05/04 14:58:00;default;Site: Paris;ingress throughput L3 - L4 - unqualified;;0
2010/05/04 14:58:00;default;Site: Paris;ingress throughput L4 - qualified;;26660
2010/05/04 14:58:00;default;Site: Paris;ingress throughput L4 - unqualified;;0
2010/05/04 14:57:00;default;Site: Paris;ingress throughput L3 - L4 - qualified;;1340
...
■
Example of xml file
2010/05/04 15:00:00 default Site: Paris ingress throughput L3 - L4 value>1340 2010/05/04 15:00:00 default Site: Paris ingress throughput L3 - L4 value>0 2010/05/04 14:59:00 default Site: Paris ingress throughput L3 - L4 value>26660 2010/05/04 14:59:00 default Site: Paris ingress throughput L3 - L4 value>0 ... ■
qualified
unqualified
unqualified
unqualified
Example of xls file
  | A | B | C | D | E | F
1 | 2010/05/04 15:00:00 | default | Site: Paris | ingress throughput L3 - L4 - qualified | | 1340
2 | 2010/05/04 15:00:00 | default | Site: Paris | ingress throughput L3 - L4 - unqualified | | 0
3 | 2010/05/04 15:00:00 | default | Site: Paris | ingress throughput L4 - qualified | | 26660
4 | 2010/05/04 15:00:00 | default | Site: Paris | ingress throughput L4 - unqualified | | 0
5 | 2010/05/04 14:59:00 | default | Site: Paris | ingress throughput L3 - L4 - qualified | | 1340
6 | 2010/05/04 14:59:00 | default | Site: Paris | ingress throughput L3 - L4 - unqualified | | 0
7 | 2010/05/04 14:59:00 | default | Site: Paris | ingress throughput L4 - qualified | | 26660
... | ... | ... | ... | ... | ... | ...
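The column rules of section 9.19.4 can be enforced when export files are loaded into another tool. The following is an added example, not part of the Ipanema manual or software: it parses text or csv export rows, dropping the domain and params columns when "splitbydomain=true" or "splitbyparams=true", and rejects rows whose field count, date or value does not fit. The function names and the rows in CONSTRUCTED_SPLIT are assumptions made for the example; the date format "%Y/%m/%d %H:%M:%S" is inferred from the manual's sample rows.

```python
from datetime import datetime, timezone

# Column order stated in the manual for all output formats.
ALL_COLUMNS = ["datetime", "domain", "metaview", "indicator", "params", "value"]


def expected_columns(splitbydomain=False, splitbyparams=False):
    """Columns present in a file, given the two split options of the task."""
    columns = list(ALL_COLUMNS)
    if splitbydomain:
        columns.remove("domain")  # the domain is carried by the subdirectory
    if splitbyparams:
        columns.remove("params")  # the parameters are carried by the filename
    return columns


def parse_datetime(raw, fmt=None):
    """Raw Epoch seconds when no format is configured, else the given format."""
    if fmt is None:
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    return datetime.strptime(raw, fmt)  # naive: the manual gives no time zone here


def parse_export(text, sep="|", splitbydomain=False, splitbyparams=False,
                 datetime_format=None):
    """Return (records, rejected); rejected holds (line number, reason) pairs."""
    columns = expected_columns(splitbydomain, splitbyparams)
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(sep)
        if len(fields) != len(columns):
            # Wrong separator, wrong split options, or a separator inside a name.
            rejected.append((lineno, "expected %d fields, got %d"
                             % (len(columns), len(fields))))
            continue
        row = dict(zip(columns, fields))
        try:
            row["datetime"] = parse_datetime(row["datetime"], datetime_format)
            row["value"] = float(row["value"])
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if "params" in row:
            row["params"] = [p for p in row["params"].split(",") if p]
        records.append(row)
    return records, rejected


def latest_values(records):
    """Most recent value per (domain, metaview, indicator)."""
    latest = {}
    for row in records:
        key = (row.get("domain"), row["metaview"], row["indicator"])
        if key not in latest or row["datetime"] > latest[key][0]:
            latest[key] = (row["datetime"], row["value"])
    return {key: pair[1] for key, pair in latest.items()}


# Rows taken from the manual's text-file example.
PAGE_SAMPLE_TEXT = """\
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 15:00:00|default|Site: Paris|ingress throughput L4 - unqualified||0
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L3 - L4 - qualified||1340
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L3 - L4 - unqualified||0
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L4 - qualified||26660
2010/05/04 14:59:00|default|Site: Paris|ingress throughput L4 - unqualified||0
"""

# Constructed rows for a task with splitbydomain=true and raw Epoch time:
# one valid row, one row that still carries a domain column, one with a bad time.
CONSTRUCTED_SPLIT = """\
1272985200|Site: Paris|ingress throughput L4 - qualified|voice,video|26660
1272985200|default|Site: Paris|ingress throughput L4 - qualified||26660
not-a-time|Site: Paris|ingress throughput L4 - qualified||12
"""

if __name__ == "__main__":
    rows, bad = parse_export(PAGE_SAMPLE_TEXT, datetime_format="%Y/%m/%d %H:%M:%S")
    print(len(rows), "rows parsed,", len(bad), "rejected")
    for key, value in sorted(latest_values(rows).items()):
        print(key, value)
    print(parse_export(CONSTRUCTED_SPLIT, splitbydomain=True)[1])
```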
CHAPTER 10. SOFTWARE LICENSE AGREEMENT
Document organization
10. 1. IPANEMA SOFTWARE LICENSE AGREEMENT
Important - Please read carefully this license agreement (the “License”) before continuing. By installing and using the Software (as defined below), you accept all the terms and conditions of this License. To use the Ipanema software modules (the “Software”) part of the Ipanema’s Autonomic Networking System® (“Ipanema System”), the End User must be granted a License directly by Ipanema Technologies SA (“Ipanema”) or through a duly authorized partner (the “Partner”). This License is defined by the following terms:
10. 1. 1. Grant – Right of Use
1. Ipanema grants to the End User (the “Licensee”) a non-exclusive and non-transferable right of use of the Software under the following terms and provided the payment of the fees.
2. The right of use is restricted to the use of the Software for the exclusive purpose of installation and operation of the Ipanema System in accordance with the recommendations and instructions of Ipanema, issued in any form including the Ipanema technical documentation (the “Documentation”).
3. According to Software modules, the right of use is associated either with either a specific Ipanema System configuration or by a certain number of ISUs (“Ipanema Software Units”) as described in the commercial proposal or the contract. The right to use Software modules bound to ISUs within an Ipanema System can be transferred by the End User to other such modules in the same Ipanema System as long as the corresponding total number of ISUs is not exceeded. Any other modification of the configuration will modify the already granted right to use and must be described in a subsequent commercial proposal or contract.
4. The Licensee is not allowed hereunder to copy, modify, disassemble, decompile, decode, translate, analyze, and perform reverse engineering. The End User is not authorized to sell, lease, sublicense or distribute the Software in any form whatsoever. End User has no right to use the Software for performing comparisons or other "benchmarking" activities and to publish corresponding results without written authorization of Ipanema. Ipanema expressly reserves the right to intervene in the Software to enable it to be used for its intended purpose and in particular to correct the errors, and that under conditions of support service offered independently hereof. The Licensee may make one copy of the Software for back-up or archival purposes. This copy may be used only in case of failure of the copy of the Software provided to Licensee.
10. 1. 2. Intellectual Property
1. Ipanema owns and shall retain all rights in particular the intellectual property rights, title and interest in and to the Software and the Documentation, including any copies, customized versions, corrections, bug fixes, updates, enhancements, new versions, or other modifications to the Software. Except for the license rights granted herein, no intellectual property rights are transferred.
2. Some components of the Software may be covered under one or more of the open source licenses below. The Ipanema warranty for these modules apply as they are used embedded in the Ipanema System. For licenses that require it, machine readable copies of modifications made by Ipanema are available upon request. List of open source software used in the Software and related copyright or license is available on the License Information page at the following address: https://support.ipanematech.com/.
10. 1. 3. Term and Termination
1. The License is effective on the shipment date of the Software license key for the duration of the intellectual property rights protection granted by French law, subject to the payment of the Initial Software License Fee and of Software support fees.
2. Should the End User fail to comply with any of the terms and conditions of this License, Ipanema or its Reseller shall be entitled to terminate the License. Such termination shall be effective fifteen (15) days after formal demand requiring correction of the breach shall have been sent by registered post with return receipt requested without the breach having been so corrected. In the event of termination of this license, the End User shall:
■ Cease immediately all use of the Software;
■ De-install the Software within eight calendar days;
■ Pay to Ipanema or its Reseller all sums remaining due as at the date of termination.
10. 1. 4. Warranty
1. Ipanema warrants that the Software performs substantially according to its documentation for a period of thirty (30) days date of shipment of the Software license key. If the Software does not function as warranted during the Warranty Period, the End-User remedy shall be, at Ipanema’s option, to correct the Ipanema Software or to replace it free of charge with a corrected version. The warranty shall not apply to any non-conformity that is caused by: (a) the End User’s misuse or improper use of the Software, including, without limitation, the use or operation of the Software with an application or in an environment other than that specified by Ipanema, or introduction of data into any data structures or tables used by the Software by any means other than use of the Software; (b) any third party software or hardware; (c) any modifications or additions to the Software performed by parties other than Ipanema; or (d) the End User’s failure to implement all problem corrections and new releases.
2. EXCEPT FOR THE WARRANTIES SET FORTH IN SECTION 1. ABOVE, NEITHER IPANEMA NEITHER ANY PERSON ON IPANEMA’S BEHALF HAS MADE OR MAKES ANY OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, NON-INTERRUPTION OF USE OR FREE OF BUGS, ERRORS OR OTHER DEFECTS, TITLE, AND OF NON-INFRINGEMENT.
10. 1. 5. Liability
1. The Licensee is responsible for selecting the Software, for the use that is made and the results that will be obtained. It assumes all liabilities relating to the qualification and competence of its staff. The Licensee and End User must take all precautions to prevent the loss or destruction of its data, including, but not limited, backups and regular audits. Licensee shall comply with all export laws and regulations in particular but not limited to French and United States export restrictions.
2. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR PARTNERS (OR THEIR REPRESENTATIVES) BE LIABLE FOR CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL DAMAGES, LOST PROFITS, LOSS OF DATA OR CLIENTS ARISING OUT OF OR RELATING TO ANY BREACH OF THIS LICENSE OR THE USE OF IPANEMA SYSTEM, EVEN IF SUCH DAMAGES WERE FORESEEABLE. IN NO EVENT SHALL IPANEMA, ITS AFFILIATES OR PARTNERS (OR THEIR REPRESENTATIVES) AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO ANY BREACH OF THIS LICENSE, TORT (INCLUDING NEGLIGENCE OR OTHERWISE, EXCEED (i) 250.000€ OR (ii) THE AMOUNT PAID TO IPANEMA PURSUANT TO THIS LICENSE IN THE TWELVE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, WHICHEVER IS LESS.
10. 1. 6. Miscellaneous
1. This License may be amended only by written agreement of the parties.
2. If any provision hereof is held invalid, the remainder shall continue in full force and effect.
3. A failure or delay in exercising any right, power or privilege in respect of this License will not be presumed to operate as a waiver, and a single or partial exercise of any right, power or privilege will not be presumed to preclude any subsequent or further exercise, of that right, power or privilege or the exercise of any other right, power or privilege.
4. Parties expressly agree that this License is governed by French law and any proceedings arising out of or in connection with this license shall be submitted to the court of Paris, France.
10. 2. LICENCE D’UTILISATION DU LOGICIEL IPANEMA (FRENCH) Avertissement : Lisez attentivement ce contrat de Licence avant de poursuivre. En installant et utilisant le logiciel tel que défini ci-après, vous acceptez les conditions et dispositions de cette License. Pour avoir le droit d’utiliser tout ou partie des modules logiciels Ipanema (le « Logiciel ») composant l’« Autonomic Networking System »® d’Ipanema, (« Système Ipanema »), l’Utilisateur Final doit obtenir une licence d’utilisation (la “Licence”) soit directement auprès d’Ipanema Technologies (« Ipanema ») soit auprès d’un revendeur agréé par Ipanema (le « Revendeur »).
10. 2. 1. Scope of Rights Granted
1. By this License agreement, Ipanema grants the End User (the Licensee) a non-exclusive, non-transferable right to use the Software, under the conditions set out below, in return for payment of the price.
2. The right of use granted to the End User for the Software is restricted to using the Ipanema Software for the sole purpose of operating the Ipanema System in accordance with Ipanema's recommendations and instructions, issued in any form whatsoever, including the user manual (the "Documentation").
3. The commercial proposal or the contract specifies the association of the right to use certain Software modules with the specific configuration of the Ipanema System, and that of the other Software modules with a certain number of ISUs ("Ipanema Software Units"). The right to use Software modules associated with ISUs within a given Ipanema System may be modified by the End User in favor of other Software modules also associated with ISUs within the same Ipanema System, provided that the total number of ISUs in the Ipanema System is not exceeded. Any other configuration change must lead to a modification of the right of use already granted as described in the commercial proposal or the contract.
4. Apart from the rights granted above and without prejudice to them, the Licensee is not authorized hereunder to copy, modify, disassemble, decompile, decode, translate, analyze or reverse engineer the Software unless expressly authorized to do so by a mandatory legal provision. The End User is not authorized to sell, rent, sublicense or distribute the Software in any form whatsoever.
The End User does not have the right to use the Software for the purpose of carrying out comparisons or other "benchmarking" activities, nor to publish the results thereof, without the prior formal agreement of Ipanema. Ipanema expressly reserves the exclusive right to intervene on the Software to enable it to be used in accordance with its intended purpose, and in particular to correct errors, under the conditions of the maintenance service offered independently of this agreement. The Licensee is authorized to make a single copy of the Software for backup purposes. This copy may be used only in the event of failure of the copy of the Software delivered to the Licensee.
10. 2. 2. Intellectual Property
1. All industrial and intellectual property rights relating to the Software (including copies, adaptations, modifications, improvements and any future version) and the Documentation remain the entire and exclusive property of Ipanema.
2. The right to use certain components of the Ipanema System is granted under one or more of the following "Open Source" licenses. The Ipanema warranty applies to these modules in the context of their use within the Ipanema System. For licenses that so stipulate, Ipanema will provide on request the modifications that may have been made. The list of open source software used, together with the related licenses, is available at the following address: https://support.ipanematech.com/.
10. 2. 3. Term
1. The License takes effect upon provision of the Software license key, for the duration of the legal protection of copyright for software. It is subject to payment of the initial Software fee and of Software maintenance throughout its period of effect.
2. In the event of a breach by the End User of the obligations stated in the License, Ipanema or the Reseller may terminate the License. This termination will be effective fifteen (15) days after the sending, with acknowledgment of receipt, of a request to remedy the breach of obligations that has remained without effect. In the event of termination of the License, the End User must:
■ Immediately cease using the Software,
■ Uninstall the Software within eight calendar days,
■ Pay Ipanema or its Reseller any sum remaining due at the date of termination.
10. 2. 4. Warranty
1. Ipanema warrants that the Software performs in accordance with the Documentation for a period of thirty (30) days following provision of the Software license key. In the event that the Software does not perform according to the Documentation, the warranty consists solely, at Ipanema's option, of correcting the problems encountered or sending a corrected version of the Software. This warranty does not apply to problems caused by: a) misuse of the Software, including among other things use of the Software with an application or in an environment other than that specified by Ipanema, or the introduction of data into the tables used by the Software by any means other than the Software; b) any other software or hardware external to Ipanema; c) any modification or addition to the Software not made by Ipanema; d) failure by the End User to install a workaround or a corrected version.
2. THE WARRANTY STATED ABOVE IS THE ONLY WARRANTY TO WHICH THE LICENSEE AND THE END USER ARE ENTITLED. NO WARRANTY AGAINST EVICTION, NO WARRANTY RELATING TO THE FITNESS OF THE SOFTWARE FOR A SPECIFIC NEED, OF NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OF ABSENCE OF ANOMALIES OR ERRORS, OR OF UNINTERRUPTED OPERATION IS GRANTED.
10. 2. 5. Liability
1. The Licensee is responsible for the choice of the Software, the use made of it and the results obtained from it. It assumes all responsibility regarding the qualification and competence of its staff. The End User must take all precautions to avoid the loss or destruction of its data, including in particular regular backups and checks. In addition, it is the Licensee's responsibility to comply with the export laws and regulations in force, in particular in France and the United States.
2. THE PARTIES EXPRESSLY AGREE THAT LOSS OF PROFIT, LOSS OF CUSTOMERS OR OF EXPECTED SAVINGS, LOSS OF ORDERS, LOSS OR DETERIORATION OF DATA SUFFERED BY THE END USER FOLLOWING THE INSTALLATION OR USE OF AN IPANEMA SYSTEM CONSTITUTE INDIRECT DAMAGES FOR WHICH IPANEMA CANNOT BE HELD LIABLE. IN ANY EVENT, IPANEMA'S LIABILITY, FOR ANY REASON WHATSOEVER AND WHATEVER ITS LEGAL BASIS, SHALL BE EXPRESSLY LIMITED TO THE LOWER OF THE FOLLOWING TWO AMOUNTS: (i) 250.000 EUR OR (ii) THE TOTAL OF THE SUMS PAID FOR THE SOFTWARE LICENSE BY THE END USER TO IPANEMA OR TO THE RESELLER DURING THE 12 MONTHS PRECEDING THE DATE OF THE EVENT THAT CAUSED THE DAMAGE.
10. 2. 6. General Provisions
1. This agreement may be amended only by a written amendment signed by both parties.
2. If any of the stipulations of the contract is void under a rule of law or a law in force, it shall be deemed unwritten, but shall not render this agreement void.
3. The fact that one of the parties does not invoke, or delays in invoking, the application of a clause of this contract shall not be interpreted as a waiver of that clause or as a modification of this contract.
4. By express agreement between the parties, this License is governed by French law. All disputes relating to the performance or interpretation of this License shall be submitted to the competent court of Paris, France.
CHAPTER 11. TECHNICAL SUPPORT
Do not attempt to repair the equipment yourself. Do not remove ip|engine covers and casings. This would void any warranty.
Please refer to the support and maintenance contract for specific information about these services. Should you have any problem with your system, please contact your supplier for technical assistance. In any case, you can get support and information by logging on to Ipanema's Support web site: https://support.ipanematech.com/, where you can access the Public Knowledge Database, find Technical notes and FAQs, be informed of the latest developments and updates, download all the Ipanema software, create and track tickets, and find other relevant information relating to the Ipanema System. An account will be created on demand.
Other contact information:
E-mail: [email protected]
Phone: +(33)1 55 52 15 22
Fax: +(33)1 55 52 15 01
In the event of a technical problem, please supply as much information as possible, in particular:
■ your name, address, telephone number and the name of your company,
■ your Ipanema Technologies license number (see the "reference" field in the ip|boss "about" window),
■ the names, versions and serial numbers of the products you are using,
■ the version of the ip|boss server's Operating System,
■ a description of the installed configuration and the configuration files,
■ a detailed description of the problem you have encountered.