
Alteon Intelligent Traffic Management

Nortel Application Switch

2000 and 3000 Series
> A high performance intelligent LAN Switch
> Performs Layer 4-7 switching to balance, accelerate and secure traffic
> Delivers application Availability, Performance and Security
> Gives IT Managers control over network usage
> Intelligent, versatile feature set
> Choice of five platforms
Integrated SSL acceleration and IPSec/SSL VPN option

Application Availability, Performance and Security

Application Switching Capabilities

Server Load Balancing

Application LB, Application Health Checks, High Availability

Application Optimisation
Connection Pooling, Cache, App Intelligence, Streaming Media

Content Intelligence
Layer 7 Inspect: Cookie, URL, HTTP Header, User Agent (PDA, Browser)

Advanced Filtering
Layer 2-7 Attributes, VLAN Filtering, Accept, Deny, NAT, Redirect

Global Load Balancing

Disaster Recovery, WAN Links, Site Health Checks

Persistence Support
Source IP, Cookies, SSL Identifier

Network Services
NAT, VLAN Tagging, Trunking, Layer 2/3, Compression/Pooling

Embedded Security Svcs

DoS Attack Prevention, Application Abuse Protection, SSL Acceleration & VPN


Intelligent Traffic Management

Network Optimisation for Application Performance
> Inspects, classifies, controls and reports application traffic
> Ability to analyse each flow at Layer 2 to Layer 7 to identify the application
> Licensed feature
> Benefits
  - Improves network efficiency
  - Enables QoS for different traffic types
  - Reduces costs by conserving bandwidth
  - Controls unwanted application traffic, e.g. P2P
  - Protects against DoS and Application-layer attacks
  - Enables effective management, monitoring and detailed network planning

[Figure: Inspect, Enforce, Report]

Gives the Operator FULL control over their network traffic


ITM Features

Hardware and Software Requirements

How the Intelligent Traffic Management feature works

Processing Module: Alteon Application Switch

The Alteon Application Switch has a distributed processing architecture, based on network processors. There are multiple processors per switch and processing load is distributed between them. It can classify, limit, balance, etc. up to 2,000,000 simultaneous sessions.

1. The basic unit of traffic classification is the Filter. Up to 2,048 filters (layer 2 to layer 7) can be created on a single Alteon Application Switch. Layer 7 filters make reference to a series of strings or signatures used to identify traffic at an application level. Up to 512 different strings can be configured.
2. A Contract identifies and classifies a given application. For this purpose, a single filter is usually not enough, especially for complex Peer to Peer applications. Therefore a Contract consists of a series of filters (one or more) that uniquely identifies a particular application (or group of applications), or more precisely, a traffic class. Up to 256 different Contracts can be created.
3. A Policy (or action) is a Bandwidth Management profile, or any other action (drop, prioritize, etc). A Policy can be applied to one or more Contracts simultaneously. Up to 64 Policies can be active at the same time.

Processing Module: Alteon Application Switch

Rate Limit: Limits available bandwidth for a complete aggregate traffic class (as identified by the Contract). For each Contract, a maximum rate is defined in Kbps or Mbps, called Hard Limit. These actions can be applied independently for inbound and outbound traffic.

Reserve: To guarantee the service level of a particular application, a specified amount of bandwidth can be reserved for the exclusive use of a traffic class. This policy is set by configuring the Reserved Limit parameter.

Shaping: By using buffering techniques, it is also possible to shape (smooth) traffic of a given traffic class.

Prioritize: It is possible to mark a traffic class with a particular DSCP code, to apply a certain level of QoS to the class.

Block: A traffic class can also be dropped. This is achieved by using a Rate Limit policy with a Hard Limit of 0 (zero).

Ignore: A traffic class can simply be ignored, i.e. no action will be taken for that traffic class. This is achieved by using a Rate Limit policy with a Hard Limit equal to the speed of the port (e.g. 1Gbps).

Monitor: A traffic class can be monitored. In this case the switch will only gather statistics on the traffic class, allowing the operator to analyze traffic and generate reports.
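The Filter, Contract and Policy relationship and the Block and Ignore conventions described above can be modelled in a few lines. This is an added example, not Nortel or ASEM code; the dictionary-based filter format, the first-match ordering in `classify` and the 1 Gbps port speed are assumptions made for illustration.

```python
from dataclasses import dataclass

# Per-switch limits quoted in the text above.
MAX_FILTERS, MAX_STRINGS, MAX_CONTRACTS, MAX_POLICIES = 2048, 512, 256, 64
PORT_SPEED_KBPS = 1_000_000  # assumed 1 Gbps port

@dataclass(frozen=True)
class Policy:
    name: str
    hard_limit_kbps: int  # maximum rate for the whole traffic class

@dataclass
class Contract:
    name: str
    filters: list  # one or more filters; each is a dict of match criteria (assumed format)
    policy: Policy

def action(policy, port_kbps=PORT_SPEED_KBPS):
    """Name the behaviour a Rate Limit policy amounts to."""
    if policy.hard_limit_kbps == 0:
        return "block"       # Hard Limit of 0 drops the class
    if policy.hard_limit_kbps >= port_kbps:
        return "ignore"      # a limit at port speed never constrains the class
    return "rate-limit"

def matches(flt, flow):
    """Header fields must be equal; a Layer 7 'string' must occur in the payload."""
    for key, want in flt.items():
        if key == "string":
            if want not in flow.get("payload", b""):
                return False
        elif flow.get(key) != want:
            return False
    return True

def classify(contracts, flow):
    """Return the first contract with any filter matching the flow, else None."""
    return next((c for c in contracts
                 if any(matches(f, flow) for f in c.filters)), None)

def validate(contracts):
    """Check a configuration against the limits above; return a list of problems."""
    filters = [f for c in contracts for f in c.filters]
    counts = {"filters": (len(filters), MAX_FILTERS),
              "strings": (len({f["string"] for f in filters if "string" in f}), MAX_STRINGS),
              "contracts": (len(contracts), MAX_CONTRACTS),
              "policies": (len({c.policy for c in contracts}), MAX_POLICIES)}
    errors = [f"{k}: {n} exceeds {cap}" for k, (n, cap) in counts.items() if n > cap]
    errors += [f"contract {c.name} has no filters" for c in contracts if not c.filters]
    return errors

# Constructed sample configuration (not taken from a real switch).
BLOCK, LIMIT = Policy("block", 0), Policy("limit-512k", 512)
CONTRACTS = [Contract("p2p", [{"string": b"BitTorrent protocol"},
                              {"proto": "tcp", "dport": 6881}], BLOCK),
             Contract("web", [{"proto": "tcp", "dport": 80}], LIMIT)]
```

The P2P contract carries two filters because a port match alone misses clients on non-default ports, which is why the text says one filter is usually not enough.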

Management Module: ASEM

The ASEM is a software application for configuring Alteon Application Switches through a simple and intuitive GUI. It also provides monitoring of several operational variables (balanced sessions, throughput, CPU% use, memory, etc).

To further simplify configuration, ASEM includes a series of Wizards for common tasks. For Intelligent Traffic Management, ASEM includes a Bandwidth Management Wizard; other wizards cover tasks such as server load balancing and WAN link load balancing.

Before launching ASEM Client, the first thing that needs to be done in order to use the Nortel ASEM and ITM is to establish connectivity between the client PC and the application switch:
1. Configure and enable the Out-of-Band Management Port IP address.
2. Set SNMP access mode to read-write.
3. Install the license.
4. Verify that the license is installed.


Configuring ITM
Configuring ITM involves:
1. Launching ASEM Client
2. Selecting the Physical Ports
3. Configuring ITM to Prevent DoS Attacks
4. Configuring ITM to Deny Bogon-based IP ranges
5. Selecting Applications to Classify
6. Configuring Bandwidth Management Contracts
7. Defining Traffic Policies
8. Creating Contract Groups
9. Configuring Time Policies
10. Applying and Saving Your Configuration


Launching ASEM Client

1. Launch ASEM Client by clicking on the ASEM Client icon.
2. Select the switch to manage traffic.
3. Select Nortel ASEM > Wizards > Traffic Management Wizard menu option.
4. Continue with configuring ITM by proceeding to the next step.


Selecting the Physical Ports

If you are configuring Nortel ITM for the first time and if trunks are not configured on the switch, then the screen shown in "ITM Wizard" is displayed.


ITM Wizard Configuration Steps

1. From this screen, select the ports for the inbound and outbound traffic. Click the browse button to display the list of ports.
2. From this screen, you can configure ITM to prevent Denial of Service (DoS) attacks by selecting the check box and browsing through the list of DoS attacks.
3. You can also select the check box to prevent Bogus Network (Bogon) attacks.
4. Specify the Reporting Server IP Address and indicate by selecting from the drop-down menu whether the connection is through the Data Port or the Management Port.
5. A check box at the bottom of the screen indicates if a new bogon file is available. This checkbox is located to the left of the Bogon button and will be enabled if a new bogon file is available for use, or disabled if the bogon file is current. Select this checkbox to use the new bogon file if one is available.


Configuring ITM to Prevent DoS Attacks

To turn on the DoS attack prevention feature, enable Denial of Service Attack on the ports as shown in "ITM Wizard". This enables the switch to deny common predefined attacks, such as Smurf, Fraggle and so on. Here are some details on the embedded DoS attacks supported on the switch:


Configuring ITM to Deny Bogon-based IP ranges

The Bogon feature ("Bogon Settings") checks for newer bogon (bogus network) data and, if found, downloads it from the website and stores it in the database. It checks the removed data to see if it can be transferred to the new bogon data. It also checks whether any switches have been configured to receive bogon information and sends the information to those switches.

The Modify Bogon Data in Database button ("Modify Bogon") allows the user to view the bogon data and select rows that the user does not want downloaded to the switches. It also allows the user to save the data back to the database or to a local file.

The Load Bogon File to Database button allows the user to load a local bogon file, modify it and either send it to the database or store it back to a local file.
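The update step described above, where rows an operator removed are carried over to a newly downloaded list before it is sent to the switches, can be sketched as follows. This is an added example, not ASEM's implementation; the one-prefix-per-line file format, the function names and the sample prefixes are assumptions.

```python
import ipaddress

def parse_bogons(text):
    """Parse one CIDR prefix per line; '#' starts a comment (assumed file format)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))
    return nets

def apply_update(new_list, removed_rows):
    """Carry operator-removed rows over to a new list.

    Returns (rows to send to the switches, removed rows still present in the new list).
    A removed row that no longer appears in the new list is simply forgotten.
    """
    present = set(new_list)
    carried = {net for net in removed_rows if net in present}
    return [net for net in new_list if net not in carried], carried

def is_denied(src_ip, active_rows):
    """True if the source address falls inside any active bogon prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in active_rows)

# Constructed sample data: a newly downloaded list and the rows an operator
# removed from the previous one (10.0.0.0/8 is used internally in this scenario).
NEW_LIST = parse_bogons("""
0.0.0.0/8        # "this" network
10.0.0.0/8       # RFC 1918
127.0.0.0/8      # loopback
169.254.0.0/16   # link local
172.16.0.0/12    # RFC 1918
192.0.2.0/24     # TEST-NET-1
192.168.0.0/16   # RFC 1918
""")
REMOVED = {ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("5.0.0.0/8")}   # second row is absent from the new list

ACTIVE, CARRIED = apply_update(NEW_LIST, REMOVED)
```

Without the carry-over, every scheduled update would silently re-enable the 10.0.0.0/8 row and start denying the operator's own internal traffic.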


Selecting Applications to Classify

The available list shown in "Selecting Applications to Classify" is populated with all the applications specified in the Nortel supplied and user-defined (if it exists) XML files. Right-click on an application to display a description of the application. Applications that require an explanation are provided with a description. The description is retrieved from the XML files. Applications that were previously selected are populated in the selected list. Layer 2 through 4 filters are the most efficient while Layer 7 filters are the most taxing on the switch.


Configuring Bandwidth Management Contracts

"Pre-defined Bandwidth Management Contracts and Policies" shows the Bandwidth management contract relationship with the Applications (rules) in a hierarchical tree form. Applications can be dragged and dropped from one contract to another. Click on the Expand All button to see the applications sharing the contract. When the same application is displayed under different contracts, it shows that different parts of the applications are affected in different contracts. To reassign applications to a different contract simply select one or more applications (use the CTRL or SHIFT key to select multiple applications) and then drag those applications over top of the destination contract name or any applications within that contract.


Defining Traffic Policies

Define traffic policies for the BWM contracts. Click on the Action column in "Pre-defined Bandwidth Management Contracts and Policies" and select one of the policies. For more information on these policies, see "Traffic Policies". To customize your Rate Limit, Traffic Shaping, and User Limit policies, select the policy and modify the parameters. "Customizing Rate Limit Policy", "Customizing Traffic Shaping Policy", and "Customizing User Rate Limit Policy" show the basic and advanced dialog boxes to customize Rate Limit, Traffic Shaping, and User Limit policies.


Creating Contract Groups

This step is optional. Select the Contract Group icon to consolidate multiple contracts into a single group. Enter the Contract Group name and click OK. The newly created Contract Group is displayed along with the other contracts and applications with the icon denoting that it is a contract group in the Actions screen. You create a contract group to share the bandwidth among contracts. A contract group can hold up to 8 contracts. A contract group is always created in pairs, an IN_bound contract group and an OUT_bound contract group. The in-bound contracts are added to the IN_bound contract group and the out-bound contracts are added to the OUT_bound contract group. You can create up to 16 pairs of contract groups.


Configuring Time Policies

This step is optional. To configure a time policy for a contract you must first specify the time window to define when the policy should apply. Select a contract and click the Add Time Policies icon to add one or two time policies to the selected contract.


Applying and Saving Your Configuration

Once all GUI changes have been made, the Wizard issues SNMP commands to configure the switch to the new configuration. Then, the wizard remembers the changes it has made on the switch. It contains an XML representation of what is currently configured on that switch. Every time you go through the screens of the ITM wizard, the wizard removes all the current information and issues the SNMP commands to configure the switch to the "new" configuration. Then, the wizard saves the new configuration.


ITM Job Schedules

Schedule Nortel Rule Updates
This dialog is used to schedule updates to the ITM signatures. When enabled, this job will run daily at the specified time to check for newer ITM signatures. This dialog is accessible from the second window of the Traffic Management Wizard by clicking the Nortel Rule Schedule button.


ITM Job Schedules

Schedule Bogon Settings
This dialog is used to schedule the update of Bogon lists on the switch. When enabled, this job will run daily at the specified time to check for newer Bogon lists. This dialog is accessible from the first window of the Traffic Management Wizard by clicking the Bogon button.


ITM Job Schedules

Scheduling TFTP/FTP Jobs
1. Select Configure > Switch from the menu and select the TFTP/FTP tab.
2. In the Action drop down list, select the TFTP or FTP job to schedule. Only the following job types can be scheduled:
   - get-image
   - put-configuration
   - put-tsdump
3. Click the Schedule TFTP/FTP Jobs button at the bottom of the screen.

The Put Configuration dialog is used to schedule the backup of the switch configuration to a TFTP or FTP server.


ITM Reporting Module

The Traffic Reporting system allows you to generate reports based on:
- Applications: You can run a report on individual or multiple application usage for total traffic or discarded traffic.
- Multiple switches: You can run a report of the same elements across multiple switches. For example, you can generate a report to see how Application A's usage compares across these three switches during the defined time period.
- Users: You can run a report that includes individual or multiple user usage for one or more applications (total or discarded traffic). You can also find the top 10 users for a specific application.
- Aggregate of protocols: Application Ranking reports and graphs can be generated based on total traffic and discarded traffic for each of the following categories:
  - Top 5 applications, inbound
  - Top 5 applications, outbound
  - Top 5 users, inbound
  - Top 5 users, outbound


Starting the Reporting Tool

You can run the Reporting Server using the following link:

http://<server name (or) ip Address>/ReportServer/

The ITM Main menu or the Reporting Menu is displayed.


Sample 1: Selecting Individual Application

The data for Sample report 1 is all inbound and outbound traffic at all times for Applications KaZa over a 1 day period. Sample report 1 shows three different ways of displaying the same information. The information can be displayed in the following three views:
- Graph format
- Excel/HTML format
- Table format


Sample 2: Selecting Traffic Groups

This sample report shows a graph for the top 5 inbound traffic groups. In this sample, the top five inbound applications are Applications 1, 2, 3, 5 and 6. The summary data shows a statistical summary for the top 5 inbound traffic groups.


Sample 3: Aggregating Traffic

In this sample report, all outbound traffic is averaged to a single line of data (sum) as shown in "Traffic Aggregates". The traffic aggregates for inbound traffic over 6 days.


Sample 4: Selecting Multiple Applications

This sample compares three selections: inbound and outbound traffic for Application 3 and aggregated traffic for all inbound traffic.


Sample 5: Percent of Inbound Traffic

This is a sample of a relative graph that shows how much an application is being used compared to the total traffic.


Sample 6: Graphing Discarded Traffic

This sample lets you generate a report for outbound traffic for Application 3 and its discarded traffic.


Sample 7: Stacking Area and Bar Graphs

These samples demonstrate the benefits of generating reports that stack applications. Stacked graphs are graph generation options selected in the Chart Type drop down list as the STACKING AREA and STACKING BAR options.


Sample 8: Measuring Discarded Traffic

A relative report showing an application's discards as a percentage of the application traffic is very informative. "Measuring Discards" shows the percentage of outgoing Application 1 traffic and its discards.


Sample 9: Selecting Time

This sample shows the time selection for inbound traffic on Application 1. To provide more granularity for the graphs, ITM allows you to select the unit of time to the minute. "Selecting Time" shows a graph isolated to a single 24 hour period, as opposed to the other samples in this chapter which show a 6 day period. The graph size is always the same across the x-axis, but scales accordingly to the time parameters selected.


Sample 10: Generating User Reports

You can generate user reports to see:
- Top users for a specific application: If you want to know the top users using the Web browser, then run a top user report and select the specific application.
- Top users for a group of applications: If you want to know the top users for a few applications, then create a group with the selected applications and run a top user report on that group.
- Application usage for a specific user: If you want to know the application usage for specific users, then enter the IP addresses of users and run the User Report.


Sample 11: Typical Reports

Typical reports are used to illustrate typical data values for an application across a given time period. Reports can be generated for a typical hour, day, or week based on the time period selected in the Time Selection area.


Sample 12: Averaging Data

This sample uses two graphs to illustrate the advantages of using the Average Data option during graph generation. "Graph With No Averaging" illustrates a graph that plots data for the top 5 inbound applications over a six day period using the Average Data option.