
PRX Traffic Manager User Guide

PRX-1100 | PRX-1G | PRX-2G | PRX-5G | PRX-10G | PRX 2.8.4 [2010-10-18] $Revision: 9485 $ www.ipoque.com


Contents

Preface: About This Guide
    Audience
    What's in This Guide
    Conventions
    What's New in Version 2.8.4
    Related Resources
    About ipoque

Chapter 1: Key Concepts
    Network Integration and Management
    Traffic Analysis
        Logging
        Reporting and Subscriber-based Accounting
    Traffic Management
        Limit and Block Applications
        Allocate Bandwidth and Prioritize Applications
        Block VoIP Calls
        Rule Sets (Profiles)
    Subscriber Management
        Fixed IP Address Networks
        Dynamic IP Address Networks

Chapter 2: User Interface Reference
    Front Panel
    User Preferences
    Dashboard
    Settings
        Basic Settings
        Expert Settings
        Memory Configuration
        SNMP
        Ethernet Interfaces
        Link Settings
        Protocol Detection
        Protocol Logging
        Reporting and Logging
        Accounting
        Profiles

PRX Traffic Manager User Guide 2010 ipoque | PRX 2.8.4 [2010-10-18] $Revision: 9485 $


        SSL Web Services
        Custom-Defined Protocols
        Networks
        Classes
        Phone Books
        BitTorrent Tracker
    Subscriber Management
        Managing Subscribers
        Managing Class Associations
        Associating Subnets With Classes
        Resetting Subscriber Statistics
    Traffic Management
        Creating a Bandwidth Limit Rule
        Creating a Bandwidth Prioritization Rule
        Creating a Rule to Block VoIP Calls
    Configuration Management
    Statistics
        System Statistics
        DPI Application Statistics
        Subscriber Statistics by Transferred Volume
        Protocol Statistics by Transferred Volume
        IP Host Statistics
    Reboot / Power Off
    Help

Chapter 3: Configuration Examples
    LAN Bandwidth Settings
        Example 1
    Profiles
        Example 1
        Example 2
    Traffic Management
        Example 1: Oversubscription
        Example 2: Tiered Volume P2P Service
        Example 3: Prioritization
    Subscriber Management
        Example 1

Chapter 4: Troubleshooting
    Troubleshooting via the Serial Console
    Hardware Bypass
    Known Issues
    Customer Portal


Preface: About This Guide

The PRX Traffic Manager User Guide describes ipoque's comprehensive and cost-effective traffic management solution that enables operators to monitor and control network traffic per application and per subscriber.

Note: See the topics below for more information about this document.

Audience
This guide is for the networking or computer technician responsible for installing and configuring PRX Traffic Manager. To use this publication effectively, you should have the following skills depending on your responsibilities:
- To install and configure the hardware, you should be familiar with telecommunications equipment and installation procedures.
- You should also have good experience as a network or system administrator.

What's in This Guide

The contents of this guide are designed to assist you in installing and configuring PRX Traffic Manager. This guide includes the following chapters:

1. Key Concepts on page 9
   This chapter introduces PRX Traffic Manager and explains some of the basic concepts that will help you to understand how the product works.
2. User Interface Reference on page 17
   The sections in this chapter describe the components of the PRX Traffic Manager user interface.
3. Configuration Examples on page 87
   The sections in this chapter provide examples for various common configuration scenarios.
4. Troubleshooting on page 93
   The sections in this chapter offer solutions to common problems that may occur when using PRX Traffic Manager.

Conventions
This topic explains the typographic conventions and other notations used to represent information in this guide.

Elements of the Web-based graphical user interface (GUI) are indicated as follows:
- Buttons, checkboxes, list names and other controls appear in bold. For example: Click Save to create the new rule.
- A sequence of menu commands is indicated as follows: Statistics > User Statistics. In this case, select User Statistics from the Statistics menu.
- List options and literal text both appear in a fixed-width font. For example: The default file name is set to config.tar.gz.
- Terms that require extended definitions or explanations are indicated in italics. For example, while the term application is often used to refer to a software program, in this guide it usually means the Layer 7 protocol used by the program on the Application Layer of the OSI Reference Model. With Skype traffic, for example, the terms application and protocol are used interchangeably.

Notes

The following types of notes are used in this guide to indicate information which expands on or calls attention to a particular point.

Note: This is a note.

Tip: This is a little tip that will make your work easier.

Important: This note is important.

Caution: Care is required when proceeding.

What's New in Version 2.8.4

This section describes the changes and enhancements included in PRX Traffic Manager 2.8.4.

PRX Traffic Manager 2.8.4

The latest release of PRX Traffic Manager includes the following enhancements:
- Policy Control and Traffic Management for SSL/TLS-Encrypted Web Services
- Policy Control and Traffic Management at Physical Link Level
- New and Improved Operational System Statistics
- Improved System Configuration and Tuning Options
- Not-for-Resale License Support
- DPI Engine Update 1.21.1

Key DPI Engine Improvements:
1. improved Skype, support for Skype on iPhone to iPhone added
2. improved Gtalk classification, support for GTalk on Android and GTalk over TCP
3. improved Yahoo Chat when Yahoo Proxy is enabled
4. improved RTP: outgoing SIP calls are now detected
5. improved RTP/RTCP-to-RTSP/SIP correlation
6. further improved protocols and applications: QQ, Sopcast, IRC, Hamachi, WAP, rFactor, STUN, SIP, MSN File Transfer, BitTorrent, OpenVPN, Jabber Nimbuzz Voice, SSL, PPLive, EDonkey, Oscar

PRX Traffic Manager 2.8.3

The previous release of PRX Traffic Manager (2.8.3) included the following enhancements:
- Real-Time IP Host and TCP/UDP Connection Statistics
- DPI Subprotocol Support (MSN Voice, Skype Out)
- RADIUS Policy Management Interface
- Performance Improvement
- DPI Engine Update 1.14

Key DPI Engine Improvements:
1. Skype2Skype and Skype Out Traffic Classification
2. BlackBerry Traffic Classification
3. Fring Traffic Classification
4. Non-Classifiable Traffic Classification

Related Resources
This section describes additional documentation and other resources for information on PRX Traffic Manager.

Refer to these resources for more information on PRX Traffic Manager:
- The ipoque website at www.ipoque.com provides a wealth of information about our products and solutions and the latest ipoque news and events.
- The ipoque Customer Portal at portal.ipoque.com provides access to additional information including:
    - support resources such as changelogs and firmware updates,
    - additional documents such as datasheets and manuals,
    - ipoque Online Academy videos with step-by-step explanations on how to set up and configure PRX Traffic Manager via the web interface.
  For information on how to request an account, see Customer Portal on page 96.

Note: For additional documents such as technical specifications, please contact support@ipoque.com.


About ipoque
ipoque is the leading European provider of Internet traffic management solutions. Designed for Internet service providers, enterprises and educational institutions, ipoque's PRX Traffic Manager allows you to effectively monitor, shape and optimize network applications. These include the most critical and hard-to-detect protocols used for peer-to-peer file sharing (P2P), instant messaging (IM), Voice over IP (VoIP), tunneling and media streaming, but also many legacy applications.


Chapter 1: Key Concepts

Topics:
- Network Integration and Management
- Traffic Analysis
- Traffic Management
- Subscriber Management

This chapter introduces PRX Traffic Manager and explains some of the basic concepts that will help you to understand how the product works.

In today's IP networks, a wide variety of applications is used. Your customers are browsing the web and sending emails, watching a movie or calling a friend, and they are doing all that simultaneously. These applications have different requirements in bandwidth, request-response times and latency. While it is acceptable if it takes a while to send an email, latency above a certain threshold is unacceptable during a voice call.

You may want to control your network traffic based on time of day or weekday at different levels of granularity based on a DiffServ codepoint (ToS field in the IP packet), a VLAN tag, MPLS tag, a particular subnet, a subscriber and a particular application.

ipoque's PRX Traffic Manager uses the concept of traffic classes. A class describes a particular partition of your network link's traffic. With each class you can associate a number of rules that allow you to control the traffic of that class. Traffic can be prioritized, limited or blocked, and you can set up groups of rules based on time of day, weekday, etc. in so-called profiles. Classes, rules and profiles form a powerful set of tools for implementing both simple and more complex traffic policies. You can:
- offer tiered pricing models to your customers,
- restrict bandwidth-consuming or non-business-critical applications during business hours,
- give business-critical applications high priority.

Under perfect conditions with unlimited free bandwidth available, there would be no need for active traffic management. However, link utilization is driven by economics. Smaller and medium-sized operators have to pay their upstream service provider. In such a situation, fine-grained bandwidth management helps get the most out of the existing resources. PRX Traffic Manager allows you to control the bandwidth and data volume consumption for each individual application and network subscriber.

Even if your link is not currently congested, there are other good reasons for active traffic management. One lies in the nature of the Internet's transport protocol TCP. In case of congestion, TCP flow control mechanisms will normally enforce an equal bandwidth share for the competing applications. This, however, no longer works for most P2P file sharing applications, as they often open hundreds of simultaneous connections for maximum download rates from many different peers. Thus they are using more than their fair share of the available bandwidth and have an adverse impact on the performance of all applications using TCP in the common manner.

UDP does not have its own flow control and has to rely on the application using it. With ever more real-time audio and video transmitting applications, control of UDP applications might be necessary as well. Important applications such as Internet telephony, whose end user experience suffers if too many packets are dropped, can be provided with a bandwidth guarantee and higher priority to ensure that less important packets get dropped first.

Network Integration and Management


PRX Traffic Manager operates as a transparent bridge on OSI Layer 2. Each packet received by a bridge port is analyzed and handled according to the implemented policy. If no bandwidth limit is to be applied, the packet is forwarded to the second bridge port. Otherwise, the packet is dropped. This way PRX Traffic Manager can be easily integrated in any existing network infrastructure. Simply connect the internal bridge port (INT or IN) to your internal network and the external bridge port (EXT or OUT) to your Internet router, for example.

All rack versions are equipped with an integrated hardware bypass for the copper bridge ports, ensuring uninterrupted network connectivity in case of a hardware or firmware failure.

Note: Bypass solutions for fiber links are available on request. Contact support@ipoque.com for more information.

Traffic Analysis
PRX Traffic Manager offers a range of options that can be used to analyze network traffic. PRX Traffic Manager can be used with a network tap to passively analyze traffic. When the inbound direction from the tap is connected to the EXT port and the outbound direction of the tap to the INT port, PRX will properly detect and analyze the protocols and applications.

Logging
PRX Traffic Manager provides connection-based logging information via syslog messages. Whenever a user opens a connection using a supported application, a message will be generated and sent to a syslog server (requires Advanced Reporting module). The message contains:
- source and destination IP addresses,
- source and destination ports,
- connection start and end times,
- transferred bytes and packets,
- protocol/application and other information (depending on the application or protocol).

Based on DPI and behavioral traffic analysis, the log messages will provide useful information about which applications are being used and which services are running inside the network. For instance, web servers running on a port other than 80 are easily detected.


Reporting and Subscriber-based Accounting


For each subscriber in the database, PRX Traffic Manager maintains counters that track the usage of supported protocols and applications. The counters can be exported and then processed by an external accounting and billing system. That way subscribers can be charged for upload or download volume on an individual application basis. In addition, the counters are used for a volume-based traffic management that permits the application of bandwidth limitation rules based on the data volume a class or subscriber has consumed during the last month, for example.

Traffic Management
Traffic classes and rules form the core of ipoque's traffic management model. A class is the means to describe a particular share of a network link's traffic, either directly by adding a DSCP or VLAN class or indirectly by adding a subscriber class and associating a number of subscribers with that class.

A DSCP class can be used to manage all traffic labeled with a certain DiffServ codepoint. A VLAN or MPLS class does the same for VLAN- or MPLS-tagged traffic. Subscriber classes are used to manage the traffic of a particular subscriber group. In a very simple scenario this will be a fixed IP address network. In more complex scenarios, a class may consist of a list of subscriber names from an external RADIUS server. Please refer to Subscriber Management on page 54 for more details about this.

There is one special class named link that covers the complete link traffic. Rules associated with that class are applied to the traffic irrespective of its source or destination IP address. The configuration of subnet exceptions prevents traffic from or to these subnets from getting analyzed, and link rules are never applied to this traffic.

By configuring rules, the class traffic can be handled in different ways. An application can be prioritized over another application by allocating a certain share of bandwidth, it can be limited to a certain maximum bandwidth, or it can even be fully blocked. Traffic of subscriber classes can be handled on a per-class or per-subscriber basis. For example, traffic of a particular application can be limited for the whole class or for each subscriber separately. The latter is the better approach if you want to treat subscribers equally.

The complete list of supported protocols and applications is available at www.ipoque.com/products/protocol-support.

The following topics describe the actions that can be performed with rules.

Limit and Block Applications

PRX Traffic Manager can be used to limit the bandwidth consumed by certain applications, or block them entirely.

In case of congestion, TCP's flow control mechanisms try to ensure that each user or application gets a fair share of the link bandwidth by reducing the TCP congestion window and thus throttling the speed of the sending application. However, this mechanism is hampered by most P2P applications, as they often open hundreds of concurrent connections (much more than a normal application such as web browsing), thus demanding more than their fair share of the available bandwidth. For UDP, there is no such built-in flow control at all.

The bandwidth used by an application or group of applications can be limited by adding a policy rule and assigning it to a traffic class. To block an application, set the upload and download parameters to 0 kbit/s. A rule can be applied based on time of day by using the scheduler to activate a profile (i.e. a set of rules).

In any case, the most restrictive rule is applied to the traffic. If there are two rules for a class, one that limits traffic to a certain amount and another that blocks traffic, the latter is the one that will be applied. The same is true if a subscriber belongs to two classes and there are different rules for those classes. The most restrictive rule will be applied. Packets will be dropped when the defined upload or download limit is reached.

Bandwidth limitation rules can be combined with a data transfer volume. This way the rule is applied only when the class or user has consumed more than the given traffic during the last day, week or month.

Important: Configuring a rule with only one direction (either upload or download) set to 0 kbit/s still operates like a block rule, as control information such as TCP acknowledgments cannot be transmitted.

Note: The number of available protocols depends on the licensed Protocol Modules. A summary of all enabled modules and the system state is available in the Dashboard on page 19.
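
The precedence described above, as an added example (not product code) that resolves which limit applies to a subscriber when reviewing a policy. It assumes that "most restrictive" is evaluated per direction; the rule fields, class names and sample policy are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LimitRule:
    traffic_class: str                      # class the rule is assigned to
    application: str                        # protocol/application the rule matches
    up_kbit: Optional[int] = None           # None: this direction is not limited
    down_kbit: Optional[int] = None
    after_volume_mb: Optional[int] = None   # rule applies only above this consumed volume


def _most_restrictive(values):
    """Smallest configured limit, or None when no rule limits this direction."""
    limits = [v for v in values if v is not None]
    return min(limits) if limits else None


def effective_limit(rules, classes, application, consumed_mb=0):
    """Resolve the limit for one application of a subscriber in `classes`."""
    active = [
        r for r in rules
        if r.traffic_class in classes
        and r.application == application
        # Volume-based rules only apply once the threshold has been exceeded.
        and (r.after_volume_mb is None or consumed_mb > r.after_volume_mb)
    ]
    up = _most_restrictive(r.up_kbit for r in active)
    down = _most_restrictive(r.down_kbit for r in active)
    # 0 kbit/s in either direction acts as a block: acknowledgments cannot pass.
    return {"up_kbit": up, "down_kbit": down, "blocked": up == 0 or down == 0}


# Constructed sample policy.
RULES = [
    LimitRule("residential", "bittorrent", up_kbit=256, down_kbit=1024),
    LimitRule("residential", "bittorrent", up_kbit=64, down_kbit=128,
              after_volume_mb=50_000),
    LimitRule("guest", "bittorrent", up_kbit=0, down_kbit=0),
    LimitRule("residential", "ftp", up_kbit=0),     # only one direction set to 0
]

if __name__ == "__main__":
    print(effective_limit(RULES, {"residential"}, "bittorrent"))
    print(effective_limit(RULES, {"residential"}, "bittorrent", consumed_mb=60_000))
    print(effective_limit(RULES, {"residential", "guest"}, "bittorrent"))
    print(effective_limit(RULES, {"residential"}, "ftp"))
```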

Allocate Bandwidth and Prioritize Applications

On a congested link, all packets are equally likely to get dropped, which is no problem for an application downloading a file as the packet will be retransmitted. It is unacceptable, however, for applications like VoIP, where packet loss and retransmission degrade the quality of the voice call.

Bandwidth allocation is used to control the amount of bandwidth an application can occupy when the link is congested. A bandwidth share is combined with a priority value that indicates which packets to drop first in case of congestion. Each packet is labeled with a default priority. For important business-critical applications, bandwidth has to be allocated at the high or very high priority level. For applications that are less important, bandwidth should be allocated at the low or very low priority level.

For every incoming packet, PRX checks for available bandwidth in decreasing order of priority using a token bucket mechanism. If there is no bandwidth share configured for a packet, it remains at default priority. If there is more than one bandwidth share value defined for an application, the packet is labeled with the highest priority possible. Now, in case of congestion, packets are dropped beginning with the lowest priority, making all bandwidth available for applications with higher priority. If the link is not congested, bandwidth can be used by all applications irrespective of any configured share.

By allocating a bandwidth share with high or very high priority, for example, delay- and loss-sensitive VoIP applications such as SIP or Skype can be given a high priority on a congested link. In the same way, P2P applications can be assigned a low priority on a link by allocating a bandwidth share at low or very low priority. For examples, see Traffic Management on page 89.

Important: Do not set up a high priority rule that allocates the complete link bandwidth for a particular application. If this application grabs all the bandwidth, it will virtually disable the link because packets of other important protocols like DNS will get dropped first.

Note: If a subscriber belongs to two classes and there are different priority rules for those classes, the highest priority will be applied. If both a bandwidth limitation rule and a prioritization rule are defined for a subscriber, the limitation rule takes precedence. A summary of all enabled modules and the system state is available in the Dashboard on page 19.
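
A simplified model of the labeling and drop order described above, added here as an illustration and not ipoque's implementation; it shows why the Important note warns against giving one application the whole link at high priority. Assumptions: buckets hold one second of tokens and start full, packets that exceed their share fall back to default priority, and the traffic figures are constructed.

```python
from collections import Counter, namedtuple

# Priority levels named in the guide, lowest to highest.
PRIORITY = {"very low": 0, "low": 1, "default": 2, "high": 3, "very high": 4}
Packet = namedtuple("Packet", "app bits")


class TokenBucket:
    """Bandwidth share: refills at rate_kbit, holds at most one second of tokens."""

    def __init__(self, rate_kbit):
        self.rate = rate_kbit * 1000      # bits per second
        self.tokens = self.rate           # start full (assumption)

    def refill(self, seconds):
        self.tokens = min(self.rate, self.tokens + self.rate * seconds)

    def take(self, bits):
        if self.tokens >= bits:
            self.tokens -= bits
            return True
        return False


class Link:
    def __init__(self, link_kbit, shares):
        # shares: {application: [(priority name, share in kbit/s), ...]}
        self.link_bits = link_kbit * 1000
        self.shares = {
            app: sorted(((PRIORITY[name], TokenBucket(rate)) for name, rate in entries),
                        key=lambda share: -share[0])
            for app, entries in shares.items()
        }

    def label(self, packet):
        """Check the application's shares from the highest priority down."""
        for priority, bucket in self.shares.get(packet.app, []):
            if bucket.take(packet.bits):
                return priority
        # No share configured, or the share is used up (assumption).
        return PRIORITY["default"]

    def forward_one_second(self, packets):
        """Label packets, then drop the lowest priority first once the link is full."""
        for entries in self.shares.values():
            for _, bucket in entries:
                bucket.refill(1)
        labeled = [(self.label(p), seq, p) for seq, p in enumerate(packets)]
        budget = self.link_bits
        dropped = Counter()
        # Highest priority is served first; arrival order breaks ties.
        for _, _, packet in sorted(labeled, key=lambda item: (-item[0], item[1])):
            if packet.bits <= budget:
                budget -= packet.bits
            else:
                dropped[packet.app] += 1
        return dict(dropped)


def offered_traffic():
    """Constructed load for one second: 1000 kbit/s of VoIP plus 40 kbit/s of DNS."""
    packets = []
    for _ in range(25):
        packets += [Packet("voip", 1600)] * 25 + [Packet("dns", 800)] * 2
    return packets


def dropped_with_voip_share(share_kbit, link_kbit=1000):
    """Dropped packets per application for a given high-priority VoIP share."""
    link = Link(link_kbit, {"voip": [("high", share_kbit)]})
    return link.forward_one_second(offered_traffic())


if __name__ == "__main__":
    print("VoIP share  300 kbit/s:", dropped_with_voip_share(300))
    print("VoIP share 1000 kbit/s:", dropped_with_voip_share(1000))
```

With a 300 kbit/s share the overload is absorbed at default priority in arrival order; with the full 1000 kbit/s allocated at high priority, every DNS packet in the interval is dropped.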


Block VoIP Calls


In addition to controlling VoIP applications on a protocol basis by limiting, blocking, or prioritizing the corresponding traffic, you can also block voice calls based on the call direction (incoming or outgoing) and specific telephone numbers for the caller and/or called party.

With the protocol-based approach, you create a limitation or blocking rule (as described under Creating a Bandwidth Limit Rule on page 60), which can be used to completely block any supported VoIP protocol. This approach does not distinguish the direction of the call, nor does it allow you to define specific phone numbers or prefixes you want to block. All traffic using the specified protocol is affected by rules of this type (Limit Bandwidth). However, the PRX supports two other methods which may be used.

More specific (direction-based) blocking can be done using a call control rule. To use this approach, set up a rule of type Block VoIP Calls. This type of rule can be applied to the link class and to any class of type Manage Traffic of Subscribers, as described under Creating a Rule to Block VoIP Calls on page 62. VoIP calls based on H.323, SIP or IAX can be controlled in this manner.

The most specific approach is to control calls based on the caller or called party number. A phone number list (or phone book) must be defined for either incoming or outgoing calls and associated with the class or link as described under Phone Books on page 52. Once associated, the block rule is applied immediately without requiring any extra rules in the traffic management section. Subscribers must be associated with the class in order to apply the block rule to the subscriber traffic. Phone books can be attached to the predefined link class and to any class of type Manage Phone Calls.

Rule Sets (Profiles)


Profiles are sets of rules that can be automatically activated at specific times by a scheduler or manually enabled. The profile dialog allows you to activate profiles by hand, create new profiles, edit (rename) and delete existing profiles, and configure the profile scheduler. Profiles can either be manually enabled, or scheduled for automatic activation in regular intervals as described under Profiles on page 42. When you create a Traffic Management rule, you can assign the rule to a profile to determine when the rule will be applied.

Note: If you do not create new profiles, all traffic rules are assigned to the Default profile.

Subscriber Management
PRX Traffic Manager supports subscriber-based traffic management for both fixed and dynamic IP address networks. PRX maintains an integrated subscriber database. A subscriber is identified by a fixed IP address, an Ethernet MAC address or an arbitrary subscriber name from an external RADIUS server. The subscriber database needs to be populated first by configuring the IP networks the PRX should monitor. To apply traffic management rules to a subscriber's traffic, the subscriber must be associated with one or more classes. If a default class is specified under Classes on page 49, this policy will apply to all subscribers for which no other classes are explicitly defined.


Fixed IP Address Networks


Managing users with fixed IP addresses is the simplest scenario. Adding a fixed IP address network to the subscriber database makes the IP addresses available in the subscriber management automatically.

Dynamic IP Address Networks


PRX Traffic Manager supports three methods to uniquely identify a subscriber in networks with dynamically assigned IP addresses.

1. The simplest scenario is MAC mapping, where the PRX uses the MAC address of the Ethernet frame as the subscriber name and automatically creates an entry in the subscriber database with the corresponding IP address, using the latter for accounting and subscriber-based traffic management. There are several restrictions to this method. It only works on layer 2: the PRX and the subscribers need to be connected to the same layer-2 switch. As soon as there is any router between the subscribers and the PRX, the PRX will always see the MAC address of the router. MAC mapping is also vulnerable to MAC spoofing. Subscribers can easily bypass any restrictions by using the MAC address of another subscriber that has fewer restrictions, such as a higher data volume allowance or more bandwidth.
2. A more advanced scenario is passive DHCP authentication, where the PRX intercepts DHCP requests and acknowledgments to maintain the entry in the subscriber database, again using the MAC address as the subscriber name. Note that the PRX must be installed between the DHCP servers and the subscribers to capture the DHCP messages. Using DHCP proxying, this method can be used even if there are routers between the subscribers and the PRX.
3. The most flexible way to manage subscribers is the RADIUS authentication method. The built-in RADIUS service listens for RADIUS accounting messages providing at least the following information: the username, usually via the RADIUS attribute User-Name, and the IP address assigned to the subscriber, usually via the RADIUS attribute Framed-IP-Address. In addition, vendor-specific attributes named ipoque-class can be configured on the RADIUS side to tell the PRX which classes the subscriber should be assigned to. With this method, there are almost no restrictions on where the PRX can be installed. The RADIUS server only needs to be able to forward the necessary information to the PRX management interface.
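The subscriber mapping carried by a RADIUS accounting message, as an added example (not ipoque code): it parses an Accounting-Request, extracts User-Name and Framed-IP-Address, and goes beyond the text above by first checking the Request Authenticator defined in RFC 2866, since a forged accounting message would bind a user name to the wrong IP address. The shared secret, user name and address are constructed sample values, and this guide does not state how the PRX itself validates accounting messages.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
HEADER_LEN = 20                             # code, id, length, 16-byte authenticator


def request_authenticator(code, ident, attrs, secret):
    """MD5(code + id + length + 16 zero octets + attributes + secret), RFC 2866."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(ident, attributes, secret):
    """Encode (type, value) pairs as TLVs and sign the packet (sample-data helper)."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + auth + attrs


def parse_accounting_request(packet, secret):
    """Return the user/IP mapping from an authentic Accounting-Request."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad length field")
    attrs = packet[HEADER_LEN:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")

    mapping = {"user": None, "ip": None, "status": None}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            mapping["user"] = value.decode("utf-8", errors="replace")
        elif attr_type == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            mapping["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            if len(value) != 4:
                raise ValueError("Acct-Status-Type must be 4 octets")
            mapping["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "other")
        pos += attr_len
    if mapping["user"] is None or mapping["ip"] is None:
        raise ValueError("User-Name and Framed-IP-Address are both required")
    return mapping


# Constructed sample values (not taken from a real deployment).
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"subscriber42"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
], SECRET)

if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE, SECRET))
```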

PRX Traffic Manager User Guide 2010 ipoque | PRX 2.8.4 [2010-10-18] $Revision: 9485 $

Chapter 2: User Interface Reference

Topics:
- Front Panel
- User Preferences
- Dashboard
- Settings
- Subscriber Management
- Traffic Management
- Configuration Management
- Statistics
- Reboot / Power Off
- Help

The sections in this chapter describe the components of the PRX Traffic Manager user interface. On high-end (G-series) PRX models, the LC display provides access to basic settings. The first section describes the information and settings that are accessible from the Front Panel on page 18. The remaining topics correspond to the top-level menu items in the web interface. For information on the available options, see the corresponding section.


Front Panel
This topic describes the options available on the front panel of the high-end (G-series) PRX models. The front panel of the rack-mount PRX models includes an LC display that provides access to various information and settings:

Status
- IP: Shows the current IP address of the PRX Traffic Manager as configured under Network Settings on page 23 (set to 192.168.0.1 by default).
- Bypass: Shows whether the hardware bypass is currently ON or OFF.
- Gateway: Shows the current gateway IP address (undefined by default).
- Netmask: Shows the current netmask (set to 255.255.255.0 by default).

Configuration
- Reset IP: Revert the IP address, gateway and netmask settings to the factory default values.
- Reset Password: Revert the password for the admin user to the factory default value ipoque.
- Reset Configuration: Revert the PRX configuration and IP settings to the factory default values, but preserve the password and any statistics data.

Figure 1: Sample Front Panel (PRX-1G)

You can navigate between the options using the up and down arrow keys on the front panel. Press the return key to select a menu option, or press ESC to return to the previous menu level.

Important: The factory default password for the admin user should be changed immediately.

User Preferences
The icons in the upper right corner of the screen allow you to set your preferences for the web interface.

Figure 2: Language preferences, change password and logout

You can toggle the language setting by clicking on the flags. To log out of the web interface, click the door icon.

Note: Users are automatically logged out after 30 minutes unless they are currently viewing the dashboard or statistics.

To change your password, click the person icon and enter a new password in the resulting dialog.

Figure 3: Changing the password

The PRX Traffic Manager ships with two standard logins, admin and operator, each with the factory default password ipoque. The admin user has full access to the system, whereas the operator user only has access to the dashboard and the statistics menu. When logged in as operator, you can't change any settings, only view existing information.

Important: The password for the admin user should be changed immediately.

Dashboard
The dashboard provides an overview of the activity on your network. The dashboard includes a series of charts that show the subscribers and protocols that are using the most bandwidth, along with packet rate and throughput statistics, temperature information and system load.


Figure 4: Sample Dashboard

The Top Subscribers panel provides an overview of the subscribers that are using the most bandwidth. Click the bar next to an IP address in the chart to show a popup window with a breakdown of the subscriber's bandwidth utilization by protocol.

Figure 5: Subscriber Protocol Info popup

The Top Protocols panel provides an overview of the protocols with the highest traffic volume (not necessarily the protocols that are used most often). Click a protocol in the diagram to show protocol statistics for the last day. The information shown here is the same as that displayed under Statistics > Protocol Statistics > Last Day.


The L2 Packet Throughput panel shows the transfer rates during the last 15 minutes aggregated for all links. Separate lines in the chart indicate the upstream and downstream transfer rates. Click the diagram to view the corresponding graph under Statistics.

The L2 Throughput panel shows the volume of data transferred in the last 15 minutes aggregated for all links. Separate lines in the chart indicate the upstream and downstream throughput. Click the diagram to view the corresponding graph under Statistics.

Each connection is represented in the connection tracking table by a combination of source IP:port and destination IP:port. The TCP/UDP Connection Tracking Utilization diagram shows the current percentage of system memory used by the connection tracking table.

Tip: As this value approaches 100%, little memory will be left for new connections, resulting in more unclassified traffic, since connections cannot be classified without an entry in the table. You can increase the memory available to the connection tracking table by reducing the amount of memory reserved for the internal subscriber database as described under Memory Configuration on page 29.

The TCP/UDP New Connection Rate panel shows the average connection rate for the last 15 minutes.

The Temperature Sensors panel shows the internal temperature readings for each hardware sensor during the last 15 minutes.

The system load chart displays the load for each of the Link Processing Units (LPUs) and Packet Processing Units (PPUs). The PPUs are responsible for detection. When new connections are established, all corresponding packets pass the Deep Packet Inspection routines until the traffic can be classified. Traffic is marked as unclassified if the protocol detection routines finish without a result. The LPUs are responsible for sending and receiving packets to and from the interfaces and handing them over to the PPUs. LPUs forward or discard packets according to the configured traffic management rules.

The Status table shows PRX status information such as the current system time, uptime, license and bandwidth information, active profile and link status information.

Figure 6: Status Table on the Dashboard

In the status table, link status is indicated by icons. Active links are indicated with a green icon, and a red icon appears next to any deactivated links. For details on the current status of a link, click the corresponding icon in the Status table. The Link Status panel shows information on the speed and settings of each link.


Figure 7: Link Status Information

For additional information on the current license status and available modules, click the icon in the License row of the Status table. The License Information panel shows the maximum bandwidth that your PRX is licensed for, along with the type of license (full or evaluation), license validity in days and a list of the optional modules included in the current license (a red icon appears next to any unavailable options).

Figure 8: License Information

Note: The Bandwidth value reflects the maximum allowed Layer-2 throughput per direction. For example, if you have a 20 Mbps license, you have 20 Mbps maximum allowed bandwidth per direction and 20 + 20 = 40 Mbps of total bandwidth.

For information on the available licensing options, see License Upgrade on page 25.


Settings
This section describes the configuration options available from the Settings menu. When PRX settings are changed in the user interface, a banner appears to call your attention to the unsaved changes.

Figure 9: Unsaved configuration changes

When you click Apply, your changes are activated in the running configuration and used to manage traffic. You can click Discard at any time to revert to the previously stored configuration (see Configuration Management on page 63 for more information).

Basic Settings
Use these settings to configure the PRX for your local environment.

Network Settings
The Network Settings allow you to assign an IP address and netmask to the PRX management interface (MGT port) and set the default gateway and DNS server address.

Figure 10: Network Settings

The Gateway entry is optional. Omitting it restricts access to the web interface to the local subnet, thus significantly increasing security. To enable access from remote networks, a correct gateway needs to be specified.

The DNS entry is required to resolve DNS host names to IP addresses. You must enter an IP address for the DNS server if you want to use host names for the NTP Server under Time Settings on page 24 or the Syslog Server under Log Settings.

To change your network settings, fill in all required fields and click Save.


Time Settings
Use the Time Settings to set the system date and time, specify a time server and select a time zone. The system clock can be synchronized automatically with a Network Time Protocol (NTP) server or manually by pressing Synchronize Now. If the time server is specified using a DNS name (instead of a plain IP address), a DNS server and a gateway to the outer networks must be specified under Network Settings on page 23.

Important: System date, time and time zone should be set properly to ensure that statistics data reflect the actual time of each event. If the system time is earlier than the last entry in the statistics database, a warning appears indicating that the statistics databases are out of sync. In this case, no data can be written to the statistics database until you reset the database or adjust the system time.

Figure 11: Time Settings

Note: After updating from an older firmware version, you will be prompted to set the time zone. Follow the link in the message, select your time zone from the list and click Save.

Figure 12: New time zone warning

Firmware Update
The Firmware Update settings allow you to upload new software to PRX Traffic Manager. To download the current firmware, you need to log in to the ipoque customer portal at portal.ipoque.com. A user name and password are provided as part of the support agreement. If you have any questions, please contact support@ipoque.com.

During the firmware update process, all PRX settings are retained. The firmware update will not change the licensing-related properties of the device (such as bandwidth, modules, etc.). These capabilities can be updated through the license upgrade process.

1. Download the current firmware from portal.ipoque.com and save it to the local hard disk.
2. Click Browse to select the downloaded file (typically named firmware_2_8_x.iso), and click Upload.

Figure 13: Firmware Update

The file will be uploaded to your PRX Traffic Manager.

Note: After a firmware installation, a system reboot is required to enable the new version. The last running firmware can be recovered during a reboot with a terminal attached to the console port. See Troubleshooting via the Serial Console for details.

Note: Starting with version 2.8.0.0, PRX firmware updates are shipped as an ISO image. The image can be installed in the usual way. For downgrades, an ISO image of the previous firmware is available from the ipoque customer portal. To downgrade from version 2.8.0.0 to 2.7.0.5 for example, you must install the 2.7.0.5 ISO image first.

License Upgrade
A License Upgrade allows you to activate new license options such as reporting or traffic management, or upgrade the maximum bandwidth for existing options. The PRX Traffic Manager licensing scheme consists of a Base License that covers Deep Packet Inspection and Classification and provides DPIC application statistics at the system level. The base license includes unlimited bandwidth.

Two optional licensing modules provide additional options:

- The Reporting option covers TCP/UDP connection-level reporting to the ipoque Net Reporting System and is limited to a certain bandwidth.
- The Traffic Management option provides DPI Service Control and Traffic Management capabilities on three levels:
  - system level (link, DSCP/VLAN/MPLS traffic)
  - IP/Subscriber Group level
  - IP/subscriber level

These additional options can be activated with a valid upgrade key that you receive from ipoque support. The upgrade process requires the current device key listed here. After the upgrade key is verified, a reboot is required to activate the new options or modules.


Note: The device key is an alphanumeric string that is generated by each PRX to uniquely identify its current state. This key is a prerequisite for the license upgrade process and changes each time a new upgrade key is uploaded to a device. The (license) upgrade key is an alphanumeric string that ipoque provides to the customer to change certain system properties such as bandwidth, protocol modules, feature modules, and to change the duration of an evaluation license or the license type.

Caution: A device key should never be entered as an upgrade key!

1. Copy and paste the upgrade key into the form field and click OK.

Figure 14: License Upgrade

2. Click Activate to enable the shown extensions.
3. Click Reboot and confirm the prompt to complete the license upgrade. The system will be restarted.

For details on the license options the PRX is currently using to manage traffic, click the License row of the Status table on the Dashboard on page 19. The License Information panel lists the modules that are included in the current license (a red icon appears next to any deactivated modules).

An overview of the available options and the supported protocol list can be found on the ipoque homepage. To purchase optional licensing modules or upgrade the maximum bandwidth for existing options, contact support@ipoque.com and be sure to have your 6-digit serial number handy. (The serial number appears on a sticker on the back of each device and on the packaging materials.)

Note: Special Licenses. ipoque offers evaluation licenses with the full feature set and unlimited bandwidth for a limited period of time. A Not-for-Resale (NFR) License with the full set of features and unlimited bandwidth for an unlimited period of time is also available to qualified partners. For further information, contact support@ipoque.com.


Expert Settings
Use these settings to adjust several advanced PRX features.

LAN Bandwidth Settings


Assigns a maximum bandwidth to the bridge ports (INT/IN and EXT/OUT). If your network link uses a maximum bandwidth of less than the maximum interface data rate, enter the correct values here. This is important for prioritization. If this value is too high, PRX will not be able to detect congestion. Note that this value limits the maximum possible throughput accordingly. For a multi-link device, note that the LAN bandwidth setting applies to all links together. Prioritization rules may not work if you don't state an additional limitation rule for a class that is associated with the network(s) belonging to this link.

Figure 15: LAN Bandwidth Settings

Note: For effective traffic management, PRX must be the bottleneck in the path between subscribers. If any other device is the bottleneck and thus dropping packets, bandwidth rules may not work as expected.

Note: The Bandwidth values are based on OSI layer 2 without the layer 2 framing overhead. Other systems, including those by your uplink provider, often include layer 2 framing overhead. This may account for small differences. If you are not sure if the uplink bandwidth reported by your uplink provider is expressed as a gross or net value, check Example 1 on page 88.

Command Line Interface


Enables access to the command line interface via SSH. Along with the web interface, PRX Traffic Manager also includes a Command Line Interface (CLI). The command line interface can be accessed via the serial console, or via a secure shell (SSH). To enable SSH access to the command line interface, set the radio button to On and click Change.


Figure 16: Activate Command Line Interface

To log in via the command line interface, use the following command syntax (where <PRX-MGMT-IP> is the IP address of the PRX management interface):

ssh admin@<PRX-MGMT-IP>

Supported commands include:

- ip: change the IP address, netmask, gateway and DNS settings for the PRX management interface.
  Syntax: ip <PRX-MGMT-IP> <netmask> [gateway] [DNS]
  Note: The < > entries are mandatory, whereas the [ ] components are optional.
- help: display help
- quit: exit the program
- passwd: change the password
- reboot: reboot the device
- shutdown: shut down the device

Note: When the command line interface is activated, you can connect to it using the same password you use for the web interface login. The same features are available in the command line interface whether you access it from the serial console or via SSH.

TCP FIN Handling


Specify how to handle TCP FIN packets indicating that no more data is to be expected from the sender. In TCP communications, FIN packets are used to end a TCP connection. If the PRX is configured to block or shape certain TCP-based protocols, some or all of the packets will be dropped. In this case, the other end of the connection may want to terminate the connection with a FIN packet, but usually this is blocked too because of a rule. Some networks suffer from a lot of these packets.


Figure 17: Pass TCP FIN Packets

With the Pass TCP FIN Packets option, you can set the PRX to allow TCP FIN packets to pass through, even if a blocking rule is defined. This lets the other side know that the connection was successfully ended and there is no need to send any more packets. Use this option if your network suffers from a TCP FIN packet flood.

Sliding Token Bucket


Enable the token bucket to smooth out bandwidth usage, yet still allow bursts of data to be sent. PRX Traffic Manager includes a so-called Token Bucket mechanism, which can be used to control the bandwidth used for a protocol or group of protocols. If you are connected to a Gbit link, your network adapter will send packets at this speed. If a traffic rule is set in the PRX to limit the bandwidth, you cannot tell the interface to transmit data at a lower speed. The PRX will send a short Gbit peak and then wait before sending more traffic so that the desired average bandwidth limit is reached. But these peaks may be undesirable in certain environments where the following routers or upstream providers may drop the traffic above a certain bandwidth.

Figure 18: Sliding Token Bucket

When the Enable Sliding Token Bucket option is selected, the peak bandwidth values will be automatically adjusted (sliding) to the link speed and the specified bandwidth limit. This approach emulates the specified bandwidth over the long term, yet still allows for short-term bursts that are higher than the specified bandwidth. To avoid excessive traffic bursts, the PRX defines the permissible burst size (or bucket size in terms of a token bucket) as inversely proportional to the configured transmission rate. So the smaller the limit, the bigger the allowed burst size.

Memory Configuration
The Memory Configuration settings allow you to customize and fine-tune the allocation of system resources to meet the needs of your specific environment. The PRX Traffic Manager has a predefined amount of memory that is used for various purposes, including the subscriber database, connection tracking database, IP host database, and external IP host statistics.

For each of these purposes, the system uses predefined maximum values and preallocates a certain amount of initial memory. The settings in this panel allow you to adjust the default memory configuration to provide more resources for a particular purpose or less for another. For example: your PRX may be configured to support up to 100,000 subscribers, but in your environment, no more than 10,000 need to be tracked. In this case, you could change the memory configuration to decrease the number of subscribers and free additional memory for other features.

Figure 19: Memory Configuration

Table 1: Memory Configuration options

Option: Description
- Enable External IP Host Statistics: Activates real-time statistics for external IP hosts.
- Number of External IP Hosts: The maximum number of external IP hosts for which the system maintains real-time statistics.
- Enable Subscriber Database: Activates the database used to track subscribers (only available if supported by your license).
- Number of Subscribers: The maximum number of subscribers the system should maintain.
- Number of TCP/UDP Connections per internal IP Host: The number of TCP/UDP connections per internal IP host that the system keeps track of.


SNMP
With the SNMP settings, you can activate support for the Simple Network Management Protocol (SNMP). Management Information Bases (MIBs) and SNMP versions 1 and 2c are supported. To enable SNMP support, set the radio button to On and click Save. The following options are available when SNMP is enabled.

SNMP read-only access


Enter the Community string for SNMP read access. Default SNMP community strings include public and private, but these should generally be changed to something less common. For additional security, you can specify an IP address that should be allowed to make SNMP connections under Community src IP. Connections from other IP addresses will be rejected if an IP address is specified here.

Ethernet Interfaces
The interface settings allow you to specify the speed, duplex and flow control options for each Ethernet interface on your PRX. The individual interfaces are listed in the submenu under Ethernet Interfaces. Separate entries appear for the INT/IN and EXT/OUT ports of each link and for the management port (MNGT).

The Speed determines the physical speed of the network interface. The default setting is Auto mode, which enables Ethernet auto-negotiation. It may be useful in specific environments to choose the correct fixed settings at either side of the link in the PRX and in all attached devices such as switches and routers. The following values are possible:

- auto: auto-negotiate the speed
- 10000-FD: 10Gbps full-duplex (for 10GbE NICs only)
- 1000-FD: 1Gbps full-duplex (for 1GbE NICs only)
- 100-FD: 100Mbps full-duplex
- 100-HD: 100Mbps half-duplex
- 10-FD: 10Mbps full-duplex
- 10-HD: 10Mbps half-duplex

Note: It is strongly recommended to use the same settings for INT/IN and EXT/OUT for the hardware bypass to work properly in case of a device failure. All rack-mount PRX models enable the integrated hardware bypass when a link is deactivated under Link Settings on page 32.


Figure 20: Interface settings for the management port

Use the Flow Control options to specify the desired settings for each INT/IN and EXT/OUT port. You can enable or disable the auto-negotiation of flow control for the interface and activate or deactivate it for the receiving and transmitting directions.

Note: Flow Control settings are disabled by default for the data link interfaces. Enabling flow control on the data link interfaces can adversely affect the system throughput.

Link Settings
Use the link settings to switch entire links on or off.

Figure 21: Basic Settings for a link

When the Activate Link option is selected, the PRX manages traffic according to the configured rules. If a link is deactivated, the hardware bypass is automatically enabled and an electromechanical connection is created between the INT/IN and EXT/OUT ports. (No detection or monitoring is available if the link is deactivated.)

Note: Because many of the protocol detection routines depend on traffic direction, the managed or internal network must be connected to the internal port (INT/IN), and the uplink to the public IP network (Internet) must be connected to the external port (EXT/OUT).


Protocol Detection
The Protocol Detection options allow you to adjust the settings for the DPI and classification engine. You can exclude certain addresses from traffic management, enable tunnel decapsulation and advanced detection options and set timeouts.

Exceptions
Specify any hosts that require special treatment.

Figure 22: Protocol Detection Exceptions

In the text entry field, specify any IP or subnet addresses that you don't want to treat. Internal and external addresses can be specified as exceptions. Both dot-decimal mask and CIDR mask notations are supported. For a single IP address, use /255.255.255.255 or /32 as a mask. Separate multiple entries by a carriage return or a space.

All addresses you specify here are excluded from Protocol Detection, Traffic Management, Accounting and Logging. Related packets will be forwarded directly.

Note: The bandwidth the PRX is licensed for applies to Traffic Management. All traffic related to specified exceptions is forwarded with the maximum possible speed of the physical link (independent of the licensed bandwidth).

Tunnel Decapsulation
PRX Traffic Manager can decapsulate certain unencrypted tunnels and apply traffic management rules to the data streams they contain. Supported tunneling methods include GPRS Tunneling Protocol (GTP), Generic Routing Encapsulation (GRE) and IP-in-IP, which is sometimes called ipencap.

Figure 23: Tunnel Decapsulation


Without decapsulation, tunnel traffic is effectively invisible to traffic management mechanisms. When Enable Tunnel Decapsulation is active, PRX Traffic Manager can look inside tunnels to determine what kind of traffic is being relayed through the tunnel and apply traffic rules accordingly. When decapsulation is enabled, the PRX treats any tunneled TCP or UDP connections as the actual tunneled protocol/application, not as the protocol or application of the tunnel they are transported in. The PRX can decapsulate up to 10 nested tunnels.

For example, if an unencrypted tunnel X is used to transport traffic of application A, the underlying TCP/UDP connection is classified as:

- X when tunnel decapsulation is disabled, and as
- A when tunnel decapsulation is enabled.

If the Reporting or Traffic Management license options are enabled, tunneled protocols/applications are counted for the top-level tunnel IP address.

Advanced Detection
Enable advanced statistical methods to enhance detection of encrypted protocols. Advanced Detection mode uses statistical methods to reliably detect encrypted traffic, which helps to reduce misdetections and improve detection results for protocols that heavily rely on encryption like BitTorrent, Freenet and OpenVPN.

Figure 24: Advanced Protocol Detection

This mode requires additional system resources and may have a noticeable effect on performance, so it should only be activated if sufficient resources are available on the PRX, such as in the high-end rack-mount systems.

Protocol Logging
Specify whether syslog messages should be sent when connections are opened or closed (requires the Reporting license option). If you have enabled and configured a syslog server to receive log messages (under General Log Settings on page 36), you can use the options in the Protocol Logging dialog to control which events are logged. Depending on the settings in this dialog, syslog messages can be generated when connections start and/or end for each protocol group.


Figure 25: Protocol Logging

If both options are active for a protocol group, one log message will be generated at the beginning of each connection and another at the end. The default setting is Off for both connection start and end.

Important: The Protocol Logging options are only applied when logging events via syslog messages. If the PRX sends data to an ipoque Reporting Center, these options are ignored.

Reporting and Logging


Use these options to specify where reports and syslog messages are sent (requires the Reporting license option).

Reports
Specify the server to which reports and accounting data should be sent. The traffic manager generates statistics for all subscribers/users within the configured subnets, which can be either manually retrieved or automatically exported. For static networks, the IP address serves as the user ID. For dynamic networks, the Ethernet MAC address is used as the user ID for MAC-based and DHCP user mapping, and the RADIUS user name for an external RADIUS-based subscriber mapping.


Figure 26: Reports settings

Enable Export Accounting Data and select the types of data you wish to export (link and class accounting and/or user accounting). To reset accounting data whenever data is exported, select the corresponding option. Enter the required information for your FTP server, including the path to the directory where received data should be saved. Click Test to verify the connection to the specified FTP server.

Note: The specified directory must already exist on the server; it is not created by the PRX.

Important: If no FTP server is provided, accounting data will be lost after the specified Accounting Interval on page 40 expires.

General Log Settings


Specify the syslog and/or reporting center servers to which log messages should be sent. PRX Traffic Manager provides connection-based logging of network events and system status logging. Whenever a subscriber opens a connection with a supported application, a message can be generated and sent to a syslog server. Based on DPI and behavioral traffic analysis, the log messages provide information about what applications are being used and what services are running inside your network. That way you could, for example, detect web servers running on a port other than 80. Reporting information can be sent to a standard syslog server, an ipoque Net Reporting System (NRS), or both.


Figure 27: Log Settings

To send messages to a syslog server and/or Reporting Center:

- Select Enable reporting. In the default settings, only connections from defined subscribers are reported (as defined explicitly via IP address or RADIUS ID in Subscriber Management on page 54, or included implicitly via networks).
- To report all connections (including those from undefined subscribers), enable the Log all connections option.
- If messages from several PRX units are sent to a common reporting server, specify the PRX Device Name to help distinguish messages from each device.
- The Attach IP to device name option can be used to include the IP address of the management device along with the device name in syslog messages or NRS messages. It is not recommended to activate this option, because the IP address is already part of both the syslog message format and NRS format.
- Specify an IP address and port for the server(s) in the corresponding fields. To enable reporting to both a syslog server and a reporting center, enter an IP address and port for both server types.
- To use UDP for syslog data transfer, select the corresponding option (default and recommended).

Note: Data will be sent out via the PRX management interface. There must be a route from the PRX to the server(s) and you may have to set a gateway under Network Settings on page 23.

Syslog Message Contents and Server Configuration

Important: When logging events via syslog messages, the options under Protocol Logging on page 34 determine which specific protocols and connection events are logged.

The syslog messages contain the following information, separated by pipe symbols (|):

year month day time machine_ip (may vary depending on server configuration)
source_ip:port
destination_ip:port
rfc_layer4_protocol
message_type (detect,call,end,host,mail)
protocol_string
start_year
start_month
start_day
start_hour
start_minute
start_second
end_year
end_month
end_day
end_hour
end_minute
end_second
from_address (also used for smtp mail and host)
to_address
packet_up
packet_down
byte_up
byte_down

Example: protocol logging message


Jul 11 11:09:06 172.20.5.99 172.20.5.99|172.20.5.219:3818|172.20.0.200:80|6| end|HTTP|2008|7|11|10|59|6|2008|7|11|10|59|6|||7|13|584|1061|

system message
Jun 15 16:34:34 172.20.6.8 IP traffic||||||||||||| Syslog Service is stopping||||||

Note: The ipoque message part starts after the first pipe symbol in the syslog message. The first message part (year month day time machine_ip) is written by the syslog server itself and may differ depending on your server settings.

You will need to configure your syslog server in order to receive the syslog messages sent by the PRX. The following sample shows an excerpt from a configuration file for the syslog-ng server. If you are using a different syslog server implementation, please refer to your syslog server documentation for configuration instructions.

######
# sources
source s_prx { udp(ip(0.0.0.0) port(514)); };
######
# destinations
destination df_ipoque { file("/var/log/ipoque/connections"); };
######
# logs
log { source(s_prx); destination(df_ipoque); };


Note: You may have to restart the syslog server before your configuration changes take effect.
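The message format described above can be parsed on the log server to look for the case the guide mentions, web servers running on a port other than 80. The following is an added example, not part of the original guide or of ipoque software; the function names are hypothetical, the third sample line is constructed, and treating the destination endpoint as the server side of the connection is an assumption.

```python
from datetime import datetime

# Field order after the first pipe symbol, as listed in the guide.
FIELD_NAMES = (
    "source", "destination", "rfc_layer4_protocol", "message_type",
    "protocol_string",
    "start_year", "start_month", "start_day",
    "start_hour", "start_minute", "start_second",
    "end_year", "end_month", "end_day",
    "end_hour", "end_minute", "end_second",
    "from_address", "to_address",
    "packet_up", "packet_down", "byte_up", "byte_down",
)
COUNTERS = ("packet_up", "packet_down", "byte_up", "byte_down")
UNITS = ("year", "month", "day", "hour", "minute", "second")


def _endpoint(value):
    """Turn 'ip:port' into (ip, port); an empty field becomes None."""
    if not value:
        return None
    host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError("endpoint without port: %r" % value)
    return host, int(port)


def _timestamp(rec, prefix):
    """Combine the six start_* or end_* fields; None if any is empty."""
    parts = [rec["%s_%s" % (prefix, unit)] for unit in UNITS]
    return datetime(*map(int, parts)) if all(parts) else None


def parse_prx_message(line):
    # Everything before the first pipe is written by the receiving syslog
    # server and varies with its configuration, so it is kept as raw text.
    header, sep, body = line.rstrip("\n").partition("|")
    if not sep:
        raise ValueError("no pipe symbol found")
    values = [v.strip() for v in body.split("|")]
    values += [""] * (len(FIELD_NAMES) - len(values))
    rec = dict(zip(FIELD_NAMES, values))
    if not rec["source"] and not rec["message_type"]:
        # System status messages carry only free text.
        return {"kind": "system", "syslog_header": header.strip(),
                "text": " ".join(v for v in values if v)}
    msg = {
        "kind": "connection",
        "syslog_header": header.strip(),
        "source": _endpoint(rec["source"]),
        "destination": _endpoint(rec["destination"]),
        "message_type": rec["message_type"],
        "protocol": rec["protocol_string"],
        "start": _timestamp(rec, "start"),
        "end": _timestamp(rec, "end"),
        "from_address": rec["from_address"],
        "to_address": rec["to_address"],
    }
    msg.update((name, int(rec[name] or 0)) for name in COUNTERS)
    return msg


def http_servers_off_port_80(lines):
    """Return sorted (ip, port) pairs that served HTTP on a port other than 80."""
    found = set()
    for line in lines:
        try:
            msg = parse_prx_message(line)
        except ValueError:
            continue  # not a PRX record or damaged in transit
        if msg["kind"] == "connection" and msg["protocol"] == "HTTP":
            dst = msg["destination"]
            if dst and dst[1] != 80:
                found.add(dst)
    return sorted(found)


# The first two lines are the guide's own examples; the third is constructed.
PAGE_PROTOCOL_EXAMPLE = (
    "Jul 11 11:09:06 172.20.5.99 172.20.5.99|172.20.5.219:3818|172.20.0.200:80|6| "
    "end|HTTP|2008|7|11|10|59|6|2008|7|11|10|59|6|||7|13|584|1061|")
PAGE_SYSTEM_EXAMPLE = (
    "Jun 15 16:34:34 172.20.6.8 IP traffic||||||||||||| "
    "Syslog Service is stopping||||||")
CONSTRUCTED_EXAMPLE = (
    "Jul 11 11:12:40 172.20.5.99 172.20.5.99|172.20.5.219:3901|172.20.0.77:8081|6|"
    "detect|HTTP|2008|7|11|11|12|40" + "|" * 13)
SAMPLE_LINES = [PAGE_PROTOCOL_EXAMPLE, PAGE_SYSTEM_EXAMPLE, CONSTRUCTED_EXAMPLE]

if __name__ == "__main__":
    for server in http_servers_off_port_80(SAMPLE_LINES):
        print("HTTP on non-standard port: %s:%d" % server)
```
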

Accounting
Define subscriber-related settings and accounting periods (requires the Traffic Management license option). The Accounting settings allow you to manually reset the accounting data and provide access to the RADIUS settings, subscriber database size and accounting intervals.

Figure 28: Accounting settings

You can manually delete the statistics for all subscribers at any time via the Reset accounting data now button. This will reset the counters for each subscriber independent of the interval specified under Accounting Interval on page 40.

Note: To delete statistics for individual subscribers, select the Reset option from the Actions list under Subscriber Management on page 54 or click the Reset button on the Accounting tab for the subscriber.

RADIUS Service
Enable RADIUS user name to IP address mapping. To Enable Radius, select the corresponding option, enter the Shared Secret used by your RADIUS server and click Save. (The shared secret is used during calculation of the MD5 sum authenticator field.)

Figure 29: RADIUS Service

Once the RADIUS service is enabled, you can send RADIUS accounting messages to the management port of the PRX. With this there is no need to associate subscribers with classes manually because this is done by the RADIUS message. These accounting messages contain the following attributes:

User-Name
Framed-IP-Address
Acct-Status-Type
ipoque-class

The items above have the following meanings:

User-Name is a symbolic name for the user that connects to the network, usually provided by a third-party system. Once the message was sent to the PRX, traffic is accounted for the user name.

Framed-IP-Address is the IP address that was assigned to the user.
Note: A corresponding network of type extern has to be created first under Networks on page 48.

Acct-Status-Type is either Start when a user connects or Stop when the user disconnects.
Note: For an accounting stop message, only User-Name and Accounting-Status-Type="Stop" are required.

ipoque-class is the name of the class the user is associated with. This class needs to be created first on the PRX (see Classes on page 49 for more information).
Note: The class type should be set to Manage Traffic of Subscribers. The user can be associated with multiple classes by adding multiple ipoque-class attributes to the message.

To send this message from a RADIUS server, the vendor-specific attribute ipoque-class needs to be populated first by creating a dictionary file on the RADIUS system and including this in the main dictionary file of the RADIUS server. Please refer to the manual of your RADIUS server for more information. The ipoque dictionary file contains:

VENDOR ipoque 30012
BEGIN-VENDOR ipoque
ATTRIBUTE ipoque-class 1 string
END-VENDOR ipoque
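The accounting message described above, with the MD5 authenticator and the ipoque-class vendor-specific attribute, can be built and checked as follows. This is an added example, not code from the guide or from ipoque: the packet layout follows RFC 2866, the function names, shared secret, user name and class names are constructed, and how the PRX itself validates messages is not described in the guide.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
USER_NAME, FRAMED_IP_ADDRESS = 1, 8         # standard attribute types
VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 26, 40
ACCT_START, ACCT_STOP = 1, 2                # Acct-Status-Type values
IPOQUE_VENDOR_ID, IPOQUE_CLASS = 30012, 1   # from the dictionary file above


def _attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(ident, attrs, secret):
    """MD5 over code, id, length, 16 zero octets, attributes and secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(ident, secret, user, status, ip=None, classes=()):
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    if ip is not None:                      # not required for a Stop message
        attrs += _attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
    for name in classes:                    # one ipoque-class attribute per class
        vsa = _attr(IPOQUE_CLASS, name.encode())
        attrs += _attr(VENDOR_SPECIFIC, struct.pack("!I", IPOQUE_VENDOR_ID) + vsa)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(ident, attrs, secret) + attrs


def parse_accounting_request(packet, secret):
    """Check the authenticator first, then decode the four attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = _authenticator(ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch")
    msg = {"User-Name": None, "Framed-IP-Address": None,
           "Acct-Status-Type": None, "ipoque-class": []}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == USER_NAME:
            msg["User-Name"] = value.decode("utf-8", "replace")
        elif attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            msg["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            names = {ACCT_START: "Start", ACCT_STOP: "Stop"}
            msg["Acct-Status-Type"] = names.get(number, number)
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype, vlen) == (IPOQUE_VENDOR_ID, IPOQUE_CLASS,
                                         len(value) - 4):
                msg["ipoque-class"].append(value[6:].decode("utf-8", "replace"))
    if msg["User-Name"] is None or msg["Acct-Status-Type"] is None:
        raise ValueError("User-Name and Acct-Status-Type are required")
    return msg


# Constructed sample values, not taken from the guide.
SECRET = b"constructed-shared-secret"
START = build_accounting_request(1, SECRET, "alice", ACCT_START,
                                 ip="192.0.2.10", classes=["gold", "voip-block"])
STOP = build_accounting_request(2, SECRET, "alice", ACCT_STOP)

if __name__ == "__main__":
    print(parse_accounting_request(START, SECRET))
    print(parse_accounting_request(STOP, SECRET))
```

A receiver that checks the authenticator before applying the user-name-to-IP mapping rejects messages altered in transit or built with a different shared secret.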

Accounting Interval
Configure the counters that are used to keep track of service usage by each subscriber (requires the Reporting license option). For each subscriber in the database, PRX Traffic Manager maintains a counter for each supported and activated protocol/application (see Subscriber Statistics under Statistics on page 65). The IP address needs to be in a configured subnet. The counters can be manually downloaded or automatically exported to an FTP server and processed by an external accounting and billing system on a regular basis. This way subscribers can be charged by upload or download volume and per application. In addition, the counters are used for a volume-based traffic management where you can apply bandwidth limitation rules based on the volume a class or subscriber has consumed during the configured time period. (See Traffic Management on page 58.)


Figure 30: Accounting Interval

To Activate Accounting, select the corresponding option and specify the frequency at which reports should be generated and exported. The statistics are reset after every interval at the following times:

Hourly: at the beginning of every hour
Daily: at midnight (00:00) every day
Weekly: on Mondays at 00:00
Monthly: on the first day of each month at 00:00

Note: To export accounting data to an FTP server, specify the connection details under Reports on page 35 and activate the Export Accounting Data option. If no FTP server is specified, accounting data will be lost when the interval expires.

You can manually delete accounting data at any time via the Reset accounting data now button (see Accounting on page 39). This will reset the counters for each subscriber independent of the interval specified here.

Important: The Reset button in this form does not reset the accounting data, but rather allows you to cancel any changes you have made to the accounting interval settings.


Profiles
Traffic management profiles are rule sets that can be automatically activated by a scheduler to apply rules at pre-defined times or manually enabled as necessary (requires the Traffic Management license option).

Figure 31: Profile settings

The profile dialog allows you to activate profiles by hand, create new profiles, edit (rename) and delete existing profiles, and configure the profile scheduler. The active profile has only an Edit link in the Actions column.

There is one preconfigured profile called Default. All new traffic rules that you set up under Traffic Management on page 58 are associated with this profile by default. If additional profiles are configured, you can select the profile to associate with the new rule.

Important: If a profile is deleted, all associated Traffic Management rules will be lost. Changes to the active profile become effective immediately. If profiles and the scheduler are not required, only use the default profile.

The scheduler can automatically switch between different profiles. Provide a time the profile should be activated, select daily, Mon-Fri, Sat-Sun or every single weekday as the interval and assign the appropriate profile. Repeat this step for at least one more profile by clicking Add line. Click Change to save.


SSL Web Services


An SSL web service description allows you to group SSL traffic using a combination of attributes from the SSL server certificate.

Figure 32: SSL Web Services list

To create a new SSL web service description, select Settings > SSL Web Services and click the Add New SSL Web Service button.

Figure 33: Adding an SSL Web Service

Specify a name for the new web service and enter information in at least one of the remaining fields.

Table 2: SSL Web Service Attributes

Attribute: Common Name (CN)
Example: login.salesforce.com
Description: Usually the CN is the key attribute of a certificate and is always set. It usually matches the DNS name of the server to which it was issued. There are examples however, where the CN attribute matches the top-level domain of an organization. For example, Google's encrypted web service on https://www.google.com is redirected to https://encrypted.google.com.

Attribute: Organization Name (O)
Example: Salesforce.com, Inc.
Description: The name of the organization to which the certificate was issued. Similar to the CN attribute, the O attribute is set most of the time. It is more powerful however as it can be used to describe all web services of an organization at the same time, assuming of course, that all certificates that belong to an organization hold the same organization name.

Attribute: Country Name (C)
Example: US
Description: The name of the country in which the organization resides. It is not always set in a certificate.

Click Save to store your changes.

Create Web Service Groups

To apply policy rules to SSL traffic described by SSL web services, define an SSL Web Service group under Custom-Defined Protocols on page 44:

Figure 34: Adding an SSL Web Service

Set Up Policy Rules

Once an SSL Web Service group has been defined, it can be selected like any other DPI protocol, application or custom defined protocol in the policy rule protocol chooser:

Note: For more information on creating rules, see Traffic Management on page 58.

Custom-Defined Protocols
Custom protocols provide a flexible and powerful yet easy-to-use method of traffic management. By defining a series of custom criteria, you can describe traffic in a fine-grained manner and take action on the packets that meet these criteria. This approach can be used to limit or block traffic to or from certain URLs or HTTP hosts. A custom protocol is a special filter comprised of a combination of any of the following criteria:

a transport layer protocol, TCP or UDP,
a list of source ports or port ranges of the transport layer protocol,
a list of destination ports or port ranges of the transport layer protocol,
a flow direction (inbound or outbound),
a list of Layer 7 protocols supported by the ipoque DPI engine (such as BitTorrent, eDonkey, Flash, etc.), and
a list of HTTP hosts or URLs for HTTP-based Layer 7 protocols (such as Flash).

Custom protocols can be used to manage non-standard TCP/UDP-based protocols or protocols that are not yet supported by ipoque, but are simple to describe by a combination of a transport layer protocol and a port list. You can define a custom protocol for a scenario, which specifies particular source and destination ports, a port list or the range of ports used by the protocol. This can be combined with the flow direction to control either inbound or outbound connections only.

Custom protocols can be used to limit or block embedded website content like flash videos in particular without blocking the entire website. Sites like youtube.com and googlevideo.com use a lot of bandwidth by streaming video content to users. These videos can be easily embedded in virtually any web site. With custom protocols, you can easily limit or block YouTube-hosted flash videos by defining a filter named youtube-flash, for example, with the HTTP hostname criteria set to youtube.com and googlevideo.com and the Layer 7 protocol criteria set to flash. Once defined, youtube-flash shows up in the traffic management section and can be limited or blocked as necessary.

Figure 35: Custom-Defined Protocols

To create a new custom protocol, click Add a new protocol, set the desired options and click Save. To edit or delete an existing protocol, click the corresponding links in the list.

To download a list of HTTP hosts or URLs associated with a custom protocol, you can click the corresponding link in the List Type column or click the Edit link, scroll down and click Export HTTP Hosts or Export URL List. To remove an existing list, click the Edit link in the overview table, scroll to the end of the settings and click Delete HTTP Hosts or Delete URL List.


Figure 36: Capture Flash Content

In order to upload a list of HTTP hosts or URLs, first create and save a custom protocol filter. The new protocol will appear in the Custom Defined Protocols table. When you click the Edit link, the upload options appear at the end of the filter settings. You will be prompted to upload a list.

Figure 37: List upload prompt

When you click Upload a List in the banner prompt, the Upload List dialog will be shown, allowing you to specify a list file and type (either HTTP Hosts or URLs). Click the Browse button, select the desired file and click the Upload button.


Figure 38: Upload List dialog

After the list is uploaded, a new line appears at the end of the edit dialog for the custom filter, allowing you to export the current list, delete the contents, or replace the current list by uploading a new one.

Figure 39: Export, delete or replace a list

To change an existing list, click Upload and Replace List. Only one list can be associated with a custom protocol.

If more than one custom protocol filter matches the same traffic flow, the first filter to match will capture the flow. (Statistics will show the flow as matching for the first filter, but not for the others.) For example: If you have defined a custom protocol with the Layer-7 protocol set to HTTP and another with the destination port 80, the second filter will match earlier, because a packet with destination port 80 will be recognized before the flow is marked as an HTTP flow.

Important: HTTP host lists are more restrictive than URL lists. For example: If you block an HTTP host (such as youtube.com), all content on this host is no longer reachable. To block specific content on a host, use a URL filter with entries such as youtube.com/video?=UT34678tz. (In this case, only this particular video will be blocked, but all other YouTube content will still be available.) If you enter youtube.com/ in a URL list, the opposite is true: only the site root (http://youtube.com) would be blocked. (Other content such as http://youtube.com/video?=UT34678tz would still be accessible.)

Note: Consider the following when defining lists of HTTP hosts or URLs:

To specify a host in a URL list, you must append a trailing slash (/) to the host name. For example, the URL of host ipoque.com is ipoque.com/

Do not include the http:// protocol information when specifying hosts or URLs (only the actual host name and the top-level domain such as .com).

Host names are resolved in reverse order, so it is important to specify a top-level domain along with each host name to ensure that traffic is matched as intended.

A custom protocol filter with a URL list will only match if one of the URLs in the list matches exactly with the URL the user is attempting to reach (without the http:// part).

HTTP host lists should contain no more than 100 entries. URL lists are limited by the available system memory.

URLs in a HTTP host list will never match.

The number sign # should not be included in URLs. If you want to add a URL that contains this character to a list, omit this symbol and any characters that follow it.

All lists should end with a closing line break; otherwise the last entry in the list may be truncated.
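The list rules in the note above can be checked before a file is uploaded. The following is an added example, not part of the guide or of the PRX software; the function name, the problem codes and the sample lists are constructed. A URL found in a host list is reported but not reduced to its host name, because a host entry blocks all content on that host.

```python
import re

MAX_HOST_ENTRIES = 100          # "no more than 100 entries" for host lists
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def check_list(text, list_type):
    """Check a list file against the guide's rules.

    list_type is "hosts" or "urls". Returns (problems, cleaned), where
    problems is a list of (line_number, code) pairs (line 0 means the file
    as a whole) and cleaned is the corrected list text.
    """
    if list_type not in ("hosts", "urls"):
        raise ValueError("list_type must be 'hosts' or 'urls'")
    problems, cleaned = [], []
    if text and not text.endswith("\n"):
        # Without a closing line break the last entry may be truncated.
        problems.append((0, "no-final-newline"))
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if SCHEME.match(entry):
            # The http:// protocol information must be left out.
            problems.append((number, "protocol-prefix"))
            entry = SCHEME.sub("", entry, count=1)
        if "#" in entry:
            # Omit the number sign and any characters that follow it.
            problems.append((number, "number-sign"))
            entry = entry.split("#", 1)[0]
        host, slash, _path = entry.partition("/")
        if "." not in host:
            # A top-level domain is needed for the host to match as intended.
            problems.append((number, "no-top-level-domain"))
        if list_type == "hosts" and slash:
            # URLs in a host list never match; needs a manual decision.
            problems.append((number, "url-in-host-list"))
            continue
        if list_type == "urls" and not slash:
            # A host in a URL list needs a trailing slash.
            problems.append((number, "host-without-slash"))
            entry += "/"
        cleaned.append(entry)
    if list_type == "hosts" and len(cleaned) > MAX_HOST_ENTRIES:
        problems.append((0, "too-many-hosts"))
    return problems, "".join(e + "\n" for e in cleaned)


# Constructed sample lists using the host names from the guide's examples.
SAMPLE_URL_LIST = (
    "http://youtube.com/video?=UT34678tz\n"
    "ipoque.com\n"
    "example.com/page#section\n"
    "intranet/\n"
    "youtube.com/")
SAMPLE_HOST_LIST = "youtube.com\ngooglevideo.com\nyoutube.com/video?=UT34678tz\n"

if __name__ == "__main__":
    for sample, kind in ((SAMPLE_URL_LIST, "urls"), (SAMPLE_HOST_LIST, "hosts")):
        found, fixed = check_list(sample, kind)
        print(kind, found)
        print(fixed)
```
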

Networks
PRX Traffic Manager allows you to specify individual networks, which form the basis of the classes to which traffic management rules can be applied (requires either the Traffic Management or Reporting license option). There are four different types of networks: static, mac, dhcp and extern.

Network Type: static
Description: Each subscriber is defined by an IP address. This is usually used in environments where each computer has its own fixed IP. All hosts in the configured subnet will show up in Subscriber Management on page 54, no matter if they are present or not. Accounting is based on these fixed IP addresses.

Network Type: mac
Description: Each subscriber is defined by a MAC address. When defining a network based on MAC, then the IP is mapped to the same MAC every time an IP/MAC pair passes through the device. The mapping is updated as soon as the same IP originates from a different MAC address. This feature is usually used in dynamic environments where no DHCP is available.

Network Type: dhcp
Description: Each subscriber is defined by a DHCP request. Each time a DHCP server response for a DHCP client request is detected, the MAC address is mapped to the IP address. It is important that DHCP client and server are located on different sides of the PRX device.

Network Type: extern
Description: Each subscriber is defined by the User-Name attribute in a RADIUS accounting message. This option provides true dynamic user management based on RADIUS user names. Provide the shared secret of the RADIUS server under Accounting on page 39.

Figure 40: Networks list

The number of configured and available networks is shown above the list of networks. The number of available networks differs by PRX model and is listed on the product datasheet as Subnets.

Click Add a new network, specify a name and the appropriate IP addresses and netmask, and select the type as described above.

When you enter a network with a name, type, IP address and netmask, PRX treats the information as a collection of IP addresses and not as an actual network with network address and broadcast address. The network mask is used to simplify the creation of smaller or larger network portions. You can define ranges of IP addresses by using different netmasks as shown in the following examples:

A single class C subnet: 192.168.0.0/255.255.255.0, 256 IP addresses
2 class C networks: 192.168.0.0/255.255.254.0, 512 IP addresses
The last 32 addresses of a class C net: 192.168.0.224/255.255.255.224 (224-255)

The Network table shows all configured networks. Click a network name for details. For dynamic networks (mac, dhcp or extern), every time a subscriber connects, its ID (MAC or RADIUS user name) is mapped to the current IP address.

Important: Deleting a static network will remove all corresponding subscribers from the associated classes. The classes and associated rules themselves will be preserved. All IP statistics for this network will be lost. When a dynamic network is deleted, the associations between IP addresses and MAC addresses are lost, but the accounting data for each MAC address is retained.

Caution: Defining mac and dhcp networks may have an impact on performance due to the underlying learning mechanism.

Classes
Define classes to group traffic into units for more efficient management (requires either the Traffic Management or Reporting license option).

Classes are groups of network subscribers that simplify the subscriber management process. A subscriber, ranges of subscribers or whole subnets can be aggregated to one or more classes and the rules for these classes apply to all these subscribers instantly. With classes, there is no need to create management rules for each subscriber separately.

Traffic classes and rules form the core of the ipoque traffic management model. A class is the means to describe a particular share of your link traffic, either:

directly, by creating a DSCP (DiffServ codepoint) class or a VLAN class; an MPLS class; or
indirectly by adding a subscriber class and associating a number of subscribers with that class, or a phone call class and associating a phone book that contains a list of telephone numbers with that class.

Click Add a new Class and select the type of traffic you want to manage with this class. The following class types are available:

Class Type: Manage DSCP-marked Traffic
Description: A DSCP class allows you to manage traffic labeled with a DiffServ codepoint. Provide a name for the class and select the DSCP tag you want to manage with this class.

Class Type: Manage Traffic of Subscribers
Description: A subscriber class can be used to manage the traffic of a particular subscriber group (such as all subscribers on a certain network). In a very simple scenario, this will be a fixed IP address network. In more complex scenarios, this can be a number of arbitrary user names from an external RADIUS server (see Networks on page 48 for details).

Class Type: Manage VLAN-tagged Traffic
Description: A VLAN class allows you to manage VLAN-tagged traffic. Provide a name and the VLAN tag you want to manage with this class.

Class Type: Manage MPLS-tagged Traffic
Description: An MPLS class allows you to manage MPLS-tagged traffic. Provide a name and the MPLS tag you want to manage with this class.

Class Type: Manage Phone Calls
Description: A phone call class allows you to manage VoIP calls to and from numbers defined in Phone Books on page 52. Specify a name for the class and select the pre-defined phone books that contain the numbers for the caller and called parties.

Figure 41: New Phone Call Class

The table shows all configured classes, lists the type of class and provides an option to specify a default class. The links in the Actions column allow you to edit or delete existing classes.

Figure 42: List of classes

There is one special factory-installed class named Link that comprises the complete link traffic. The traffic rules (defined under Traffic Management on page 58) that are associated with that class are applied to the whole traffic irrespective of its source or destination IP address. You can configure subnet Exceptions on page 33 to exclude traffic to or from these subnets from analysis, and link rules are never applied to this traffic. This class cannot be deleted.

Each class will show up as a section under Statistics on page 65.

If one of the user-defined classes is selected as default, this policy will apply to all subscribers for which no other classes are explicitly defined. As soon as subscribers are associated with another class, they are automatically removed (deassociated) from the default class. If the default checkbox is cleared, all subscribers previously associated with this class will be automatically deassociated.

Important: If an existing class containing subscriber associations is later set as the default class, any prior (static) subscriber associations will become dynamic associations. If you then set a different class as default, the subscribers associated with the first class will be removed (deassociated).

Adding a Class
To add a new class, complete the following steps:

1. Click Add a new Class.

Figure 43: List of classes

2. Select the desired Class Type as described under Classes on page 49.

Figure 44: Adding a new class

3. Enter a name for your new class.
Note: If you are creating a class to manage DSCP marked traffic, you must also specify the DSCP.

Figure 45: New DSCP class

4. Click Save to add the new class.

The new class is shown on the classes list.

Renaming a Class
To rename a class, complete the following steps:

1. Choose the requested class and click Edit.
2. Enter the new name and click Save.

The renamed class is shown in the classes list.

Deleting a Class
To delete a class, complete the following steps: Choose the requested class and click Delete. The class will be deleted.

Phone Books
Define lists of incoming or outgoing VoIP telephone numbers to be blocked for a group of users.

PRX Traffic Manager can block VoIP calls including SIP, H.323 and IAX calls. Incoming and outgoing calls can be handled separately. In order to block these calls, you first specify the telephone numbers that you want to block by creating a phone book file, which is a simple text file that contains a series of telephone numbers (in plain text). The steps below describe how to block VoIP calls based on phone numbers.

1. On your desktop, create a text file with the telephone numbers you would like to block. Separate the telephone numbers in the file with spaces or line breaks. It is not necessary to state complete numbers. Blocking also works with suffixes, prefixes or parts of the numbers. Only use numbers. Any other non-digit characters such as A-z + . - ( ) [ ] / will be removed.

2. On the PRX, create a new phone book by clicking the Add a new Phone Book button under Settings > Phone Books. Enter a name for the phone book in the resulting field and click Save. If you want to handle incoming and outgoing calls separately, you have to create separate phone books. Your new phone book appears in the list of defined phone books.

Figure 46: Phone Books list

3. Associate the text file containing the telephone numbers with the new phone book:
a) Under Settings > Phone Books, select a phone book name and click the List of Phone Numbers tab.
b) Click Browse and select the text file with the list of telephone numbers you created earlier.
c) Click Upload to associate the file with the phone book.
You can upload only one text file for each phone book. Uploading a new file will overwrite the existing phone book. To see which numbers are in a phone book, click Download List of Numbers on the List of Phone Numbers tab.

4. Create a Phone Call Class via Settings > Classes > Add a new class and select Manage Phone Calls. Provide a name for the class and select the phone book that contains the called and/or the caller numbers. If you want to block the numbers in the phone book for both directions, select the same phone book for caller and called numbers.

5. Associate subscribers with the Phone Call Class. See Subscriber Management on page 54.

A Phone Call Class is simply a Subscriber Class with the option to add user-defined Phone Books. Blocking user-defined numbers only takes effect if there are subscribers associated with the class. All SIP, H.323 and IAX-based calls for the caller/called numbers defined in the corresponding phone books are blocked for all subscribers associated with the Phone Call Class.

Tip: To block defined numbers for all connected subscribers rather than only for a certain Phone Call Class, you can associate phone books with the link class. In the list of classes, click Edit for the Link class and select the previously created phone books.


BitTorrent Tracker
Add BitTorrent trackers to the whitelist.

PRX Traffic Manager can distinguish between different types of BitTorrent downloads using three groups: BitTorrent, positive BitTorrent and unknown BitTorrent traffic. The first selects all BitTorrent traffic, the second selects BitTorrent traffic of trackers in the positive list (or whitelist) and the last one selects BitTorrent traffic of any trackers that are not in the whitelist. With these three groups, you can apply different traffic rules for different types of BitTorrent downloads. For example, you can block traffic of unknown trackers completely while allowing BitTorrent traffic of trackers that are used for distributing the latest Linux distributions or any other open source content.

In order to manage BitTorrent traffic, you need to create a new prioritization or limitation rule as described under Traffic Management on page 58. When defining the new rule, choose whitelisted BitTorrent to manage BitTorrent traffic for the trackers in the whitelist, or BitTorrent to manage all other torrents.

The table shows all trackers on the whitelist and you can delete a tracker if it is no longer required. To add a tracker URL to the whitelist, enter the address in the field and click Add.

Figure 47: BitTorrent tracker list

Note: Do not include the http:// protocol information in the tracker URL. The PRX will add this automatically.

If you do not know the tracker names, you can use an alternative way to add trackers based on your actual BitTorrent traffic. Refer to the BitTorrent Downloads section under Statistics on page 65.

Subscriber Management
The Subscribers table provides an overview of the users in each network (requires either the Traffic Management or Reporting license option). If static networks are configured under Networks on page 48, you will see all IP addresses that belong to the network, whether the particular subscriber is present or not. For dynamic networks (mac and dhcp) you will only see the subscribers that are actually present. Subscribers from networks of type extern will appear once a RADIUS message was sent to the PRX.


Figure 48: Subscriber Management

The options above the table allow you to search the list of subscribers by ID, or filter the list to show only subscribers of a certain type, network, or class. Click the Add a new Subscriber button to quickly define a single subscriber. This option provides a shortcut for ad-hoc additions to the subscriber list, without the need to modify settings on the RADIUS server or under Networks on page 48.

Specify your filter criteria in the corresponding field(s) and click Search. To remove any filter criteria and revert to the full list, click Reset.

The table includes the following information for each subscriber:

Subscriber ID: The format of the ID depends on the type of network. In static networks, the IP address serves as subscriber ID. For MAC or DHCP-based networks, the MAC address is used as subscriber ID. If an external RADIUS mapping is used, the user name is shown.

IP Address: The IP address that is mapped to the Subscriber ID. For dynamic mappings, an ID can be mapped to different IPs at different times, for example, when the DHCP lease expires.

Type: Shows the type of network configured under Networks on page 48 (static for static, dynamic for mac, dhcp or extern).

The options below the table allow you to select subscribers from the filtered list shown in the table and adjust the class associations via the options in the Action list. When you have marked the desired subscribers and selected an action from the list, click Submit to apply the changes to the selected subscribers.

Note: All subscribers from a dynamic network (such as a mac network) that are associated with a class will be dynamically associated with this class. All other associations you create manually with the deassociate action or by RADIUS are static associations.


Note: To remove a static association, use the action deassociate. To remove a dynamic association, use the exclude action. To undo an exclusion, use the include action.

Click on a Subscriber ID for more information. A tabbed panel appears with details on the selected subscriber including the current IP address, a list of classes with which the subscriber is currently associated and an overview of accounting statistics showing usage data by protocol.

Figure 49: Subscriber Accounting

The Reset button on the Accounting tab allows you to delete statistics for an individual subscriber. (To reset accounting data for all subscribers at once, use the Reset accounting data now button under Accounting on page 39.)

For information on changing settings or resetting accounting data for multiple subscribers and assigning subscribers to classes, see the topics below.

Managing Subscribers
Adjust settings for individual subscribers.

If classes are defined, you may choose to select only the subscribers for a certain class.

1. Select a class from the list above the table and click Search to display the list of subscribers in the corresponding class.
2. Use the left << and right >> buttons to browse through the list of subscribers.
3. Click on a Subscriber ID for more information on the subscriber. A dialog appears with details on the selected subscriber.
4. Click the various tabs for:
   Details: ID and IP address of the subscriber
   Associated classes: Show all classes a subscriber is assigned to. See Managing Class Associations on page 57 for information on assigning groups of subscribers to a class.

   To change the class associations for an individual subscriber:
   a) On the Associated classes tab, click Associate with another class. A list of available classes appears.
   b) Select the desired class from the list.
   c) Click Save.

Managing Class Associations


Adjust which classes each subscriber belongs to.

In order to manage traffic for a group of users, you need to associate subscribers from the configured Networks on page 48 with classes. Subscriber association is only available for classes of type Manage Traffic of Subscribers and Manage Phone Calls.

1. Under Subscriber Management on page 54, search for the subscribers you want to associate with a class by using one or more filter options. The table shows only the subscribers matching the filter criteria.
2. Manually select individual subscribers on the current page by checking them, or click Select all. To perform an action on all filtered subscribers (including those on other pages), set the Scope to All Filtered.
3. Select the desired Action from the list. Choose Associate to assign the selected subscribers to a class. Choose Deassociate to remove class associations. A new list appears with the available classes of the corresponding type.
4. From the class list, select the class for which you want to change associations.
5. Press Submit. To verify the association, reset the filter criteria and select only the class as filter.

Note: The Select all option only selects all subscribers on the current page.

Note: In the ipoque class model, subscribers can belong to more than one class. If you assign different traffic rules to different classes under Traffic Management on page 58 and if a subscriber belongs to more than one class, the most restrictive rule will apply to this subscriber in case of limitation rules, and the highest priority will apply in case of prioritization rules. A limitation rule always takes precedence over a priority rule, even if the priority is set to very high.

Associating Subnets With Classes


Associate groups of subscribers to classes by subnet.

Individual subscribers can be associated with classes as described under Managing Subscribers on page 56, and groups of subscribers can be associated as described under Managing Class Associations on page 57. To assign an entire subnet to a class, follow the steps below.

1. Click Subscriber Management in the top-level menu and select IP Subnets from the submenu on the left. The IP Subnets settings appear.
2. From the Classes list, select the class for which you want to change associations.

   Note: Subscriber association is only available for classes of type Manage Traffic of Subscribers and Manage Phone Calls.

   If the class already contains subnet associations, the defined subnets appear in the List of Subnet IPs.
3. Enter or edit the subnets in the text entry field. Both dot-decimal mask and CIDR mask notations are supported. Separate multiple entries by a carriage return or a space.
4. Select the desired Action from the list. Choose associate to assign the specified subnets to the class. Choose deassociate to remove the specified subnets from the selected class.
5. Press Save.
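A pre-check for the subnet list before it is entered in the text entry field, as an added example that is not part of the guide or of the PRX software: it normalizes dot-decimal and CIDR entries to CIDR and flags malformed masks, set host bits, overlapping entries and very broad ranges that would pull far more subscribers into a class than intended. The function name, the IPv4-only handling, the rejection of entries without a mask and the `min_prefix` threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubnetReport:
    networks: list = field(default_factory=list)  # normalized CIDR strings, input order
    warnings: list = field(default_factory=list)  # entries that parse but deserve a second look
    errors: list = field(default_factory=list)    # entries that are not valid subnets


def check_subnet_field(text, min_prefix=16):
    """Validate a whitespace-separated subnet list (spaces, CR or LF between entries).

    min_prefix is an assumed review threshold: networks with a shorter prefix
    (more addresses) are reported as unusually broad.
    """
    report = SubnetReport()
    seen = []
    for entry in text.split():
        if "/" not in entry:
            # Assumption: only the two notations named in the guide are accepted.
            report.errors.append(f"{entry}: no mask given")
            continue
        try:
            iface = ipaddress.IPv4Interface(entry)  # accepts /24 and /255.255.255.0
        except ValueError as exc:  # covers bad addresses and non-contiguous masks
            report.errors.append(f"{entry}: {exc}")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            report.warnings.append(f"{entry}: host bits set, normalized to {net}")
        if net in seen:
            report.warnings.append(f"{net}: duplicate entry")
            continue
        if net.prefixlen < min_prefix:
            report.warnings.append(
                f"{net}: broad range covering {net.num_addresses} addresses")
        for other in seen:
            if net.overlaps(other):
                report.warnings.append(f"{net}: overlaps {other}")
        seen.append(net)
        report.networks.append(str(net))
    return report


# Constructed sample input mixing both notations and both separators.
SAMPLE_FIELD = (
    "10.1.0.0/255.255.0.0 10.1.2.0/24\r\n"
    "192.168.5.77/24 172.16.0.0/255.240.0.0\r\n"
    "10.9.0.0/255.0.255.0 10.0.0.0/8"
)

if __name__ == "__main__":
    result = check_subnet_field(SAMPLE_FIELD)
    print("normalized:", " ".join(result.networks))
    for line in result.warnings:
        print("warning:", line)
    for line in result.errors:
        print("error:", line)
```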

Resetting Subscriber Statistics


Accounting data for groups of subscribers can be reset under Subscriber Management.

The PRX maintains accounting data for each subscriber. The accounting data for all subscribers is reset automatically at the end of each accounting interval (see Accounting Interval on page 40) or manually via the corresponding option under Accounting on page 39. If necessary, you can also reset accounting data for individual subscribers or a group of subscribers.

1. Under Subscriber Management on page 54, search for the subscribers you want to reset by selecting one or more filter options. The table shows only the subscribers matching the filter criteria.
2. Manually select individual subscribers on the current page by checking them, or click Select all. To perform an action on all filtered subscribers (including those on other pages), set the Scope to All Filtered.
3. Select Reset from the Action list.
4. Press Submit.

Traffic Management
Use these settings to view and specify the traffic rules (or filters) which are used to manage network traffic based on pre-defined filter criteria (requires the Traffic Management license option).

The tabs at the top of the page show all configured traffic management rule sets (as described under Profiles on page 42). The currently active profile is shown on the Dashboard on page 19 and indicated in the profile tab with an asterisk (*). For each profile, the number of defined and available rules is shown. The rules associated with each profile are grouped in tables by type:

1. Bandwidth Limitation
2. Bandwidth Prioritization
3. Control Voice Calls

Any combination of these rule types is possible, no matter which protocols or protocol groups they apply to. The order of rules has no effect on traffic management or performance.

Important: Depending on the protocol, the PRX needs a certain number of packets to classify the traffic. A PRX that has just been inserted into a link may need some time to classify all traffic.

Figure 50: Traffic Management Profiles

A rule is always linked to a profile and a class (as described in Profiles on page 42 and Classes on page 49). If no other classes are defined, rules are associated with the Link class, which is applied to all traffic that passes through the system. If no custom profiles are defined, the rule is automatically associated with the default profile.

Each rule is represented by a table row that shows the class to which the rule applies along with the affected protocols. For Bandwidth Limitation rules, the following additional information is shown:

- the upload and download data rate limits
- the volume threshold beyond which these rate limits apply
- the protocols that are counted towards this volume threshold
- whether the rule is subscriber-based

The Bandwidth Prioritization table also includes the following columns:

- the upload and download data rate limits
- the priority (very low, low, default, high or very high)
- whether the rule is subscriber-based


Note: If the Subscriber-based option is enabled for a rule, its upload, download and volume limits will be applied to each individual user of the class. Subscriber-based rules only take effect for classes of Networks/Users as described under Classes on page 49.

For each configured rule, there are three possible actions available:

Edit: allows you to change the rule properties using the same configuration page that is used to create a rule.

Copy: creates a copy of the rule and jumps directly to the rule configuration page, allowing you to change the properties of the copy. You can assign it to a different profile, to another class or even to the same profile and class but with different values and/or protocols. Click Save to store your changes to the copied rule and return to the rule table view.

Delete: deletes a rule immediately (you are prompted to confirm the deletion).

To Add a new Rule, click the corresponding button above the rule table and select the type of rule you wish to create. To edit, copy, or delete an existing rule, click the icons in the Actions column.

Figure 51: Adding a new rule

For more information on the options available when adding rules of each type, see the topics below.

Creating a Bandwidth Limit Rule


Bandwidth limit rules apply an upper limit on traffic of certain types and can be used to shape and block traffic flows.

To create a new bandwidth limitation rule, complete the following steps:

1. Under Traffic Management on page 58, click Add a new Rule.
2. Select Limit Bandwidth and click Next.
3. Enter a name for the new rule in the space provided.
4. From the lists at the top of the dialog, select the Profile and Traffic Class to which this rule should apply.
5. In the text entry fields, specify data rate limits for Download and Upload (in kilobits per second); if set to zero, traffic is completely blocked. Oversubscription is possible. See Example 1 Oversubscription on page 89.
6. Enter a data Volume threshold (in megabytes) beyond which the data rate limits become effective. A value of 0 means the data rate limits are effective immediately. Select which directions should count towards the volume threshold: Upload, only Download or both directions combined (Up- and Download). See Example 2 Tiered Volume P2P Service on page 89.

   The time period for the volume threshold is related to the currently selected Accounting Interval on page 40. Volume counters will be reset automatically after each elapsed accounting interval.

   Select Subscriber-based to apply the specified volume and data limits to each network user/subscriber individually.
7. In the color-coded table under Protocol Selection, specify the protocols or protocol groups to which the rule should be applied. You can select any combination of protocols and protocol categories.

   - Complete traffic really means all traffic, whether it is detectable by the PRX or not.
   - The all protocols category means all protocols that are currently known to the system. If new protocols are supported in the future, a rule with all protocols will only match the old protocols. To update the list with the latest protocols, edit the rule, disable the all protocols option and re-select it.
   - The Unclassified category matches all traffic which cannot be detected by the PRX, either due to license restrictions or because it is not currently supported.

   If you prefer to select individual protocols (or sub-protocols) rather than protocol groups, select the desired protocols in the Inactive Protocols list on the lower left, and click the >> button to move the selected protocols to the Active Protocols list on the right (or double-click a protocol). The Inactive Protocols list includes any custom-defined protocols. The data rate and volume limits specified above will be applied to all protocols in the Active Protocols list.
8. Click Save to create the new rule and return to the rule table view under Traffic Management on page 58.

Creating a Bandwidth Prioritization Rule


Bandwidth prioritization rules change the priority value of traffic. The priority is used by a corresponding limit rule (a limit rule that matches the same traffic) to decide which packets to drop first. The lower the priority, the more likely a packet is dropped.

Bandwidth prioritization rules allow you to reserve a guaranteed available bandwidth for individual applications and users by assigning one of five priorities (very low, low, default, high or very high) to traffic, where default means the default priority of all link traffic. Initially, each packet has the default priority. The priority of traffic can be either raised or lowered using a prioritization rule.

Packets belonging to a protocol with a very high priority will be served first according to the configured guaranteed bandwidth, displacing any lower-priority traffic if the link is congested. Traffic that exceeds the bandwidth value will be treated as default priority traffic. Packets with high priority will be served next, and so on. Packets with the same priority will compete for bandwidth. If a protocol or protocol group configured in a rule is not using all of its assigned guaranteed bandwidth, other (lower-priority) packets can use this free capacity.

Tip: A priority rule only changes the priority of the packets that match the rule and are within the defined guaranteed bandwidth. A corresponding limitation rule must always be configured that evaluates the priority and decides what packet to drop first.

To create a new bandwidth prioritization rule, complete the following steps:

1. Under Traffic Management on page 58, click Add a new Rule.
2. Select Prioritize Bandwidth and click Next.
3. Enter a name for the new rule in the space provided.
4. From the lists at the top of the dialog, select the Profile and Traffic Class to which this rule should apply.
5. In the text entry fields, specify data volume values for Download and Upload (in kilobits per second). These values define the amount of bandwidth that should be treated with the selected priority. All traffic that exceeds these values will be treated as default priority.
6. Select the Priority.
7. Select Subscriber-based to apply the specified bandwidth guarantees and priorities to each network user/subscriber individually.
8. In the color-coded table under Protocol Selection, specify the protocols or protocol groups to which the rule should be applied. You can select any combination of protocols and protocol categories.

   - Complete traffic really means all traffic, whether it is detectable by the PRX or not.
   - The all protocols category means all protocols that are currently known to the system. If new protocols are supported in the future, a rule with all protocols will only match the old protocols. To update the list with the latest protocols, edit the rule, disable the all protocols option and re-select it.
   - The Unclassified category matches all traffic which cannot be detected by the PRX, either due to license restrictions or because it is not currently supported.

   If you prefer to select individual protocols (or sub-protocols) rather than protocol groups, select the desired protocols in the Inactive Protocols list on the lower left, and click the >> button to move the selected protocols to the Active Protocols list on the right (or double-click a protocol). The Inactive Protocols list includes any custom-defined protocols. The data rate and volume limits specified above will be applied to all protocols in the Active Protocols list.
9. Click Save to create the new rule and return to the rule table view under Traffic Management on page 58.

Note: All traffic exceeding the data rate value for a prioritization rule will be assigned the default priority, even if the traffic was configured to have a lower priority (such as low or very low). This has the slightly confusing effect that exceeding traffic will be given a higher priority than traffic below the data rate limit. Usually, this effect is only desired for traffic with a higher-than-default priority. In fact, for lower-than-default priority traffic, bandwidth guarantees do not make much sense. This option will disappear in future versions, but until then, a simple work-around is to enter the full link speed as the guaranteed data rate for all lower-than-default priorities. This will ensure that such traffic will be discarded before any default-priority packet is discarded.

Important: Never assign a guaranteed data rate close to the link capacity to a rule with priority high or very high. In this case, no other application will be able to communicate if the prioritized application is fully using its assigned data rate.
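A simplified model of the prioritization behaviour described above, added here as an illustration and not taken from the guide or the PRX software: traffic within a rule's guaranteed rate carries the rule's priority, the excess is treated as default, and priorities are served highest first on a congested link. The protocol labels, the rates and the proportional sharing among traffic of equal priority are assumptions.

```python
from dataclasses import dataclass

# Priority names as listed in the guide, lowest first.
PRIORITIES = ["very low", "low", "default", "high", "very high"]


@dataclass(frozen=True)
class PriorityRule:
    priority: str
    guaranteed_kbps: float


def split_by_priority(offered_kbps, rule):
    """Return {priority: kbps} for one protocol's offered load.

    Traffic up to the guaranteed rate gets the rule's priority; anything
    above it falls back to default, as the note in the guide describes.
    """
    if rule is None:
        return {"default": offered_kbps}
    if rule.priority not in PRIORITIES:
        raise ValueError(f"unknown priority: {rule.priority}")
    within = min(offered_kbps, rule.guaranteed_kbps)
    parts = {rule.priority: within}
    excess = offered_kbps - within
    if excess > 0:
        parts["default"] = parts.get("default", 0) + excess
    return parts


def delivered(link_kbps, offered, rules):
    """Model which traffic survives a limit of link_kbps.

    offered: {protocol: kbps}, rules: {protocol: PriorityRule}.
    Higher priorities are served first; traffic of the same priority shares
    what is left in proportion to its demand (modelling assumption).
    """
    buckets = {prio: {} for prio in PRIORITIES}
    for proto, kbps in offered.items():
        for prio, part in split_by_priority(kbps, rules.get(proto)).items():
            buckets[prio][proto] = part
    result = {proto: 0.0 for proto in offered}
    remaining = float(link_kbps)
    for prio in reversed(PRIORITIES):
        demand = sum(buckets[prio].values())
        if demand == 0:
            continue
        if demand <= remaining:
            for proto, part in buckets[prio].items():
                result[proto] += part
            remaining -= demand
        else:
            for proto, part in buckets[prio].items():
                result[proto] += part * remaining / demand
            remaining = 0.0
    return result


LINK_KBPS = 8000  # constructed link speed for the scenarios below


def scenarios():
    """Three constructed cases: the note's side effect, the work-around, the Important box."""
    load = {"web": 6000, "p2p": 6000}
    return {
        # very low priority with a small guaranteed rate: the excess competes as default
        "low_guarantee": delivered(LINK_KBPS, load, {"p2p": PriorityRule("very low", 2000)}),
        # work-around: guaranteed rate set to the full link speed
        "workaround": delivered(LINK_KBPS, load, {"p2p": PriorityRule("very low", LINK_KBPS)}),
        # very high priority with a guarantee close to link capacity
        "starvation": delivered(LINK_KBPS, {"web": 6000, "prioritized_app": 7800},
                                {"prioritized_app": PriorityRule("very high", 7800)}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, {proto: round(kbps) for proto, kbps in outcome.items()})
```

In the first case the "very low" protocol still takes bandwidth from default traffic because most of its load is reclassified as default; with the work-around it only receives what default traffic leaves over.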

Creating a Rule to Block VoIP Calls


VoIP blocking rules are used to prevent a group of users (a class) from placing and/or receiving calls.

The Block VoIP Calls rule is different from the phone call handling described under Phone Books on page 52. With a VoIP rule, you cannot define specific phone numbers or prefixes to block. Rather, you can block VoIP calls for a group of users (a class) based on the direction of the call.

1. Under Traffic Management on page 58, click Add a new Rule.
2. Select Block VoIP calls and click Next.
3. Choose a profile (if applicable) and select an appropriate class of type Manage Traffic of Subscribers you created previously or the link class.

   Figure 52: New rule to block VoIP calls

   Choose the direction and type of calls you want to handle with the rule by selecting the corresponding options for incoming and outgoing calls of each type (SIP, H.323, IAX).
4. Click Save to store the new rule.

All VoIP calls to or from the specified class are blocked for the selected protocols and directions.

Configuration Management
PRX stores settings in configuration files which are automatically created whenever settings are changed in the web interface. The Configuration Management panel allows you to restore previous configurations. The Configuration Slots table shows a list of recent configurations and the date and time they were stored. Up to five configurations are automatically rotated in a round robin fashion. When a new configuration is stored, the oldest configuration in the list is removed.

Figure 53: Configuration Management

In addition to the five configuration backups, the running configuration appears in the list. This is the configuration PRX is currently using to manage traffic. When PRX settings are changed in the user interface, a temporary session configuration is updated in memory and a banner appears to call your attention to the unsaved changes.

Figure 54: Unsaved configuration changes

When you click the Apply link in the banner, a new entry is added to the Configuration Slots table. If all five slots are currently in use, your session configuration replaces the running configuration and the running configuration is copied to the last slot. You can click Discard at any time to revert to the previously stored configuration.

Important: If you are logged out automatically after 30 minutes of inactivity, any uncommitted changes will be lost.

If another user applies configuration changes while you are editing a configuration, a similar banner appears.

Figure 55: Newer configuration available

When you click the Update link in the banner, your session configuration is updated to reflect the revised configuration. If you select Ignore and later apply your changes, your session configuration will overwrite the other user's changes.

The edit link in the Configuration Slots table loads a configuration backup from the list into your temporary session configuration, allowing you to adjust the settings in the configuration. To re-activate the configuration, click Apply in the banner prompt. This allows you to undo up to five previous configuration changes by selecting an entry from the list and re-applying the settings it contains.

Click the export link in the Actions column to save a configuration to your hard disk. You will be prompted to choose a location. The default file name is set to config.tar.gz, but you can rename the file as necessary (for example, if you want to store several prior configurations in the same folder).

Note: If you choose to rename the file, you should still use the .tar.gz extension to ensure that the gzip compressed archive can be properly extracted.

To import a previously saved configuration, click the Choose File button above the table and select a valid configuration file from your hard disk. Click the Import button to upload the configuration file to the PRX. PRX validates the uploaded configuration and prompts you to select which settings you want to import from the configuration file:

Password Database: restore the password for the admin user to get access to the user interface

Network Settings: all settings related to the management interface (IP, mask, gateway, DNS)

Traffic Management: networks, classes, profiles, rules, BitTorrent trackers and all settings related to accounting and logging

Select the settings you would like to update, and click Continue. An Import Summary describes the changes that will be applied on import. To activate the selected settings, click Import.


Statistics
The Statistics section provides detailed information on system and network activity. PRX Traffic Manager records statistics which are used to generate utilization graphs and tables, top-talker lists and complete protocol-specific user statistics.

To view statistics data, click Statistics in the top-level menu and select the desired category from the menu on the left. For each category, a series of tabs is available to display the statistics for different time periods, such as the last hour/day/week/month/year. These tabs are available in all sub-pages listed below.

These time periods are relative to the current time. For example, the Last day tab shows data for the past 24 hours, not only for yesterday. The Last week tab shows statistics for the past seven days, etc. Each chart is dynamically updated as new statistics data is received. To freeze the chart display, select the No chart refresh option.

Figure 56: Common Statistics tabs

Note: Statistics data can be reset in several different ways:

- You can reset protocol statistics for a specific category only or all protocol statistics at once. When you click the Reset button on a diagram, you will be prompted to choose whether you want to reset only the statistics for the current selection or Reset all statistics.
- To reset just the subscriber statistics but for all subscribers, use the Reset accounting data now button under Accounting on page 39.
- To reset the statistics for a single subscriber, navigate to the Statistics User Statistics category, click the subscriber ID and then the Reset button.

For more information on the data displayed for each of the statistics categories, see the topics below.

System Statistics
The System statistics section provides detailed information related to the operation of the system. PRX Traffic Manager records operational statistics which are used to generate utilization graphs and tables. To view system statistics data, click Statistics in the top-level menu and select the desired category from the System menu on the left. The table below shows the resolution at which the system statistics are maintained.

Table 3: System statistics resolution

Aggregation Level   Time Period   Resolution   Description
1                   1h            15 s         1 hour in 15-second averages
2                   1d            5m           1 day in 5-minute averages

For more information on the data displayed for each of the system statistics categories, see the topics below.

System Load
The System Load statistics show the average and maximum system load for all packet processing units. To view system load statistics, click Statistics in the top-level menu and select System Load from the System submenu on the left.

Figure 57: System Load statistics

Tip: These statistics provide key indicators of system performance and should be regularly monitored, considering the following points:

1. On a well-balanced system, the average and maximum system load values should be roughly in sync.
2. If the maximum load is significantly higher than the average load, this suggests that at least one processing unit is more loaded and that the system is not in balance.

Important: If either the maximum load or both average and maximum loads hit the 100% load threshold, there is a high risk that packets will be dropped.

Note: The System Load chart on the dashboard shows the average load per LPU and PPU.


L2 Throughput
The L2 Throughput statistics show the amount of Layer-2 data passing through the system aggregated over all physical links. To view Layer-2 throughput statistics, click Statistics in the top-level menu and select L2 Throughput from the System submenu on the left.

Figure 58: L2 Throughput statistics

The chart shows data for both inbound and outbound directions in bits per second (bps).

L2 Packet Throughput
The L2 Packet Throughput statistics show the number of packets passing through the system on Layer 2, aggregated over all physical links. To view Layer-2 packet throughput statistics, click Statistics in the top-level menu and select L2 Packet Throughput from the System submenu on the left.

Figure 59: L2 Packet Throughput statistics

The chart shows data for both inbound and outbound directions in packets per second (pps).

L2 Packet Size
The L2 Packet Size statistics show the average Layer-2 packet size aggregated over all physical links. To view Layer-2 packet size statistics, click Statistics in the top-level menu and select L2 Packet Size from the System submenu on the left.

Figure 60: L2 Packet Size statistics

The chart shows data for both inbound and outbound directions in bytes.

L2 Errors
The L2 Errors statistics show the number of Layer-2 errors aggregated over all physical links. To view Layer-2 error statistics, click Statistics in the top-level menu and select L2 Errors from the System submenu on the left. The chart shows data for both inbound and outbound directions in packets per second (pps).

TCP/UDP New Connection Rate


The TCP/UDP New Connection Rate statistics show the number of new TCP/UDP connections per second. To view flow rate statistics, click Statistics in the top-level menu and select TCP/UDP New Connection Rate from the System submenu on the left.


Figure 61: TCP/UDP New Connection Rate statistics

The chart shows data in connections per second (cps).

TCP/UDP Connection Tracking Utilization


The TCP/UDP Connection Tracking Utilization statistics show the average and maximum utilization of the connection tracking table over all packet processing units. To view connection tracking statistics, click Statistics in the top-level menu and select TCP/UDP Connection Tracking Utilization from the System submenu on the left.

Figure 62: TCP/UDP Connection Tracking Utilization statistics

Tip: These statistics provide key indicators of system performance and should be regularly monitored, considering the following points:

1. On a well-balanced system, the average and maximum utilization values should be roughly in sync.
2. If the maximum utilization is significantly higher than the average, this suggests that at least one processing unit is more heavily used and that the system is not in balance.


Important: If either the maximum utilization or both average and maximum utilization hit the 100% threshold, there is a high risk that the quality of the DPI classification will decrease significantly.

Subscriber Database Utilization


The Subscriber Database Utilization statistics show the average and maximum utilization of the subscriber database over all packet processing units. To view subscriber tracking statistics, click Statistics in the top-level menu and select Subscriber Database Utilization from the System submenu on the left.

Figure 63: Subscriber Database Utilization statistics

Tip: These statistics provide key indicators of system performance and should be regularly monitored, considering the following points:

1. On a well-balanced system, the average and maximum utilization values should be roughly in sync.
2. If the maximum utilization is significantly higher than the average, this suggests that at least one processing unit is more heavily used and that the system is not in balance.

Important: If either the maximum utilization or both average and maximum utilization hit the 100% threshold, there is a high risk that the quality of the DPI classification will decrease significantly.

Internal IP Host Tracking Utilization


The Internal IP Host Tracking Utilization statistics show the average and maximum utilization of the internal IP host tracking table over all packet processing units. This table keeps a record of all IP addresses that are known to be on the local (internal) monitored network. To view internal host tracking statistics, click Statistics in the top-level menu and select Internal IP Host Tracking Utilization from the System submenu on the left.


Figure 64: Internal IP Host Tracking Utilization statistics

Tip: These statistics provide key indicators of system performance and should be regularly monitored, considering the following points:

1. On a well-balanced system, the average and maximum utilization values should be roughly in sync.
2. If the maximum utilization is significantly higher than the average, this suggests that at least one processing unit is more heavily used and that the system is not in balance.

Important: If either the maximum utilization or both average and maximum utilization hit the 100% threshold, there is a high risk that the quality of the DPI classification will decrease significantly.

External IP Host Tracking Utilization


The External IP Host Tracking Utilization statistics show the average and maximum utilization of the external IP host tracking table over all packet processing units. This table keeps a record of all IP addresses that are known to be on the external network. To view external host tracking statistics, click Statistics in the top-level menu and select External IP Host Tracking Utilization from the System submenu on the left.


Figure 65: External IP Host Tracking Utilization statistics

Tip: These statistics provide key indicators of system performance and should be regularly monitored, considering the following points:

1. On a well-balanced system, the average and maximum utilization values should be roughly in sync.
2. If the maximum utilization is significantly higher than the average, this suggests that at least one processing unit is more heavily used and that the system is not in balance.

Important: If either the maximum utilization or both average and maximum utilization hit the 100% threshold, there is a high risk that the quality of the DPI classification will decrease significantly.

Active Connections per Internal IP Host


The Active Connections per Internal IP Host statistics show the average number of active connections per internal IP address. To view connection statistics for each internal IP address, click Statistics in the top-level menu and select Active Connections per Internal IP Host from the System submenu on the left.

Figure 66: Active Connections per Internal IP Host statistics


DPI Engine Classification Ratio


The DPI Engine Classification Ratio statistics show the amount of DPI-classified traffic compared to the total traffic volume aggregated over all physical links. To view statistics on the ratio of classified traffic to the total traffic volume, click Statistics in the top-level menu and select DPI Engine Classification Ratio from the System submenu on the left.

Figure 67: DPI Engine Classification Ratio statistics

Temperature Sensors
The Temperature Sensors statistics show the temperature readings available for the system. To view temperature statistics, click Statistics in the top-level menu and select Temperature Sensors from the System submenu on the left.

Figure 68: Temperature Sensors statistics

Note: Temperature sensors are not supported on all systems.


DPI Application Statistics


The application-specific statistics sections provide detailed information on network activity for each application and protocol group recognized by the DPI engine. PRX Traffic Manager records statistics which are used to generate utilization graphs and tables, top-talker lists and complete protocol-specific user statistics. To view application statistics data, click Statistics in the top-level menu and select the desired application group from the menu on the left. The table below shows the resolution at which the application statistics are maintained.

Table 4: Application statistics resolution

Aggregation Level | Time Period | Resolution | Description
1 | 1d | 60 s | One day of data in one-minute averages
2 | 1w | 600 s | One week of data in ten-minute averages
3 | 1M | 1d | One month of data in one-day averages
4 | 1y | 1d | One year of data in one-day averages

For more information on the data displayed for each application and protocol group, see the topics below.

Link Statistics
The Link statistics section provides detailed information on network activity on each link. For each configured link, three graphs display the data rate for all available protocol groups, unlicensed and unclassified traffic for the different time periods: one for upstream traffic, one for downstream and one for both combined. To view statistics data for a link, click Statistics in the top-level menu and select the desired link from the Link submenu on the left.

Figure 69: Link statistics


Note: Link statistics aggregate protocols by group, with separate charts for each direction. For details on the total amount of transferred data for each protocol, see Application Statistics per Application Group on page 75 and Protocol Statistics by Transferred Volume on page 80.

Class Statistics
The statistics for Classes display data on the traffic in each class. Like the Link Statistics on page 74, this page shows the same data rate graphs for each class by link.

Figure 70: Class statistics (Link 2)

Note: Class statistics aggregate protocols by group, with separate charts for each direction. For details on the total amount of transferred data for each protocol, see Application Statistics per Application Group on page 75 and Protocol Statistics by Transferred Volume on page 80.

Application Statistics per Application Group


Detailed statistics are available for each application and protocol group recognized by the DPI engine. To view application statistics data, click Statistics in the top-level menu and select the desired application group from the menu on the left. A chart appears with data lines plotted for each protocol in the group. You can toggle the display of each protocol in the diagram by clicking the colored square in the legend at the bottom of the chart.

Note: While the application group statistics provide details on the amount of transferred data for each protocol, the data is shown as the sum of inbound and outbound traffic. For a breakdown of the amount of sent and received data in each protocol group, see Link Statistics on page 74 and Class Statistics on page 75.


Standard protocols
This page shows the up- and downstream data rate graphs for all supported standard protocols individually and combined.

Figure 71: Standard protocol statistics

Peer-to-Peer protocols
This page shows the up- and downstream data rate graphs for all supported peer-to-peer (P2P) protocols individually and combined. For BitTorrent, the graph distinguishes between classified BitTorrent, which comprises all traffic handled by the whitelist (as defined under BitTorrent Trackers), and BitTorrent, which includes all unclassified BitTorrent traffic (for which no whitelist entry has been defined).

Instant Messaging protocols
This page shows the up- and downstream data rate graphs for all supported instant messaging (IM) protocols individually and combined.

Figure 72: Instant Messaging protocol statistics

Streaming protocols
This page shows the up- and downstream data rate graphs for all supported streaming protocols individually and combined.


Figure 73: Streaming protocol statistics

Tunnel protocols
This page shows the up- and downstream data rate graphs for all supported tunnel protocols individually and combined.

Figure 74: Tunnel protocol statistics

Voice over IP protocols
This page shows the up- and downstream data rate graphs for all supported voice over IP (VoIP) protocols individually and combined.


Figure 75: Voice over IP protocol statistics

Gaming protocols
This page shows the up- and downstream data rate graphs for all supported gaming protocols individually and combined.

Custom Defined Protocols
For each configured custom protocol, graphs display the overall throughput for the different time periods.

Application-Specific Statistics
The application-specific statistics sections provide detailed information particular to each application (such as top downloads, etc.).

BitTorrent Downloads
This page shows the top talkers for the three types of BitTorrent traffic, as described in the Settings menu under BitTorrent Tracker on page 54.

Figure 76: BitTorrent download statistics


Click Show complete top-100 for the full list of torrents, Show unknown top-100 to see the trackers that are not specified in the whitelist, or Show positive top-100 to view information on the whitelisted trackers. Each tracker can be added directly to the whitelist by clicking the Add link in the Action column of the table or removed from the whitelist via Delete.

Note: Clicking Delete only removes the tracker URL from the whitelist. It will still appear in the Statistics list until the PRX is restarted.

You can export the complete table as a gzip-compressed file by clicking Download bt hashes. Save it to your hard drive, unpack it and open it in a spreadsheet application for further processing. The data is stored in comma-separated value format (.csv). To access the Round Robin Database with the full statistics data, click Download rrd database.

eDonkey Downloads
The table shows the top talkers for eDonkey traffic. As with BitTorrent data, you can export the contents of the table by clicking Download edk hashes.

Subscriber Statistics by Transferred Volume


The Subscriber Statistics table lists the subscriber IDs of the 20 top talkers with their inbound and outbound traffic combined and separately (requires the Reporting license option). Click on a subscriber ID to show the complete traffic of this user listed by protocol. You can download the complete user/subscriber statistics including all active users by clicking the user_statistics.csv.gz link on top of the page. Save the file to your hard drive, unpack it and open it in a spreadsheet application for further processing. The data is stored in comma-separated value format (.csv).


Figure 77: Subscriber statistics

Protocol Statistics by Transferred Volume


The Protocol Statistics table lists the amount of traffic for each DPI protocol and application. This page shows the aggregated data volume statistics for the complete link, distinguished by inbound and outbound traffic and both combined, for the last minute, day, week, month and year.


Figure 78: Protocol Statistics


IP Host Statistics
The Active Hosts table provides realtime host statistics including information on current, average and peak throughput and the number of connections that are currently active.

Figure 79: List of Active Hosts

The following information is available in the host view table:

Table 5: Active Hosts list columns

Column | Description
Hostname | The IP address of the host.
Current Bandwidth Utilization | The current throughput or bandwidth used by the host. The throughput is maintained continuously. The value represents the throughput of the host at the time the request was made.
Average Bandwidth Utilization | The one-minute moving average throughput or bandwidth used by this host. Compared to the current utilization value, the average utilization represents a more realistic view of a host's throughput, as peaks and bursts are smoothed over an interval of one minute.
Peak Bandwidth Utilization | The peak bandwidth utilization for this host since the host became active.
Transmitted Bytes | The number of bytes transmitted by this host. This information is used for the Top Talker view.
Received Bytes | The number of bytes received by this host. This information is used for the Top Listener view.
Number of Active Conversations | The number of active conversations for this host. The value is maintained continuously and represents the number of active conversations at the time the request was made.
Number of Active Client Conversations | The number of active conversations with the host acting as the source. Similar to the number of active conversations, the value is maintained continuously and represents the number of active client conversations at the time the request was made.
Number of Active Server Conversations | The number of active conversations with the host acting as the destination. Similar to the number of active conversations, the value is maintained continuously and represents the number of active server conversations at the time the request was made.

When first displayed, the list is sorted by bandwidth utilization. To change the sorting criteria, select an option from the list and click Refresh.

Figure 80: Active Hosts list sorting method

The following sort criteria are available, each is shown in descending order:
- Current Bandwidth Utilization
- Average Bandwidth Utilization
- Peak Bandwidth Utilization
- Transmitted Bytes (Top Talker)
- Received Bytes (Top Listener)
- Active Conversations
- Active Server Conversations
- Active Client Conversations

Conversation View
Click a host's IP address to show the Top Conversations in chronological order.


Figure 81: Active Hosts list sorting method

The following information is available in the Top Conversations table:

Table 6: Top Conversations list columns

Column | Description
Source Host | The IP address of the source host.
Source Port | The TCP port on the source host from which the conversation originated.
Destination Host | The IP address of the destination host.
Destination Port | The TCP port on the destination host to which the conversation was made.
Direction | Whether it is an inbound or outbound conversation related to the PRX Traffic Manager.
L4 Protocol | The Layer 4 protocol.
L7 Protocol | The Layer 7 protocol or application as detected by PACE.

Reboot / Power Off


The commands available via the power button allow you to restart or shut down the computer, or log out of the web interface. To end your session in the web interface, click the red power button on the right side of the top-level menu. A dialog appears with the following options:

Reboot: Restart PRX Traffic Manager.
Power Off: Shut down the computer.
Cancel: Return to the web interface.
Log Off: When you are done using the web interface, you can log out of your user account to prevent unauthorized access to PRX settings. After logging out, you can log in as a different user or close the browser window. The PRX application will continue running in the background.

Note: Only a regular shutdown guarantees that all statistics are retained. A power failure or cold reboot causes a loss of all statistics of the current day starting from midnight (00:00). All previous data are stored in non-volatile memory.

Help
Click Help to show the online version of this document.

Chapter 3: Configuration Examples

Topics: LAN Bandwidth Settings, Profiles, Traffic Management, Subscriber Management

The sections in this chapter provide examples for various common configuration scenarios.

Note: For additional configuration instructions, refer to Configuring PRX Traffic Manager.


LAN Bandwidth Settings


This example shows how to use PRX Traffic Manager to determine and manage network bandwidth.

Example 1
If you do not know whether the provider's uplink value is gross or net, or if you do not know the exact value for the net bandwidth, assign a value of about 10 percent less than your uplink bandwidth and increase it in steps to find the best setting. Assume your Internet connection is a leased line with 34 Mbit/s. The traffic manager is attached to the Internet router via a Fast Ethernet (100 Mbit/s) connection. Enter 30 Mbit/s as your maximum LAN bandwidth. This ensures that PRX Traffic Manager takes control over the bandwidth, and not another device in the uplink chain that may drop packets, for instance because of Random Early Detection.

Profiles
These examples illustrate the use of profiles to schedule the activation of rule sets.

Example 1
Assume your network is heavily utilized during a certain time of day. You would like to throttle P2P downloads at that time to improve the network performance for your essential applications. Monitoring the P2P traffic reveals that, after 6 p.m., its share relative to the link utilization is rising sharply. From the Settings menu, go to Profiles on page 42 and create two new profiles, named unlimited and limit P2P. Enter one line in the scheduler to enable the limit P2P profile daily at 6 p.m. Add a second line to activate the unlimited profile daily at 8 a.m., for example. Remember to click the Change button to commit the scheduler settings. Now go to Settings > Traffic Management, create a new rule, select the profile limit P2P and add rules to throttle P2P usage according to your requirements.

The scheduler will automatically activate the profiles at the configured times. The rules in the profile will be applied to traffic until the profile is deactivated (either by hand, or when the scheduler activates another profile).

Example 2
Assume you would like to limit P2P usage on weekends. Starting from the previous example, go to Profiles on page 42 and select Mon-Fri for the unlimited profile in the scheduler. For limit P2P, select Sat-Sun. Click Change to confirm the new settings.


Traffic Management
These examples provide settings to handle oversubscription, specify volume limits for P2P traffic, and prioritize traffic.

Example 1: Oversubscription
Assume a link bandwidth of 100 Mbit/s. If you assign a subscriber-based rule of 1 Mbit/s upload/download limit for a class with 1,000 users, you oversubscribe by a factor of 10. If the link is congested and demand by all users is equal, each user will get average data rates of 0.1 Mbit/s instead of 1 Mbit/s. This is similar to a competition situation in an unmanaged link.

Example 2: Tiered Volume P2P Service

Requirement: All P2P users shall get unlimited download speed for the first 1 Gbyte of transferred data, a data rate limit for the next 1 Gbyte, and all P2P traffic exceeding 2 Gbytes of data volume should be blocked.

Solution: Set up the following two rules:
1. A bandwidth limitation rule for the appropriate class and profile (if applicable) for all P2P protocols, 100 kbit/s for up- and download and a volume of 1000 Mbytes
2. A bandwidth limitation rule for the appropriate class and profile (if applicable) for all P2P protocols, 0 kbit/s for up- and download and a volume of 2000 Mbytes
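The two rules above, modelled as an added example (not code from this guide or from ipoque): it returns the rate limit that applies at a given transferred volume and how long a subscriber transferring at full speed takes to reach the blocking tier. It assumes decimal units and that a rule takes effect once the transferred P2P volume reaches its volume value; the 10 Mbit/s access rate in the sample call is constructed.

```python
# Added illustration of the tiered-volume rules; not PRX code.
# Assumptions: 1 Mbyte = 10**6 bytes, 1 kbit/s = 1000 bit/s, and a rule takes
# effect once the subscriber's transferred P2P volume reaches its volume value.

KBIT_PER_MBYTE = 8_000

# (rate limit in kbit/s, volume threshold in Mbytes), as given in the example.
TIER_RULES = [
    (100, 1000),  # rule 1: throttle after the first 1000 Mbytes
    (0, 2000),    # rule 2: block after 2000 Mbytes
]


def effective_limit(transferred_mb, rules=TIER_RULES):
    """Return the limit in kbit/s at this volume, or None while unlimited."""
    limit = None
    for rate_kbit, volume_mb in sorted(rules, key=lambda r: r[1]):
        if transferred_mb >= volume_mb:
            limit = rate_kbit
    return limit


def seconds_until_blocked(access_rate_kbit, rules=TIER_RULES):
    """Seconds a subscriber transferring flat out needs to reach a 0 kbit/s tier.

    Returns None if the rules never block or the access rate is not positive.
    """
    if access_rate_kbit <= 0:
        return None
    elapsed = 0.0
    position_mb = 0
    rate_kbit = access_rate_kbit  # no rule applies before the first threshold
    for limit_kbit, volume_mb in sorted(rules, key=lambda r: r[1]):
        elapsed += (volume_mb - position_mb) * KBIT_PER_MBYTE / rate_kbit
        position_mb = volume_mb
        rate_kbit = min(access_rate_kbit, limit_kbit)
        if rate_kbit == 0:
            return elapsed
    return None


def tier_report(access_rate_kbit, sample_volumes_mb, rules=TIER_RULES):
    """Limit at each sample volume plus the hours until P2P is blocked."""
    blocked_after = seconds_until_blocked(access_rate_kbit, rules)
    return {
        "limits": {mb: effective_limit(mb, rules) for mb in sample_volumes_mb},
        "hours_until_blocked": (
            None if blocked_after is None else round(blocked_after / 3600, 2)
        ),
    }


if __name__ == "__main__":
    # Constructed subscriber: 10 Mbit/s access line, volumes around each threshold.
    print(tier_report(10_000, [500, 1000, 1999, 2000]))
```

Almost all of the time before the block is spent in the throttled tier: the first 1000 Mbytes take 800 seconds at 10 Mbit/s, the second 1000 Mbytes take 80,000 seconds at 100 kbit/s.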

Example 3: Prioritization

Requirement: Your upstream bandwidth is 100 Mbit/s. You would like to handle P2P traffic with lowest priority so that it is discarded first in case of congestion. However, to provide your customers with a good quality of experience even at such time periods, there should be a small guaranteed bandwidth (e.g. 5% of the link capacity) at any time to ensure P2P is always working, only with a lower data rate. Furthermore, P2P should never get more than 50% of the total bandwidth.

Solution: Set up the following three rules:
1. A bandwidth prioritization rule for the appropriate class and profile (if applicable) for all P2P protocols, assign the priority very low and up- and download data rates of 100 Mbit/s
2. A bandwidth prioritization rule for the appropriate class and profile (if applicable) for all P2P protocols, assign priority high and up- and download data rates of 5 Mbit/s (the guaranteed bandwidth)
3. A bandwidth limitation rule for the appropriate class and profile (if applicable) for all P2P protocols, assign 50 Mbit/s for up- and download data rates
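How the three rules interact under different load, as an added example (not code from this guide or from ipoque). It models the stated requirement with strict priority scheduling and places all other traffic at a priority between high and very low; both are assumptions, and the load scenarios are constructed.

```python
# Added illustration of the prioritization example; not PRX code.
# Assumptions: strict priority scheduling (each level is served completely
# before the next lower one) and all non-P2P traffic at a priority between
# "high" and "very low". All rates are in Mbit/s.

LINK = 100           # upstream bandwidth in the example
P2P_GUARANTEED = 5   # rule 2: priority high, 5 Mbit/s
P2P_LOW_RATE = 100   # rule 1: priority very low, 100 Mbit/s
P2P_CEILING = 50     # rule 3: limitation rule, 50 Mbit/s


def allocate(p2p_demand, other_demand):
    """Return the rates P2P and all other traffic obtain for the given demand."""
    p2p_admitted = min(p2p_demand, P2P_CEILING)          # rule 3 caps P2P overall
    p2p_high = min(p2p_admitted, P2P_GUARANTEED, LINK)   # rule 2 is served first
    other = min(other_demand, LINK - p2p_high)           # then everything else
    p2p_low = min(p2p_admitted - p2p_high,               # rule 1 gets what is left
                  P2P_LOW_RATE,
                  LINK - p2p_high - other)
    return {"p2p": p2p_high + p2p_low, "other": other}


# Constructed load scenarios: (label, P2P demand, demand of all other traffic).
SCENARIOS = [
    ("idle link", 80, 20),
    ("partial congestion", 80, 70),
    ("full congestion", 80, 100),
    ("little P2P", 3, 100),
]


def run_scenarios(scenarios=SCENARIOS):
    """Allocation for every scenario, keyed by its label."""
    return {label: allocate(p2p, other) for label, p2p, other in scenarios}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:20s} P2P {result['p2p']:3d}  other {result['other']:3d}")
```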


Subscriber Management
This example shows how to define a common set of rules for all subscribers, with several exceptions for certain users.

Example 1
You have a subnet where all the subscribers receive their addresses via DHCP. By default, you want to put all the subscribers into a common class with special traffic rules, for example to block all traffic except HTML and POP. Later on, you want to treat certain users in this network with different rules that additionally allow FTP and Skype, depending on the ID.

1. Create the appropriate network (Settings > Networks > Add a new network).
2. Select dhcp as type and provide the appropriate IP, mask and a name.
3. Create two classes of type network/users named privileged and restricted (via Settings > Classes > add a new class).
4. Go back to Networks and click the network name and the classes tab.
5. Here you see all associated classes; click associate with another class to associate this network to the restricted class.

As a result, all subscribers with a DHCP request will be put into the restricted class by default. You can verify this in Subscriber Management when you select the restricted class to search through.

To move a subset of these users to the privileged class, perform the following steps for each subscriber:

6. Click the subscriber ID you want to move.
7. Click the associated classes tab, then associate with another class and select the privileged class.

Note: Because the ipoque class model allows a subscriber to be a member of several classes simultaneously, you must subsequently exclude this subscriber from the restricted class. Otherwise, all rules linked to both classes will apply and the most restrictive class will take precedence.

8. Click the exclude link in the action column of the restricted class.

Note: To remove individual subscribers from classes that are associated with an entire subnet, use the exclude action. To remove subscribers that have been explicitly included, use remove.

Now the subscriber is excluded from the restricted class and added to the privileged class. Only the rules for the privileged class will apply.

To change the class associations for a long list of subscribers all at once, there is another way:

9. Under Subscriber Management, click the manage class associations link.
10. Select the restricted class, and provide a list of subscribers in the corresponding field, each on a new line.
11. Select the exclude action and click Save.
12. Select the privileged class, provide the same list of subscribers in the list of users field.
13. Select the add action and click Save.
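A model of the class associations used in this procedure, as an added example (not code from this guide or from ipoque): it replays the bulk exclude and add steps and reports subscribers that ended up in both classes or in neither, which happens when the two pasted lists differ. The exclude and add semantics follow the notes above; the container class, the network name and the subscriber IDs are constructed.

```python
# Added illustration of the class association model; not PRX code.
# Assumptions: "exclude" only cancels membership inherited from a network,
# "add" creates an explicit membership, and the network name and subscriber
# IDs below are constructed.

from dataclasses import dataclass, field


@dataclass
class ClassAssociations:
    network_classes: dict = field(default_factory=dict)  # network -> {class, ...}
    added: dict = field(default_factory=dict)            # class -> {subscriber, ...}
    excluded: dict = field(default_factory=dict)         # class -> {subscriber, ...}

    def associate_network(self, network, class_name):
        """Steps 4-5: every subscriber of the network inherits the class."""
        self.network_classes.setdefault(network, set()).add(class_name)

    def manage(self, class_name, action, subscriber_list):
        """Steps 9-13: one subscriber ID per line, then the add or exclude action."""
        ids = {line.strip() for line in subscriber_list.splitlines() if line.strip()}
        if action == "add":
            self.added.setdefault(class_name, set()).update(ids)
        elif action == "exclude":
            self.excluded.setdefault(class_name, set()).update(ids)
        else:
            raise ValueError(f"unsupported action: {action}")

    def classes_of(self, subscriber, network):
        """Inherited classes minus exclusions, plus explicit memberships."""
        inherited = {
            name for name in self.network_classes.get(network, set())
            if subscriber not in self.excluded.get(name, set())
        }
        explicit = {name for name, ids in self.added.items() if subscriber in ids}
        return inherited | explicit


def audit(model, network, subscribers, default_class, exception_class):
    """Find subscribers the two-step bulk change left in an unintended state."""
    findings = {"both_classes": [], "no_class": []}
    for subscriber in sorted(subscribers):
        classes = model.classes_of(subscriber, network)
        if {default_class, exception_class} <= classes:
            findings["both_classes"].append(subscriber)  # restrictive rules still win
        elif not classes:
            findings["no_class"].append(subscriber)      # in neither class
    return findings


def demo():
    model = ClassAssociations()
    model.associate_network("dhcp-pool", "restricted")
    # Constructed input: the two pasted lists differ by one entry each.
    model.manage("restricted", "exclude", "sub-1001\nsub-1002\n")
    model.manage("privileged", "add", "sub-1001\nsub-1003\n")
    everyone = ["sub-1001", "sub-1002", "sub-1003", "sub-1004"]
    return model, audit(model, "dhcp-pool", everyone, "restricted", "privileged")


if __name__ == "__main__":
    print(demo()[1])
```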

Chapter 4: Troubleshooting

Topics: Troubleshooting via the Serial Console, Hardware Bypass, Known Issues, Customer Portal

The sections in this chapter offer solutions to common problems that may occur when using PRX Traffic Manager. In daily operation of the PRX, most configuration tasks are performed via the web interface described under User Interface Reference on page 17. Basic settings can also be performed via the Front Panel on page 18 and/or the serial console as described in the topics below.


Troubleshooting via the Serial Console


In addition to the web interface and the SSH-based command line interface (CLI), the PRX includes a serial port named Console that can be used to configure the system via a local serial connection. In case of a system failure, you can connect a serial cable to the Console port and to a workstation to reset the PRX to factory defaults. The serial console displays various log messages during the boot process. In case of hardware or software failure, kernel messages may also appear. This information can be useful in troubleshooting configuration errors. Once the PRX is running, you can log in via the serial console. The same functionality that is provided via the CLI is available from the serial console.

With the exception of the PRX-20, each PRX includes a serial connection cable in the delivery package. Depending on the PRX model, the package will include a cable with the appropriate connectors (either RJ-45 or DB-9). Connect the PRX with a management workstation via the serial cable and run a terminal application with the following settings:
- PRX-20, PRX-2G & PRX-5G: 9,600 baud, 8 bit, no parity, 1 stop bit (9600,8N1).
- PRX-1100: 19,200 baud, 8 bit, no parity, 1 stop bit (19200,8N1).

When you connect via the serial console, the PRX boot menu appears with the following options:

0: STANDARD BOOT
This option is the default setting, which is automatically activated after a three-second delay. You can interrupt the process by pressing the up or down arrow keys on the management workstation.

1: FAILSAFE BOOT (use this after a crashed update)
Use this option to recover the last running version if errors occur during a firmware update. Once this version is running, you can repeat the update process.

2: RESTORE DEFAULT SETTINGS (STATISTICS WILL REMAIN)
Restores the factory defaults but retains any existing statistics data. Use this option if your current configuration is not running properly or you want to start from scratch but keep any statistics that have been collected so far.

3: RESTORE DEFAULT SETTINGS AND DELETE STATISTICS
All settings and statistics data will be removed.

Note: If you select options 2 or 3, the PRX configuration and network settings of the management interface are reset to the factory default values. Option 2 allows you to reset the configuration, but still retain the statistics data the PRX has gathered so far.

Important: If you use option 1: FAILSAFE BOOT, you may need to restart the PRX twice, as the boot menu may change between the failsafe and the standard firmware versions. In this case, the PRX will display the boot menu after the first restart. Select 1: FAILSAFE BOOT again to start the PRX with the last running version of the firmware.

Hardware Bypass
The hardware bypass is automatically activated in case of a system failure to guarantee an uninterrupted network connection. On high-end PRX models such as PRX-1100 and the G-series, the built-in bypass switch for all copper interfaces maintains network connectivity when PRX is shut down, during firmware updates, in case of a system failure, or if a link is interrupted or deactivated in the Link Settings on page 32. The bypass is based on a watchdog timer. If hardware or software issues occur that interrupt the watchdog timer, the bypass is switched on automatically. The bypass mechanism electro-mechanically connects the INT/IN and EXT/OUT ports to ensure the network connection remains functional. When the bypass connects the two ports, it acts like a crossed UTP cable between the interfaces.

Important: When the bypass is activated, traffic monitoring and management features are unavailable.

Tip: Before using the PRX in a production environment, be sure to verify connectivity both when the link is active (bypass off) and when the link is deactivated (bypass on).

Note: The hardware bypass is available on rack-mount PRX systems for copper links. Bypass solutions for fiber links are available on request. Contact support@ipoque.com for more information.

Known Issues
This section describes open issues in PRX Traffic Manager that ipoque is aware of and provides guidelines on how to avoid problems. For the latest information on product updates and additional documents, refer to the Customer Portal on page 96.

Configuration Management
As described under Configuration Management on page 63, if another user applies configuration changes while you are editing a configuration, a banner appears.

Figure 82: Newer configuration available

When you click the Update link in the banner, your session configuration is updated to reflect the revised configuration. If you select Ignore and later apply your changes, your session configuration will overwrite the other user's changes.

Tip: If an "Error locking configuration" message appears, you may need to wait a moment until the other user's configuration changes are committed to the device.

Bandwidth Limit Rules
When defining limitation rules as described under Creating a Bandwidth Limit Rule on page 60, consider the following:

Important: If the PRX is operated between two networks that are connected to the internal and external interface of the device and both networks belong to the same class, any limitation rules should be assigned to the Link class, as the rule would otherwise be applied to the traffic twice, which would lead to undesirable results.

Custom Protocols
When defining host lists as described under Custom-Defined Protocols on page 44, do not add any URLs to the list. If a URL is included in a host list, the whole custom protocol will never match.

Customer Portal
Register with the ipoque Customer Portal to be notified whenever new firmware versions are released. Point your browser to http://portal.ipoque.com and request an account. Our support team will contact you as soon as possible and provide you with login details.

Tip: When you create your account, be sure to have either your six-digit PRX serial number or the device key at hand. The serial number is located on the back side of the device. The device key appears in the web interface under Settings > Basic Settings > License Upgrade.

PRX Traffic Manager User Guide 2010 ipoque | PRX 2.8.4 [2010-10-18] $Revision: 9485 $

Index | 97

Index
A
about ipoque 8 accounting 12, 39 accounting interval 40 activate link 32 Active Connections per Internal IP Host (system statistics) 72 active hosts statistics 82 add new network 48 add new phone book 52 advanced protocol detection 34 allocate bandwidth 13 application group statistics 75 application-specific statistics 78 apply 63 audience 5

D
dashboard 19 data rate of an interface 31 decapsulation 33 device key 25 device name 36 DHCP 15 discard 63 DPI Engine Classification Ratio (system statistics) 73 dynamic IP address networks 15

E
enable RADIUS 39 Ethernet interface settings 31 examples 88, 89, 90 LAN bandwidth settings 88 profiles 88 subscriber management 90 traffic management 89 exceptions, protocol detection 33 expert settings 27, 28, 29 command line interface 27 LAN bandwidth 27 sliding token bucket 29 TCP FIN Handling 28 External IP Host Tracking Utilization (system statistics) 71

B
basic settings 23, 24, 25 firmware update 24 license upgrade 25 network settings 23 time settings 24 BitTorrent Tracker 54 block applications 12

C
changelog 6 changing 18 language setting 18 password 18 class statistics 75 classes 49, 51, 52, 57 adding 51 assigning subnets to 57 assigning subscribers to 57 deleting 52 renaming 52 classified traffic, See DPI Engine Classification Ratio (system statistics) CLI 27 command line interface 27 configuration 18, 94 front panel 18 serial console 94 configuration management 63 Connection Tracking, See TCP/UDP Connection Tracking Utilization (system statistics) Connections per Internal Host, See Active Connections per Internal IP Host (system statistics) control voice calls 14 conventions 6 custom protocols 44

F
firmware update 24 fixed IP address networks 15 flow control 31 Flow Rate, See TCP/UDP New Connection Rate (system statistics) front panel 18

H
hardware bypass 94 help 85

I
interface settings 31 interface speed 31 Internal IP Host Tracking Utilization (system statistics) 70 ipoque 8

K
key concepts 9 known issues 95

PRX Traffic Manager User Guide 2010 ipoque | PRX 2.8.4 [2010-10-18] $Revision: 9485 $

98 | Index
RADIUS service 39 reboot 84 related resources 7 reporting 12 reporting and logging 35, 36 syslog 36 reporting center settings 36 reports 35 reset subscriber statistics 58 rule sets (profiles) 14

L
L2 Errors (system statistics) 68 L2 Packet Size (system statistics) 68 L2 Packet Throughput (system statistics) 67 L2 Throughput (system statistics) 67 LAN bandwidth settings 88 configuration examples 88 language setting, changing 18 license upgrade 25 license upgrade key, See upgrade key limit bandwidth 12 limit bandwidth rule 60 link settings 32 link statistics 74 Link-Layer Errors, See L2 Errors (system statistics) logging 11 logout 18

S
scheduler 14
Sensors, See Temperature Sensors (system statistics)
serial console 94
serial number 25
set date 24
settings 23, 24, 25, 27, 28, 29, 31, 32, 33, 34, 35, 36, 39, 40, 42, 48, 49, 51, 52, 54, 63
    accounting 39, 40
        accounting interval 40
    basic 23, 24, 25
        date and time 24
        firmware update 24
        license upgrade 25
        network settings 23
    bit torrent tracker 54
    classes 49, 51, 52
        adding 51
        deleting 52
        renaming 52
    configuration management 63
    expert 27, 28, 29
        command line interface 27
        LAN bandwidth 27
        sliding token bucket 29
        TCP FIN Handling 28
    interface 31
    link 32
    networks 48
    phone books 52
    profiles 42
    protocol detection 33
    protocol logging 34
    reporting and logging 35, 36
        reporting center 36
        reports 35
        syslog 36
    SNMP 31
sliding token bucket 29
SNMP 31
    read-only access 31
SSL web services 43
statistics 65, 74, 75, 78, 79, 80, 82
    active hosts 82
    application groups 75
    BitTorrent 78
    classes 75
    eDonkey 78
    link 74
    protocols 74, 80

M
MAC 15
    mapping to subscriber 15
manage class associations 57
manage subscribers 56
management console 17
memory configuration 29

N
network integration 11
network settings 23
network tap 11
networks 48
NTP server 24

P
Packet Rate, See L2 Packet Throughput (system statistics)
Packet Size, See L2 Packet Size (system statistics)
Pass TCP FIN Packets 28
password, changing 18
phone books 52
phone calls 62
    blocking 62
power off 84
prioritize applications 13
prioritize bandwidth rule 61
profile management 14
profiles 42, 88
    configuration examples 88
protocol detection 33, 34
    advanced 34
    exceptions 33
    tunnel decapsulation 33
protocol logging 34
protocol statistics 74, 80

R
RADIUS 15

statistics (continued)
    subscribers 79
    system 65
subnets 57
    associating with classes 57
subscriber 58
    reset statistics 58
subscriber accounting 12
Subscriber Database Utilization (system statistics) 70
subscriber management 14, 54, 56, 90
    configuration examples 90
subscriber statistics 79
Subscriber Tracking, See Subscriber Database Utilization (system statistics)
syslog 11
syslog settings 36
System Memory Utilization, See TCP/UDP Connection Tracking Utilization (system statistics)
system statistics 65, 66, 67, 68, 69, 70, 71, 72, 73
    Active Connections per Internal IP Host 72
    DPI Engine Classification Ratio 73
    External IP Host Tracking Utilization 71
    Internal IP Host Tracking Utilization 70
    L2 Errors 68
    L2 Packet Size 68
    L2 Packet Throughput 67
    L2 Throughput 67
    Subscriber Database Utilization 70
    System Load 66
    TCP/UDP Connection Tracking Utilization 69
    TCP/UDP New Connection Rate 68
    Temperature Sensors 73

T
TCP FIN Handling 28
TCP/UDP Connection Tracking Utilization (system statistics) 69
TCP/UDP New Connection Rate (system statistics) 68
Temperature Sensors (system statistics) 73
Throughput, See L2 Throughput (system statistics)
time settings 24
time zone 24
token bucket 29
traffic analysis 11
traffic management 12, 58, 60, 61, 89
    configuration examples 89
    new limitation rule 60
    new prioritization rule 61
troubleshooting 93
tunnel decapsulation 33

U
uncommitted changes 63
upgrade key 25
user guide 5
    contents 5
user interface 17
user preferences 18

V
VoIP calls 14
    blocking 14

W
web interface 17
