Monday, August 31, 2009

How to install SCABB snmp real time monitoring (SNMP RTM)

If you have installed SCABB (Service Control Application Broadband) or read the SCABB end user guide, you will be familiar with this topic. SNMP RTM is a tool for network admins to monitor their network using SNMP in real time. Following the Cisco guide, the SNMP tools used are MRTG (Multi Router Traffic Grapher) and RRDtool (Round Robin Database tool). MRTG collects the SNMP data from the SCE and generates HTML pages; RRDtool stores the data in a round robin database and generates the graphs. In my lab environment I'm using my desktop with Windows XP, SCABB v3.1.6 and an SCE 2020.

How it works:

These are the components that will be used to install SNMP RTM:
1. MRTG-2.1.5 - download from mrtg.org
2. rrdtool-1.2.15 - download from rrdtool.org
3. Active Perl 5.8 - search google.com and download
4. Apache2 - download from apache.org
5. sca_bb v3.1.6 - download from cisco.com
6. sca_bb utility - extracted from sca_bb v3.1.6
7. scabb_rtm_templates_v3.0.5A_b05 - download from cisco.com
8. firedaemon - search google.com and download
9. Java (JRE) 1.4.2 - download from java.sun.com


- MRTG collects the SNMP data
- RRDtool stores the data
- ActivePerl runs MRTG
- Apache runs the web server and the CGI
- SCABB v3.1.6 provides the SCABB utility
- the SCABB utility generates the MRTG cfg files
- the SCABB RTM templates are used to generate the cfg files, based on the template and the SCE configuration
- firedaemon runs the scheduler
- Java is needed to run the SCABB utility


Getting started:

1. Install MRTG, Perl and RRDtool in C:\
2. Install the Apache web server in C:\Program Files
3. Install firedaemon
4. Install Java
5. Extract SCABB v3.1.6, then extract the SCABB utility (bin & lib) to C:\
6. Extract the SCABB RTM templates to C:\bin\
7. Create the directory rtm-output in C:\bin\
8. Edit the rtmcmd.cfg file:


#The absolute path to the RRD tool's execution files folder
#Use '\\' or '/' as path separator
rrdtool_bin_dir=C:/rrdtool-1.2.15/rrdtool/Release

#The absolute path where RTM files will be placed.
#This path will be used by MRTG to create and update the RRD files
#Note: path must not contain white spaces!
rtm_dir=C:/PROGRA~1/APACHE~1/Apache2.2/htdocs

#The absolute path to the MRTG bin folder.
#This path will be used to create file crontab.txt
mrtg_bin_dir=C:/mrtg-2.14.5/bin

#The SCE's community string
snmpCommunityString=public
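As an added check (not part of the original post or of Cisco's rtmcmd tool), a small Python script that validates an rtmcmd.cfg like the one above: required keys, the no-whitespace rule for rtm_dir, duplicate keys, and a community string still left at the SNMP default. The sample file is constructed to mirror the one shown here.

```python
# Added example (not from the post or Cisco's tooling): a checker for the
# rtmcmd.cfg key=value file. It enforces the constraints the post mentions
# (required keys, no whitespace in rtm_dir), flags duplicate keys, and warns
# when the SNMP community string is still the well-known default "public".
import re

REQUIRED_KEYS = ("rrdtool_bin_dir", "rtm_dir", "mrtg_bin_dir", "snmpCommunityString")

# Constructed sample mirroring the post's file, including a duplicated key.
SAMPLE_CFG = """\
#The absolute path to the RRD tool's execution files folder
rrdtool_bin_dir=C:/rrdtool-1.2.15/rrdtool/Release
#Note: path must not contain white spaces!
rtm_dir=C:/PROGRA~1/APACHE~1/Apache2.2/htdocs
mrtg_bin_dir=C:/mrtg-2.14.5/bin
snmpCommunityString=public
rrdtool_bin_dir=C:/rrdtool-1.2.15/rrdtool/Release
"""

def parse_rtmcmd_cfg(text):
    """Return (values, findings); comment and blank lines are skipped."""
    values, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(f"line {lineno}: not a key=value pair: {line!r}")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in values:
            findings.append(f"line {lineno}: duplicate key {key!r}")
        values[key] = value
    return values, findings

def check_rtmcmd_cfg(text):
    """Apply the post's constraints plus a default-community check; return findings."""
    values, findings = parse_rtmcmd_cfg(text)
    for key in REQUIRED_KEYS:
        if key not in values:
            findings.append(f"missing required key {key!r}")
    rtm_dir = values.get("rtm_dir", "")
    if re.search(r"\s", rtm_dir):
        findings.append("rtm_dir contains whitespace; use the 8.3 short path (e.g. PROGRA~1)")
    if values.get("snmpCommunityString", "").lower() in ("", "public", "private"):
        findings.append("snmpCommunityString is a well-known default; configure a unique read-only community on the SCE and here")
    return findings
```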

9. Open a command prompt and run: rtmcmd -S "ip_sce1;ipsce2" -U xxxxx -P xxxxx --pqb-sce=ip_sce1 --source-dir=/templates --dest-dir=/rtm-output -c ./rtmcmd.cfg

C:\bin\rtmcmd -S "ip_sce1;ipsce2" -U xxxxx -P xxxxx --pqb-sce=ip_sce1 --source-dir=/templates --dest-dir=/rtm-output -c ./rtmcmd.cfg
connecting to ip_sce1 ... done
retrieving service configuration from SCE ... done
disconnecting from device ... done
loading user configuration from file 'rtmcmd.cfg' ... done
processing templates from '\templates' to '\rtm-output' ... done
C:\bin>

10. Check the rtm-output directory:

C:\bin\rtm-output>dir
Volume in drive C has no label.
Volume Serial Number is C4C2-8BAA

Directory of C:\bin\rtm-output

08/31/2009 08:16 AM dir .
08/31/2009 08:16 AM dir ..
08/31/2009 10:30 AM 43 .htaccess
08/31/2009 10:30 AM 386 crontab-unix.txt
08/31/2009 10:30 AM 310 crontab-windows.txt
08/31/2009 08:16 AM dir mrtg-cfg
08/31/2009 08:16 AM dir sce_202.155.50.75
08/31/2009 08:16 AM dir sce_202.155.50.77
08/31/2009 08:16 AM dir static

11. Copy all files to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
12. Edit the Apache httpd configuration file and add this text:


Options Indexes FollowSymLinks ExecCGI
AllowOverride Indexes
Order allow,deny
Allow from all


13. Test MRTG and the MRTG cfg file with this command:

C:\Perl\bin>perl.exe c:\mrtg-2.14.5\bin\mrtg "c:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce1_scabb_mrtg.cfg"

If no errors appear, check the working directory: a lot of RRD files will have been generated.

14. Open firedaemon and add a new service definition:

Shortname : sce1
Executable : C:\Perl\bin\wperl.exe
Working Dir : C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\sce_ip_sce1
Parameters : C:\mrtg-2.14.5\bin\mrtg "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce1_scabb_mrtg.cfg"

Start service sce1

Shortname : sce2
Executable : C:\Perl\bin\wperl.exe
Working Dir : C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\sce_ip_sce2
Parameters : C:\mrtg-2.14.5\bin\mrtg "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\mrtg-cfg\ip_sce2_scabb_mrtg.cfg"

Start service sce2



15. Open a web browser and type:

http://localhost/sce_ip_sce1/
http://localhost/sce_ip_sce2/

Finally you will see the following display in your browser:

Reference: http://www.cisco.com/en/US/products/ps61/products_user_guide_book09186a0080843872.html

Friday, August 14, 2009

Update protocol pack and signature using SCABB / SCE

Using the Cisco SCE we can manage traffic per application, based on the protocols supported by the SCE software. In my lab I use an SCE 2020 with software 3.1.6. My goal is to control or even block subscriber traffic to bandwidth-consuming applications such as peer to peer, Flash YouTube, Flash Yahoo, Google Video, HTTP download, etc.

First I applied the streaming service to the package and made some rules to control it, then I mapped the subscriber to that package using the SM. Somehow the rules were not working: the user could still access Google Video, Flash YouTube, etc. Then I checked the reporting in SCABB, and the user traffic was classified as browsing. I was thinking that the SCE could not detect those protocols as the Flash protocol defined in its service configuration. I checked the Cisco website and found that I had to upgrade the protocol pack of the existing software. This is because new protocols keep appearing on the internet, so the SCE must keep improving its ability to detect and classify new protocols and signatures. The newest protocol pack is SCA BB Protocol Pack #17; it resolves some caveats of the previous protocol pack, such as misclassified protocols, e.g. Yahoo login and Flash.

These are the newly supported protocols:
• Flash YouTube HD
• Flash YouTube Normal
• Yahoo General Login
• Sky Player - (Supported by 3.5.0 only)


and here is the guide:

1. Download the SPQI at cisco.com
2. Extract the SPQI file from the 3.1.6 Protocol Pack #17 ZIP package
3. Install the protocol pack using SCABB: right click on the SCE in the Network Navigator menu.
4. Extract the script.txt file from the 3.1.6 Protocol Pack #17 ZIP package and upload to the SCE platform using FTP.


SCE2020#copy-passive ftp://user:pass@ip-address/script.txt script.txt

5. Open a CLI session on the SCE platform and navigate to the directory where script.txt was uploaded. As the admin user, run the script with script run script.txt.

SCE2020-2#>script run script.txt


configure
interface LineCard 0

lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Deluge*" value 9
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "TVUPlayer*" value 24
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "PIPIPlayer" value 25
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "NateOn*" value 26
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "ed2k" value 6

lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*.babelgum.com" value 7
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*.vuze.com" value 8
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:channel2.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "co*:*.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:mb.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:pages.tvunetworks.com" value 10
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*mail.google.com" value 11
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*skype.com" value 12
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*joost.com" value 13
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*googlevideo.com" value 1

lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key /videoplayback*:* value 2
lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key *:*.hash value 7

lookup GT_LUT_DestPortBasedProtocolsPostMultipleSig overwrite-key "0.6.0.22:0xffffffff" value 16777216

lookup GT_LUT_HTTP_SPLIT_INITIATEE_BASED_PROTOCOLS_Server overwrite-key "AIM*:*" value 7

tunable GT_PL_USE_OLD_BEHAVIORAL_DOWNLOAD value false
tunable PL_AGING_RTMP value 3000
tunable GT_PL_SKYPE_TCP_PRECEDE_PKTS_PAT_MAX value 180

tunable GT_PL_BEHAVIORAL_DOWNLOAD_MIN_AVG_PACKET_SIZE value 700
tunable GT_PL_BEHAVIORAL_DOWNLOAD_MAX_VOLUME_RATIO value 25
tunable GT_PL_BEHAVIORAL_DOWNLOAD_PACKET_DEVIATION_HI_VOL_FACTOR value 50

tunable GT_PL_WINNYP_NUMBER_OF_CHECKED_PACKETS value 5
tunable GT_PL_WINNYP_MAXIMAL_ALLOWED_DIRECTION_CHANGES value 5

tunable GT_QQMaxPacketsInSameDir value 7

exit
exit

copy running-config-application startup-config-application
Writing general configuration file to temporary location...
Removing old application configuration file...
Renaming temporary application configuration file with the final file's name...

SCE2020-1#>
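Added example, not part of the post or of the Cisco protocol pack: a Python parser for the lookup and tunable lines of script.txt, so the tables and keys a protocol pack overwrites can be reviewed before script run applies them on the SCE. The sample is a constructed excerpt of the script above plus one assumed extra ed2k line, included only to show how a redefined key is reported.

```python
# Added example (not from the post or Cisco): parse the "lookup <table>
# overwrite-key <key> value <n>" and "tunable <name> value <v>" lines of an
# SCE protocol pack script, so the changes can be reviewed before "script run".
import re
from collections import defaultdict

LOOKUP_RE = re.compile(r'^lookup\s+(\S+)\s+overwrite-key\s+(?:"([^"]*)"|(\S+))\s+value\s+(\S+)$')
TUNABLE_RE = re.compile(r'^tunable\s+(\S+)\s+value\s+(\S+)$')

# Constructed excerpt of the post's script; the second "ed2k" line is an
# assumed addition used to demonstrate conflict detection.
SAMPLE_SCRIPT = """\
configure
interface LineCard 0
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "Babelgum" value 23
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "ed2k" value 6
lookup GT_LUT_HTTP_BASED_PROTOCOLS_HOST overwrite-key "*:*googlevideo.com" value 1
lookup GT_LUT_HTTP_BASED_PROTOCOLS_URL overwrite-key /videoplayback*:* value 2
lookup GT_LUT_HTTP_BASED_PROTOCOLS_UserAgents overwrite-key "ed2k" value 9
tunable GT_PL_USE_OLD_BEHAVIORAL_DOWNLOAD value false
tunable PL_AGING_RTMP value 3000
exit
"""

def parse_script(text):
    """Return (lookups, tunables, conflicts): lookups is {table: {key: value}}
    with the later overwrite-key line winning (assumed from the keyword),
    conflicts lists (table, key, old_value, new_value) for redefined keys."""
    lookups, tunables, conflicts = defaultdict(dict), {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOOKUP_RE.match(line)
        if m:
            table, value = m.group(1), m.group(4)
            key = m.group(2) if m.group(2) is not None else m.group(3)  # quoted or bare key
            if key in lookups[table] and lookups[table][key] != value:
                conflicts.append((table, key, lookups[table][key], value))
            lookups[table][key] = value
            continue
        m = TUNABLE_RE.match(line)
        if m:
            tunables[m.group(1)] = m.group(2)
    return dict(lookups), tunables, conflicts

def summarize(text):
    """Number of keys overwritten per lookup table, for a quick review."""
    lookups, _, _ = parse_script(text)
    return {table: len(keys) for table, keys in lookups.items()}
```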
The screenshots show the result: YouTube and Google Video successfully blocked.

YouTube:

Google Video:

This is only a sample showing how to block Google Video or YouTube; you can control any protocol as long as it is supported by the protocol pack.

Tuesday, August 4, 2009

ISG - SCE Integration using SCMP

ISG (Intelligent Services Gateway) is a broadband aggregation router used to deliver services from the service provider to broadband subscribers. With ISG we can control and apply dynamic policy to the subscriber, such as a turbo button (upgrade or downgrade speed), parental control, subscriber self-control using a captive portal / walled garden redirect service, and external policy control using CoA. A more advanced implementation is ISG working together with an SCE as a DPI (deep packet inspection) service control. Using the SCE we can create different service levels for subscribers: we can control subscriber traffic at the application layer (layer 7) or use its traffic shaping capabilities.

To integrate the SCE with ISG we can use SCMP, which allows ISG and the SCE to manage the subscriber session and apply a particular service / profile to the subscriber dynamically, instead of using the Subscriber Manager (SM) with the SCABB application. An external portal / walled garden can send a CoA packet (CoA, RFC 3576) to ISG to change the user's service. In the ISG policy we can define the package that will be sent to the SCE using CoA, together with the GUID / user identity; when the SCE accepts the CoA, it assigns that package to the GUID.

I built a lab to implement this integration, using ISG and an SCE 2020. Here is the diagram:

DIAGRAM:

ISG configuration:

ISGD2#
!
aaa attribute list coa
attribute type nas-ip-address 172.16.0.29
!
!
!
aaa server radius policy-device
key peditea
message-authenticator ignore
client 192.168.50.77 vrf vpn_internet key peditea
!


Verify the SCMP peer in the ISG:

ISGD2#sh subscriber policy peer all
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:55
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:34
Inform owner on pull: TRUE
Total number of associated sessions: 1


CoA from ISG to SCE:

*Aug 4 06:16:27.582: RADIUS(00000000): Send CoA Request to 192.168.50.77:3799 id 1645/53, len 211
*Aug 4 06:16:27.582: RADIUS: authenticator C7 E2 B1 A2 F5 7B 13 65 - 98 05 83 9B A5 DF 5E CE
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"
*Aug 4 06:16:27.582: RADIUS: NAS-Port [5] 6 60000
*Aug 4 06:16:27.582: RADIUS: NAS-Port-Id [87] 21 "nas-port:0/0/0/86/0"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 31 "subscriber:command=updateSess"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 32
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 26 "subscriber:policy-name=6"
*Aug 4 06:16:27.582: RADIUS: Vendor, Cisco [26] 36
*Aug 4 06:16:27.582: RADIUS: Cisco AVpair [1] 30 "subscriber:service-monitor=1"
*Aug 4 06:16:27.582: RADIUS: NAS-IP-Address [4] 6 172.16.0.29
*Aug 4 06:16:27.582: RADIUS: User-Name [1] 10 "fadlytea"
*Aug 4 06:16:27.582: RADIUS: Framed-IP-Address [8] 6 172.16.94.2
*Aug 4 06:16:27.586: RADIUS: Received from id 1645/53 192.168.50.77:3799, CoA Ack Response, len 63
*Aug 4 06:16:27.586: RADIUS: authenticator B8 00 27 53 E2 DF 79 28 - 82 30 38 3F 76 A9 85 06
*Aug 4 06:16:27.586: RADIUS: NAS-IP-Address [4] 6 192.168.50.77
*Aug 4 06:16:27.586: RADIUS: Vendor, Cisco [26] 37
*Aug 4 06:16:27.586: RADIUS: Cisco AVpair [1] 31 "session-guid=CA9B591E0000003C"

Verify the user session GUID:

ISGD2#sh subscriber policy peer all detail
EXTERNAL POLICY PEER Details:
=============================

Peer IP: 192.168.50.77
Conn ID: 11
Mode : PUSH
State : ACTIVE
Version: 2.0
Conn up time: 00:08:57
Conf keepalive: 100
Negotiated keepalive: 100
Time since last keepalive: 00:00:36
Inform owner on pull: TRUE
Total number of associated sessions: 1
Associated session details:
CA9B591E0000003C

ISGD2#


Verify the SCMP peer in the SCE:

SCE2020-2#sh scmp all
SCMP Connection 'isg-dev2' status:
172.16.0.29 auth-port 1645 acct-port 1646
Connection state: Connected
Peer protocol-version: 2.0
Keep-alive interval: 100 seconds
Force single SCE: Yes
Send session start: Yes
Time connected: 9 minutes, 18 seconds




Verify the subscriber session GUID to package mapping in the SCE:

SCE2020-2#SH interface LineCard 0 subscriber name CA9B591E0000003C
Subscriber 'CA9B591E0000003C' manager: isg-dev2
Subscriber 'CA9B591E0000003C' properties:
downVlinkId=0
monitor=1
new_classification_policy=0
packageId=6
QpLimit[0..17]=0*17,8
QpSet[0..17]=0*17,1
upVlinkId=0
Subscriber 'CA9B591E0000003C' read-only properties:
concurrentAttacksNumber=0
PV_QP_QuotaSetCounter[0..17]=0*18
PV_QP_QuotaUsageCounter[0..17]=0*18
PV_REP_nonReportedSessionsInTUR=0
P_aggPeriodType=5
P_blockReportCounter=0
P_endOfAggPeriodTimestamp=0
P_firstTimeParty=TRUE
P_localEndOfAggPeriodTimestamp=0
P_MibSubCounters16[0..31][0..1]=0*64
P_MibSubCounters32[0..31][0..1]=0*64
P_newParty=TRUE
p_numOfRedirections=0
P_partyCurrentDownVLink=0
P_partyCurrentPackage=6
P_partyCurrentUpVLink=0
P_partyGoOnlineTime=0
P_partyMonth=0
P_serviceReportedBitMap=0
Subscriber 'CA9B591E0000003C' mappings:
IP 172.16.94.2 - Expiration (sec): Unlimited
Subscriber 'CA9B591E0000003C' has 0 active sessions.
Aging disabled
SCE2020-2#