This chapter describes how you create domains for agents on SwitchProbe devices and the Network Analysis Module. You can do the following tasks while working with domains:
The following sections contain more information:
After you have installed a domain on an agent, you can direct the agent to collect information for a specific domain. The agent collects a new set of statistics only for the traffic that matches the domain definition.
Two categories of domains are supported:
Because generic domains are resource-intensive, you should use them only under the following circumstances:
After you boot a SwitchProbe device, the device can immediately monitor a wide range of protocols. SwitchProbe devices and Network Analysis Modules boot with many predefined domains based on common protocols (the domains on the Network Analysis Module are different from those on the SwitchProbe device). The TrafficDirector software ships with many more available in the Add Domain list. However, you may need to define additional protocols used on your network. To do this, you use the Domain Editor to create domains so they appear as available domains when you define agent properties files.
Protocol domains track information found at network layers above the data-link layer of the OSI model; they cannot access physical layer statistics. For this reason, some TrafficDirector physical layer applications, such as Segment Zoom, cannot start when you select a protocol domain.
Each SwitchProbe device and Network Analysis Module keeps track of all protocol domains installed on the device. In addition to tracking all installed protocol domains, the SwitchProbe or Network Analysis Module's internal architecture also recognizes the base parent protocol, associated children protocols, and the encapsulation type. Each SwitchProbe device supports up to 256 protocol domains.
The Domain Editor also lets you create port-specific protocol domains for well-known UDP and TCP ports. If activity has been discovered on a new UDP or TCP port (possibly from a custom application), you can create a new domain to monitor activity and users. Two additional domain types---TCPAPP and UDPAPP---are provided as dialog box options to speed the configuration process for the most commonly created protocol domains. For more information, see "Creating Port-specific Protocol Domains."
You can also view statistics related to multiple domains simultaneously, using multidomain views in many of the real-time, protocol-level monitoring applications such as TopN Talkers and All Conversations. The multidomain view is a technique for displaying information from multiple domains for viewing in graphs and reports. These pseudo protocol domains---ALLNL and ALLAL---represent filtering on the TopN Matrix group, and they are automatically created.
Generic domains provide a different way to display data. For example, if you want to track IP traffic by subnet address rather than individual IP addresses, you would create a generic domain.
You can create a generic domain in subnet mode based on the IP filter and enable the host group. This generic domain could show traffic by IP subnet in such applications as All Talkers and TopNTalkers. You can also enable logging for hosts and conversations to allow for reporting and trend analysis of the IP subnet traffic.
You can analyze and classify a packet for tracking as part of multiple domains. A packet must successfully match at least one filter to be classified as the given generic domain. When packets contain attributes that match several different generic domains, they can be counted for each domain. For example, a TCP packet would be counted as both a member of the TCP and IP domains.
The TrafficDirector application lets you set up filters on any aspect of a packet; you create a new domain classification to track only those packets that match the filter definition. You can include up to eight filters in a single generic domain definition.
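The matching rule described above, as an added example that is not TrafficDirector code: a simplified Python model in which a packet is counted in every generic domain where it matches at least one filter, with hosts keyed by subnet as in subnet mode. The packet records, the filter predicates, and the /24 prefix length are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical filters: each is a predicate over a simplified packet record.
FILTERS = {
    "ip": lambda p: p["l3"] == "IP",
    "tcp": lambda p: p["l3"] == "IP" and p.get("l4") == "TCP",
    "web": lambda p: p.get("l4") == "TCP" and p.get("dport") == 80,
}

# Generic domain -> its filters (at most eight; one match is enough).
DOMAINS = {"IP": ["ip"], "TCP": ["tcp"], "WEB": ["web"]}


def subnet_of(addr, prefix=24):
    """Host key in subnet mode; the /24 prefix length is an assumption."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def classify(packets, domains=DOMAINS):
    """Return {domain: Counter(subnet -> packet count)}."""
    tables = {name: Counter() for name in domains}
    for p in packets:
        for name, filter_names in domains.items():
            if len(filter_names) > 8:
                raise ValueError(f"{name}: more than eight filters")
            # A packet belongs to a domain if any one of its filters matches,
            # and it is counted once in every domain it belongs to.
            if any(FILTERS[f](p) for f in filter_names):
                tables[name][subnet_of(p["src"])] += 1
    return tables


# Constructed sample traffic.
PACKETS = [
    {"l3": "IP", "l4": "TCP", "src": "10.1.1.5", "dport": 80},
    {"l3": "IP", "l4": "TCP", "src": "10.1.1.9", "dport": 23},
    {"l3": "IP", "l4": "UDP", "src": "10.1.2.7", "dport": 53},
    {"l3": "IPX", "src": "0000.0c12.3456"},
]

if __name__ == "__main__":
    for name, table in classify(PACKETS).items():
        print(name, dict(table))
```

The two TCP packets appear in both the IP and TCP tables, and the IPX packet appears in none because it matches no filter.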
The RMON domain is the only generic domain designed for use without filters. You should not apply any filters to the RMON domain---you can easily create a new generic domain with the filters that you want using the Filter Editor instead.
While the filtering capabilities of a generic domain provide great flexibility, they also restrict the number of generic domains you can install on an agent. The maximum number of filters per agent is 32.
If you wish to have a single filter per domain on an agent, the maximum number of generic domains you can install on the SwitchProbe device is 32. But because you can define up to eight filters per generic domain, you could be limited to only four domains in the device if you choose eight filters for each domain. If you apply filters to a WAN interface, they are also propagated across both DTE and DCE.
This configuration limitation is important to remember when you edit filters that are already installed on SwitchProbe devices, or when you are installing new ones. See "Configuring Generic Domains" for more information about selecting the filters that define the domain.
Both protocol and generic domains collect one or more sets of statistics. The kinds of statistics to be collected are defined when you install the domain on the agent.
Table 5-1 shows the primary statistics supported for both protocol and generic domains, and the RMON1 and RMON2 groups associated with each.
| Statistics Group | Protocol Group | Generic Group |
|---|---|---|
| Statistics | RMON2 Protocol Distribution | RMON1 Statistics |
| Short-Term History | | RMON1 History |
| Long-Term History | | RMON1 History |
| Host | RMON2 Network Layer and Application Layer Host | RMON1 Host |
| Conversation | RMON2 Network Layer and Application Layer Matrix | RMON1 Matrix |
| Application Response Time (ART) | ARTMIB | |
The TrafficDirector application ships with a wide variety of predefined domain definitions; therefore, using the Domain Editor to create completely customized domains is less cumbersome, as you can use the basic definitions to address most needs.
The predefined domain definitions shipped with the TrafficDirector software are listed in Table 5-2:
| Domain | Members |
|---|---|
| | AEP, AFP, ARP, ASP, ATP, DSP, LAP, LDDP, NBP, PAP, RTMP, RTREQ, SDDP, ZIP |
| DEC | CLUST, CTERM, DIAG, DAP, DRP, FOUND, LAT, MOPDL, MOPRC, NICE, NET, NSP, SCP, STP |
| IP | AOL, ARP, ATIP_AEP, ATIP_NBP, ATP_RTP, ATIP_ZIP, BGP, BGP_TCP, BOOTPC, BOOTPS, CCMAIL, COMPUSRV, CICCOGDP, DBASE, DLSW_RD, DLSW_WR, DNS_TCP, DNS_UDP, DOOM, EGP, FINDER, FTP_DATA, FTP_CRTL, GGP, GOPHER, HTTP, HTTPS, ICMP, IGMP, IGRP, INGRESQL, IPIP, IPIP4, IPV6, IPX1_TCP, IPX1_UDP, IPX2_TCP, IPX2_UDP, IP_LLC, IRC, MOBIPAGT, MOBIPMGR, MS-DNS_T, MS-DNS_U, MS-WINS, MSSNASRV, MSSQLMON, MSSQLSRV, NB_NS_T, NB_DGM_T, NB_SSN_T, NETB_DGM, NETB_NAM, NETB_SSN, NETVIEW, NETV_RCV, NETV_SND, NEW_TCP, NEW_UDDP, NNTP, NOTESTCP, NOTESUDP, NTP, NW-CS_T, NW-CS_U, NW-LU62T, NW-LU62U, ORACLSQL, OSPF, POP3, PORTMAP, RARP, REALAUD, REXEC, RFE_TCP, RFE_UDP, RIP, RLOGIN, RPRINT_T, RPRINT_U, RWHO, SIPP-ESP, SIPP-AH, SMTP, SNMP, SNMPTRAP, SOCKET, SQLNET, SQLNET_N, SQL_SVR, SUN_NFS, SUN_MOUNT, SUNRPC, SUNRPC_T, SUN_YP, TCP, TELNET, TFTP, UDP, VIP, WTCOMSQL, XWINDOW, XWIN_UDP |
| IPX | IPX_ETH, IPX_LLC, IPX_SNP, NOTESIPX, NCP, NOV_ERRP, NOV_NETB, NOV_NLSP, NOV_PING, NOV_RIP, NOV_SAP, NOV_SNMP, NOV_SPX, NOV_TRAP, NOV_WAN2 |
| NetBEUI | IBM_NETB, NETB, NET |
| VINES | VINESARP, VINESICP, VINESIP, VINESIPC, VINESMAIL, VINESMM, VINESRTP, VINESSPP, VINESST, VIN_ETH, VIN_LLC, VIN_SNAP |
| SNA | SNA_FM, SNA_GW, SNA_PS, SNA_RU, SNA_TCP, SNA_TH, SNA_XID |
| XNS | XNS_ECHO, XNS_ERRP, XNS_IPX, XNS_PEP, XNS_RIP, XNS_SPP, XNS_SPX |
You can also add these domains to any properties file so they can be evaluated for statistical compilations through the Add Domain option in the Properties Editor.
If you create a custom protocol domain, you can also add the domain to the list displayed in the traffic, protocol, or application modes of the TrafficDirector GUI interface (that is, have the new domains or domain groups display in the Domain Name or Domain List boxes for these modes).
To do so, edit the following configuration files:
You can also delete Domain Names and Groups from these configuration files if you no longer want to see their monitoring results. Use an ASCII text editor to edit the appropriate configuration file located in the $NSHOME/usr directory.
You use the Domain Editor to define new protocol domains to track specific traffic classified by network- and application-layer protocols. Protocol domains have several advantages:
As you define a new domain, you are also identifying the relationship of parent and child protocols as they map to the OSI network-layer model.
To define a new protocol domain, follow these steps:
Step 1 Start the TrafficDirector application.
Step 2 Click the Admin radio button.
Step 3 Click the Domain Editor icon.
The Domain Editor window is displayed (Figure 5-1).

Step 4 Select Protocol from the Domain Type drop-down list.
Step 5 Select Tools > New Domain, or click New on the tool bar.
The New Protocol Domain window is displayed (Figure 5-2).
Step 6 In the Domain Name field, enter the name you want associated with the domain.
This name can be a maximum of 15 characters and must begin with a letter. You can use only letters, numbers, dashes, and underscores. The name is not case-sensitive.
Step 7 Click the selection button to the right of the Data Link Layer field.
The Datalink layer list box is displayed.
Step 8 Select the appropriate Datalink layer option.
Step 9 Click OK to accept the selection, or click Cancel to close the list box without selecting a Datalink layer.
Step 10 Make a selection from the following choices:
Step 11 Click the selection button to the right of the Network Layer field.
The Network layer list box is displayed. The box lists parent protocols. They are high-level protocols. The list shows the protocol name, and a number that maps to an RMON2 definition. The protocols displayed work on the Datalink layer as selected in Step 10.
Step 12 Select the protocols you want to include.
Step 13 Click OK.
Step 14 Click the selection button to the right of any Application Layer field (1 through 5).
These fields are optional; you can define none, some, or all of them.
A list of protocol children is displayed. Children protocols are related to the protocols you selected earlier. You can choose to examine multiple children protocols running on a network level above selected parent protocols. The list shows the children protocol name and a number that maps to an RMON2 definition.
Step 15 Highlight any children protocols.
Step 16 Click OK.
Step 17 Click OK again to save your selections, or click Cancel to close the New Protocol window without saving your definition.
The resulting domain is displayed in the Domain List in Configuration Manager. For the new domain to take effect, you must add it to a properties file, then install it on an agent in the SwitchProbe device.
By specifying UDPAPP or TCPAPP in the Domain Type field, you can create new protocol domains to monitor known UDP and TCP ports. For example, the Internet Relay Chat (IRC) protocol uses port 194. HTTP typically uses port 80. Table 5-3 shows examples of predefined protocol domains that are based on port numbers:
| This Protocol Domain... | Monitors |
|---|---|
| ccmail | Lotus cc:Mail usage |
| compusrv | Compuserve sessions |
| AOL | America Online sessions |
| Doom | Online interactive game, "Doom" |
| HTTP | HTTP client traffic using port 80 |
To create new port-specific protocol domains, follow these steps:
Step 1 Select one of the following from the Domain Type pull-down menu:
Step 2 Select Tools > New Domain, or click New on the tool bar.
Depending on the domain type you selected, the New UDP Domain or the New TCP Domain window is displayed (Figure 5-3).
Step 3 Enter the domain name in the Name field.
Step 4 Enter the UDP or TCP port number in the Port field.
Step 5 Click OK to save the domain.
The resulting domain is displayed in the Domain List in Configuration Manager. For the new domain to take effect, you must add it to a properties file, then install it on an agent in the SwitchProbe device.
While generic domains are powerful and flexible, they can quickly deplete agent resources if you use them in large numbers.
One reason that generic domains use more resources than protocol domains is the way they collect and store statistics---primarily Host and Conversations statistics. Because generic domains are based on RMON1, separate Host and Conversation tables are created for each domain installed on each interface.
The number of generic domains you can install on an agent varies, depending on SwitchProbe resources and the definition of each domain. You can install a maximum of 32 domain-related filters on any SwitchProbe device.
For example, this system-level limit means you could install any of the following combinations on a SwitchProbe device:
To define a new generic domain, follow these steps:
Step 1 Click the Domain Editor icon in the TrafficDirector main window.
The Domain Editor window is displayed (Figure 5-1).
Step 2 Select Generic from the Domain Type pull-down menu.
Step 3 Select Tools > New Domain, or click New Domain on the tool bar.
The New Generic Domain window is displayed (Figure 5-4).
Step 4 In the Domain Name field, enter the name of the domain.
The name can be a maximum of 15 letters and must begin with a letter. You can use only letters, numbers, dashes, and underscores. The name is not case-sensitive.
Step 5 In the Host Address Mode option, select the viewing options for address display---either MAC, NET, SUBNET, or PORT.
Step 6 Under the Domain Type heading, select one of the following:
Step 7 In the Packet Type options, select one of the following:
Step 8 Under the Selected Filters heading, scroll down and select one or more (up to 8) filters you want to include as part of the generic domain definition.
You can mix any of the network layer protocols displayed.
The filters you select determine the type of packets the new generic domain recognizes:
Step 9 Click OK to save the new generic domain.
The resulting domain is displayed in the Domain List in Configuration Manager. For the new domain to take effect, you must add it to a properties file, then install it on an agent in the SwitchProbe device.
dvclean -f <frame_relay_agent_name> filter
dvclean -f <frame_relay_agent_name> channel
or
dvclean -f <frame_relay_agent_name>
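A pre-installation check of a planned domain set against the limits stated in this chapter (the domain name rules, one to eight filters per generic domain, 32 filters per agent, 256 protocol domains), as an added example that is not part of the TrafficDirector software. The plan layout and the `check_plan` function are hypothetical, and ASCII letters are assumed for the name rule.

```python
import re

# Limits stated in this chapter.
MAX_NAME_LEN, MAX_PROTOCOL_DOMAINS = 15, 256
MAX_FILTERS_PER_DOMAIN, MAX_FILTERS_PER_AGENT = 8, 32
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")  # ASCII letters assumed


def check_plan(domains):
    """Return a list of problems for one agent's planned domains.

    Each entry is a dict with name, type ("protocol" or "generic") and,
    for generic domains, filters; this layout is hypothetical.
    """
    problems, seen = [], set()
    total_filters = protocol_count = 0
    for d in domains:
        name, filters = d["name"], d.get("filters", [])
        if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
            problems.append(f"{name}: invalid domain name")
        # Names are not case-sensitive, so compare them case-folded.
        if name.lower() in seen:
            problems.append(f"{name}: duplicate name")
        seen.add(name.lower())
        if d["type"] == "protocol":
            protocol_count += 1
        elif name.upper() == "RMON":
            # The RMON domain is the one generic domain used without filters.
            if filters:
                problems.append("RMON: must not carry filters")
        else:
            if not 1 <= len(filters) <= MAX_FILTERS_PER_DOMAIN:
                problems.append(f"{name}: {len(filters)} filters, need 1 to 8")
            total_filters += len(filters)
    if total_filters > MAX_FILTERS_PER_AGENT:
        problems.append(f"agent: {total_filters} filters exceeds 32")
    if protocol_count > MAX_PROTOCOL_DOMAINS:
        problems.append(f"agent: {protocol_count} protocol domains exceeds 256")
    return problems


# Constructed plan: five generic domains of eight filters each, one bad name.
PLAN = [{"name": f"SUBNET_{i}", "type": "generic",
         "filters": [f"flt{i}_{j}" for j in range(8)]} for i in range(5)]
PLAN.append({"name": "9lives", "type": "protocol"})

if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)))
```

Dropping one of the five generic domains brings the plan to 32 filters, which passes the per-agent check.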
You can change a domain definition when you want to monitor a different subset of network traffic or port number. You can also edit a previously defined domain whether it is attached to an agent or not. In this case, however, you must reinstall the domain on the agent in a properties file for the changes to take effect.
To change the definition of an existing domain, follow these steps:
Step 1 Highlight the domain from the Domain Editor window.
Step 2 Select Tools > Edit Domain from the menu bar, or click Edit Domain on the tool bar.
Step 3 Change any fields you want to modify.
Step 4 Click OK to modify the domain, or click Cancel to return to the Domain Editor window without saving the changes.
You can delete domains to remove unused or outdated domain definitions from the TrafficDirector domain list. Keep in mind this procedure simply removes the domain from the list available for adding to TrafficDirector properties files; it does not delete any domains already installed on an agent.
To deinstall domains from an agent, see Chapter 3, "Using Configuration Manager."
To delete a domain from the domain list, follow these steps:
Step 1 Select the domain you want to delete from the Domain Editor window.
Step 2 Select Tools > Delete Domain from the menu bar, or click Delete Domain on the tool bar.
A cautionary prompt is displayed, asking if you want to continue.
Step 3 Click OK to delete the domain definition.
Posted: Fri Mar 31 08:53:43 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.