• Application Filters — App-filters are used to define applications based on Layer 3 to Layer 7 criteria. They map one or more protocol signatures or customized traffic patterns to an application of interest.
• Application — Such as BitTorrent®, Netflix®. Traffic is classified into applications using app-filters.
• Application Group — Such as peer-to-peer, multimedia streaming. For the purpose of reporting and control, applications of similar type/function can be grouped together in Application Groups (App-Group).
• Charging Group — Such as zero rating, default. For the purpose of charging or control, applications and app-groups can be grouped together in charging groups.

Figure 203: App-Filters/Applications/AppGroup
• BitTorrent® and Emule® applications are defined using their protocol signature and grouped in the P2P app-group.
• Google Maps® and Yahoo® web sites are defined using http expression and grouped together in the Web app-group.

^abcd*: match 'abcd' at beginning, can end with anything
*abcd*: match 'abcd' anywhere
*abcd$: match 'abcd' at the end
^abcd$: exact expression match 'abcd'
^ab*cd$: string starts with 'ab', ends with 'cd' (anything else in between)
^ab\dcd$: string starts with 'ab', followed by a decimal digit, ends with 'cd'

    configure application-assurance group 1:1 policy
        app-group "File Transfer"
        exit

    configure application-assurance group 1:1 policy
        application "FTP"
            app-group "File Transfer"
        exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                protocol eq "ftp_data"
                application "FTP"
                no shutdown
            exit
            entry <1..65535> create
                protocol eq "ftp_control"
                application "FTP"
                no shutdown
            exit

App-Filters are an ordered list of entries. It is important to keep the order of this list consistent with the classification objective.

    entry 100 create
        description "Default HTTP Protocol"
        protocol eq "http"
        application "HTTP"
        no shutdown
    exit
    entry 110 create
        description "Google"
        expression 1 http-host eq "*.google.com$"
        application "Google"
        no shutdown
    exit

The operator can customize the policy and create applications and app-filters by using the following ranges shown in Table 9 (other ranges are used by the Alcatel-Lucent default policy):
Table 9: Customer Reserved App-Filter Ranges
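The expression syntax listed above can be checked against sample values before an entry is enabled. The following Python sketch is an added example, not Alcatel-Lucent code: it translates the listed operators into a regular expression and reports which intended values a pattern misses and which unintended values it catches. The function names and host names are constructed for illustration, and it assumes that every character other than ^, $, * and \d is a literal.

```python
import re

def compile_expr(pattern):
    """Translate an app-filter expression into a Python regex.

    Only the operators listed on this page are handled: ^ $ * and \\d.
    Assumptions: every other character ('.' included) is a literal, and an
    end carrying neither an anchor nor * is treated as anchored.
    """
    body = pattern[1:] if pattern.startswith("^") else pattern
    body = body[:-1] if body.endswith("$") else body
    out, i = [], 0
    while i < len(body):
        if body[i] == "*":
            out.append(".*")            # wildcard: any run of characters
        elif body.startswith("\\d", i):
            out.append(r"\d")           # exactly one decimal digit
            i += 1
        else:
            out.append(re.escape(body[i]))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(pattern, value):
    # fullmatch anchors both ends; a leading or trailing * reopens that end
    return compile_expr(pattern).fullmatch(value) is not None

def audit(pattern, intended, unintended):
    """List intended values the pattern misses and unintended ones it catches."""
    return {
        "missed": [v for v in intended if not matches(pattern, v)],
        "overmatched": [v for v in unintended if matches(pattern, v)],
    }

# Constructed host names, not taken from a capture
INTENDED = ["www.google.com", "maps.google.com", "google.com"]
UNINTENDED = ["www.google.com.example.net", "notgoogle.com"]

if __name__ == "__main__":
    # First pattern is the page's; the other two are constructed variants
    for pat in ("*.google.com$", "*.google.com*", "*google.com$"):
        print(pat, audit(pat, INTENDED, UNINTENDED))
```

With these samples, the page's "*.google.com$" misses only the bare domain, while each constructed variant catches one host outside the intended set.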
• HTTP Host and URI are located before the HTTP referer for accounting accuracy (for example, YouTube® from within Facebook® is classified as YouTube®)

Figure 204 describes a typical persistent HTTP connection between a web client and a server with multiple HTTP transactions within the same TCP session:

Figure 204: HTTP Persistent Connection

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Wikipedia Web Access"
                expression 1 http-host eq "*.wikipedia.org$"
                application "Wikipedia"
                no shutdown
            exit

Figure 205: Wireshark® www.wikipedia.org

Table 10 displays an example of classification rules for the ISP ON-NET content services:
    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Zero rated content"
                expression 1 http-host eq "^www.ispdomain.com$"
                expression 2 http-uri eq "^/video*"
                http-match-all-req
                application "ISP Portal Video"
                no shutdown
            exit
            entry <1..65535> create
                description "Image charging"
                expression 1 http-host eq "^www.ispdomain.com$"
                expression 2 http-uri eq "^/images*"
                http-match-all-req
                application "ISP Portal Images"
                no shutdown
            exit
            entry <1..65535> create
                description "Default charging"
                expression 1 http-host eq "^www.ispdomain.com$"
                http-match-all-req
                application "ISP Portal Default"
                no shutdown
            exit

The snapshot (Figure 206) from Wireshark® shows the SSL/TLS certificate exchanged using the mobile application WhatsApp®.

Figure 206: Wireshark® HTTPS www.whatsapp.com

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Whats App tls and image/voice/video traffic"
                expression 1 tls-cert-subj-common-name eq "*.whatsapp.net$"
                application "Whats App"
                no shutdown
            exit

Figure 207: HTTPS SNI

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Yahoo HTTP or TLS SNI"
                expression 1 http-host eq "*.yahoo.com$"
                application "Yahoo"
                no shutdown
            exit

AA supports SIP expression match criteria on SIP URI, SIP user agent and SIP media type. The snapshot below from Wireshark® shows a SIP control exchange using the voice-video application Vonage® followed by the RTP media audio flow; the expression fields that can be matched using AA app-filters are highlighted:

Figure 208: SIP Wireshark® Capture

The configuration example below classifies Vonage® SIP/RTP desktop traffic using a SIP URI expression:

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Vonage"
                expression 1 sip-uri eq "*voncp.com*"
                application "Vonage"
                no shutdown
            exit

AA supports H323 expression match criteria on the H323 Product ID.
The snapshot below from Wireshark® shows an H323 control exchange using the Telepresence application LifeSize® followed by the RTP media audio flow; the expression field that can be matched using AA app-filters is highlighted:

Figure 209: H323 Wireshark® Capture

The configuration example below classifies LifeSize® H323/RTP traffic using the H323 product ID expression:

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "LifeSize H323 traffic"
                expression 1 h323-product-id eq "^LifeSize*"
                application "LifeSize"
                no shutdown
            exit

AA supports RTSP expression match criteria on the RTSP Host, URI, UserAgent. The snapshot below from Wireshark® shows an RTSP setup request to YouTube® followed by the RTP media audio flow; the expression fields that can be matched in the RTSP SETUP request using AA app-filters are highlighted:

The configuration example below classifies YouTube® RTSP/RTP traffic using the RTSP Host expression:

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "YouTube RTSP/RTP Video"
                expression 1 rtsp-host eq "*.youtube.com$"
                application "YouTube"
                no shutdown
            exit

Independent Computing Architecture (ICA) is a Citrix Systems® protocol used in Citrix’s WinFrame, Citrix XenApp (formerly called MetaFrame/Presentation Server), and Citrix XenDesktop products.

Citrix makes it possible to run applications remotely on large servers, thus making better use of server resources while at the same time allowing people using other platforms to use the applications, for example, run Microsoft® Word on a UNIX workstation.

The Citrix expression match app-filter is used to classify traffic based on the Citrix-published application.
This published application is configured on the server and in the example above can be for instance RDP, SAP, Word, XLS or Microsoft® Word depending on how the server is configured.

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Citrix SAP Application"
                expression 1 citrix-app eq "SAP"
                application "Citrix SAP"
                no shutdown
            exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Server #1 10.0.0.1"
                server-address eq 10.0.0.1/32
                application "Application-1"
                no shutdown
            exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Server #2 10.0.0.2 port 1234 Only"
                server-address eq 10.0.0.2/32
                server-port eq 1234
                application "Application-2"
                no shutdown
            exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "Business VPN Application X Port 4000"
                server-port eq 4000
                protocol eq unknown_tcp
                application "Business VPN Application X"
                no shutdown
            exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "HTTP Server on the subscriber side"
                flow-setup-direction network-to-subscriber
                protocol eq http
                application "HTTP Server"
                no shutdown
            exit

    configure application-assurance group 1:1 policy
        app-filter
            entry <1..65535> create
                description "ICMP v4"
                protocol eq "non_tcp_udp"
                ip-protocol-num eq icmp
                application "ICMP"
                no shutdown
            exit
            entry <1..65535> create
                description "ICMP v6"
                protocol eq "non_tcp_udp"
                ip-protocol-num eq ipv6-icmp
                application "ICMP"
                no shutdown
            exit

To illustrate this feature the Solaris® application GoGlobal is used. It provides remote access to a server (similar to VNC®).
The snapshot below (Figure 208) from Wireshark® shows a TCP SYN/ACK session establishment followed by the first data exchange:

Figure 210: Wireshark® GoGlobal

Wireshark® shows that each TCP session payload starts with 80DC0400 (no offset) after the three-way TCP handshake. As a result, the configuration required to classify this traffic is described below:

    configure application-assurance group 1:1 policy
        custom-protocol 1 ip-protocol-num tcp create
            description "goglobal tcp"
            expression 1 eq "\x80\xdc\x04\x00" offset 0 direction client-to-server
            no shutdown
        exit
        app-filter
            entry <1..65535> create
                description "GoGlobal"
                protocol eq "custom_01"
                application "GoGlobal"
                no shutdown
            exit
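The step from a capture to the custom-protocol expression above can be reproduced offline. This Python sketch is an added example, not code from the product: it derives a candidate signature as the longest prefix shared by the first client payloads of several flows, then checks a flow against the page's signature at offset 0. The flow representation, the "c2s"/"s2c" labels and the payload bytes after the signature are constructed, and it assumes the match is made on the first data-bearing client-to-server segment.

```python
SIGNATURE = bytes.fromhex("80dc0400")   # the page's expression "\x80\xdc\x04\x00"

def first_client_payload(flow):
    """Return the first non-empty client-to-server payload of a flow, or None.

    flow is an ordered list of (direction, payload) pairs, direction being
    "c2s" or "s2c"; handshake segments carry an empty payload.
    """
    for direction, payload in flow:
        if direction == "c2s" and payload:
            return payload
    return None

def signature_hit(flow, signature=SIGNATURE, offset=0):
    """True if the signature sits at `offset` in the first client payload."""
    payload = first_client_payload(flow)
    if payload is None or len(payload) < offset + len(signature):
        return False                     # no client data yet, or too short
    return payload[offset:offset + len(signature)] == signature

def common_prefix(payloads):
    """Longest byte prefix shared by every payload: a candidate signature."""
    if not payloads:
        return b""
    prefix = payloads[0]
    for p in payloads[1:]:
        n = 0
        while n < min(len(prefix), len(p)) and prefix[n] == p[n]:
            n += 1
        prefix = prefix[:n]
    return prefix

# Constructed flows: three handshake segments, then data
HANDSHAKE = [("c2s", b""), ("s2c", b""), ("c2s", b"")]
FLOW_A = HANDSHAKE + [("c2s", SIGNATURE + b"\x01\x02session-a")]
FLOW_B = HANDSHAKE + [("c2s", SIGNATURE + b"\x07\x09session-b")]
FLOW_HTTP = HANDSHAKE + [("c2s", b"GET / HTTP/1.1\r\n")]
FLOW_SHORT = HANDSHAKE + [("c2s", b"\x80\xdc")]

if __name__ == "__main__":
    firsts = [first_client_payload(f) for f in (FLOW_A, FLOW_B)]
    print("candidate signature:", common_prefix(firsts).hex())
    for name, f in (("A", FLOW_A), ("HTTP", FLOW_HTTP), ("short", FLOW_SHORT)):
        print(name, signature_hit(f))
```

A prefix that stays stable across many sessions and is absent from unrelated traffic is the property to confirm before relying on a short byte signature.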
• App-filters in shutdown state — The default app-filter state is shutdown. A no shutdown command must be executed in order for it to be enabled.

show application-assurance group 1:1 application count
show application-assurance group 1:1 application count top [octets|packets|flows] [max-count <max-count>]
show application-assurance group 1:1 policy app-filter
A:PE# show application-assurance group 1:1 policy app-filter | match "application \"FTP\"" pre-lines 3 post-lines 2
            exit
            entry 44300 create (2 flows, 1205 B)
                protocol eq "ftp_control"
                application "FTP"
                no shutdown
            exit
            entry 44301 create (2 flows, 1401 B)
                protocol eq "ftp_data"
                application "FTP"
                no shutdown
            exit

show application-assurance group 1:1 aa-sub esm "bob" app-group count
show application-assurance group 1:1 aa-sub sap 1/1/1:10 application count
A:PE# configure application-assurance group 1:1 statistics aa-sub-study application
A:PE>config>app-assure>group>statistics>aa-sub-study# aa-sub esm "bob"

show application-assurance group 1:1 aa-sub-study esm "bob" application count
show application-assurance group 1:1 aa-sub-study esm "bob" application count top [octets|packets|flows] [max-count <max-count>]
show application-assurance group 1:1 aa-sub-study esm "bob" snapshot application count
tools dump application-assurance group 1:1 flow-record-search isa 1/2
tools dump application-assurance group 1:1 flow-record-search aa-sub esm "bob"
tools dump application-assurance group 1:1 flow-record-search aa-sub esm "bob" flow-status active
A:PE# show debug
debug
    application-assurance
        group 1:1
            http-host-recorder
                filter
                    default-filter-action record
                    record http-host-app-filter-candidates
                exit
                rate 100
                no shutdown
            exit
        exit
    exit
exit
A:PE# tools dump application-assurance group 1:1 http-host-recorder top bytes

A:PE# show debug
debug
    application-assurance
        group 1:1
            port-recorder
                application "Unidentified TCP"
                application "Unidentified UDP"
                rate 100
                shutdown
            exit
        exit
    exit
exit
A:PE# tools dump application-assurance group 1:1 port-recorder top bytes