Making Best use of the STMs Group Functionality

An Introduction to Groups 

Contained within the STM functionality is the concept of a “Group”. In Release 7.0 and beyond there are 4 primary group types, based on the configuration element type to which they are associated:
  • Autonomous System Numbers
  • Applications
  • Geolocations
  • Users

The main goal of the group functionality is to simplify a configuration so that a single validation/classification check on an Ingress Flow Class can classify traffic, rather than requiring several rules, one per user or application, etc.

By way of an example the default applications that are loaded by the DPI subsystem are linked to 16 group names as follows: 
  • collaboration
  • database
  • file-mgmt
  • gaming
  • messaging
  • networking
  • p2p
  • proxy
  • remote-access
  • socialnet
  • streaming
  • voip
  • vpn-tunnels
  • web
Each of the default applications known to the DPI subsystem is created to belong to one of the above groups. This allows a much simpler Ingress Policy Map to be created, since a single rule can look for any IP address where the flow belongs to, say, group p2p and, when true, use the p2p EFC or bandwidth partition. Compare this to the multiple rules which would otherwise need to exist, one for each type of p2p application such as bit-torrent, edonkey and emule, to name but a few.



The above screen capture for Release 7.0 reveals that there are in fact 20 p2p applications in the default application list so clearly having a single Ingress Flow Class – Classification Rule makes it a much simpler method for finding and handling all p2p applications rather than having one rule per application.

A secondary use for the Group feature is that a group item always tracks statistics, regardless of and independent of any Ingress classification rules the STM might enforce, so it is possible to see at any time what traffic is seen for all p2p applications. This information could be used to determine whether a limiting policy should be created to reduce the amount of a specific type of traffic seen in a controlled network.

One final point to mention about applying group names to a configuration entry such as an application is that an individual element can belong to multiple groups. This allows an application to belong to both the p2p group and a new “low-priority” group, so the user can remap some, but not all, entries to the low-priority group and have that group handled differently from the standard p2p group. In this case you might have not only some p2p applications in the low-priority group but also other applications such as Apple or MS update. This is configured by adding additional entries to the group field, the only requirement being that each group name is separated by a comma.

Creating New Group Names

As already stated for Release 7.0 and beyond there are four basic group types:
  • Autonomous System Numbers
  • Applications
  • Geolocations
  • Users
Each of these high level entries can have new names added through the GUI at any time by selecting the appropriate entry in the Navigation Pane, right mouse clicking, and then selecting the “New” option:


Once created the new group name can be applied to an entry in the appropriate high level collection, thus an “Application Group” can be added to any application while a “User Group” would be used in relation to specific “Users”.

Viewing Group Statistics

Once a group name has been created, and before any classification rule is created to handle any specific traffic, it will automatically begin tracking ALL flows that belong to the group. This makes it a very useful tool for determining the traffic profile of any site; using the default groups and the Table View in an active STM might reveal the following:


A secondary method for viewing group statistics is to use the “Top X” Pie chart option which for the above list results in the following display:


With this type of chart you can now perform a “Zoom In” function by moving the mouse pointer over a segment and performing a single left mouse button click. When applied to the “networking” segment above, the following Top chart is revealed:


But we need not stop here since we can actually zoom into a specific application and discover the Top users of the application revealing the following: 


And finally from here we can zoom into a user to determine what applications that user is running:

Creating a Group Based Classification Rule

Please refer to the “Basic Classification Tech Tip” for information about the “Basics” of building and using Classification Rules to filter traffic and apply the appropriate bandwidth allocation.
In this example we want to enable a low priority application rule where certain applications are assigned to a new group called “Low-Priority-Apps”. They will retain their original group configuration, with this new group being added in addition to the group the application already belongs to. Once defined, a rule (IFC) will allocate all matching flows to the “Low-Priority-Apps” Egress Flow Class which, when added to the active Egress Policy Maps, will be allocated a minimal amount of bandwidth, perhaps only 20Mbps with a low rate multiplier.
To recap: 
  • All rules (IFCs) require an ACL or IP address filter; if none is defined the system will use the ALL IP filter
  • All rules require a bandwidth partition (EFC) for normal use; failure to define an EFC, or failure to add the required EFC to the Egress Policy Map in use on the interfaces, will be treated as a “DROP” policy and ALL packets will be discarded
So where to begin?
First, since we are using this for low priority applications, we must create a new Application Group which we will call “Low-Priority-Apps” using the “New Application Group” window in the GUI:


Once added we need to add this group name to ALL applications that are required to belong to the Group. In this example these are appleupdate and windowsupdate, since they can typically take large quantities of bandwidth following the release of security updates or new releases. It is therefore necessary to search for each application and modify its Groups entry; taking appleupdate, this involves the search and modify function in the “Application” Navigation tree entry:


Notice that the Groups field uses a comma space separator and filters the available Group names as the entry is typed. Once the name is added, all that remains is to use the “Modify” button.

Once modified, the “Low-Priority-Apps” group will begin to track ALL flows associated with the “appleupdate” application, which gives valuable information about usage prior to the completion of a low priority rule. The above step would be repeated to make the same change to the windowsupdate application.

Before we can actually create a classification filter or rule (IFC) we need not only an ACL but also an Egress Flow Class or bandwidth partition name which will be used by all flows matching the rule. In this case we create a New Egress Flow Class called “Low-Priority-Apps”. Note that using the same name is valid and actually makes it easier to create and understand the configuration.

So to create the New EFC requires a right mouse selection on the Egress Flow Class entry in the Navigation window:



You will notice that an Egress Flow Class is created with a name only; bandwidth is assigned only when it is used in a Policy entry in an Egress Policy Map. The idea here is that you can have several Egress Policy Maps with different bandwidths defined.

With the name now created we need to add a policy to the in-use Egress Policy Map. In this example we will allocate 20Mbps and Host Equalize as a Best Effort Policy. This is accomplished by expanding the Egress Policy Map and the Policies currently defined, then right mouse clicking on the Policies entry and selecting the New option:


As can be seen above we have configured the Upstream and Downstream Rate along with selecting the EFC and checking the Host Equalization option.

At this point we have the EFC defined and the Egress Policy entry, making the next step the creation of an Ingress Flow Class or classification filter/rule. As always this begins by selecting the Ingress Flow Classes entry in the Navigation tree and using the New option:

In this example we have given the IFC the same name as all the other entries and allocated no ACL, which means we will use the built-in IP ANY ANY ACL. Then we select the EFC and finally, by scrolling the window, we add the Low-Priority-Apps name to the Required Group field and the IFC is complete.

That leaves one last task, which is to add the IFC or rule to the Ingress Policy Map as a Policy entry. Key to this step is adding the Policy with the correct sequence number, since Ingress Policies are evaluated in sequence number order, starting with the lowest sequence number and moving to the highest. To determine which sequence numbers have already been used, it is best to select the “Policies” entry under the Ingress Policy Map and drag the field to a display pane; this shows which graph options are available, and in this case the table view is the only applicable chart. The next step is to select the items you wish to be displayed in the table, in this case sequence number; on submitting, the table will be displayed:



In this example we see the lowest sequence number is 10000 meaning that our new policy must use a lower value, now all we need do is create the new entry: 



Within 1 second of selecting the Create Button ALL current flows will have been updated making the new rule fully active. You can now verify if indeed flows exist that are using this policy, this is achieved by selecting the Ingress Flow Classes entry which can also be dragged and dropped on a table chart, in this case select the Egress Flow Class and Matching Flows entries – multiple entries are selected by using standard CTRL and SHIFT select options: 



The final operation would be to save the configuration.

Creation Sequence Roundup

In walking through this example the steps for creation are:
  1. Create the New Group Name under the group type in which you wish to use it:
    • Application
    • GEO Location
    • Autonomous System Number
    • User
  2. Add this Group Name to all entries that should belong to this Group
  3. Create a New Egress Flow Class to be used by the eventual rule (IFC) you classify by
  4. Add the Egress Flow Class to the Egress Policy Map in use and allocate Upstream and Downstream rates together with setting the Host Equalization check box
  5. Create a New Ingress Flow Class – classification rule using the desired ACL and linking to the required EFC with the New group name included in the Required Groups field
  6. Finally add a New Policy to the Ingress Policy Map making sure to use an appropriate sequence number
  7. As a standard practice once happy with the new configuration change make sure you save the configuration to both partitions
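The following Python model, added here as an illustration and not Saisei's own code, walks through the classification behaviour this tech tip describes: an application's comma-separated Groups field, Ingress Policies evaluated from the lowest sequence number upwards, and an EFC with no Egress Policy Map entry being treated as DROP. The data structures, the sample applications and their group memberships, and the assumption that the first matching Ingress Policy wins are all constructed for the example.

```python
from dataclasses import dataclass

DROP = "DROP"


@dataclass
class IngressFlowClass:
    """Constructed model of an IFC: ACL filter, required group and target EFC."""
    name: str
    efc: str                  # Egress Flow Class (bandwidth partition) to use
    required_group: str = ""  # group the flow's application must belong to
    acl: str = "ALL"          # default: the built-in IP ANY ANY filter


def parse_groups(field_value):
    """Split a Groups field such as 'p2p, Low-Priority-Apps' into a set."""
    return {g.strip() for g in field_value.split(",") if g.strip()}


def classify(app_groups, ingress_policies, egress_policy_map):
    """Return the EFC a flow is allocated, DROP, or None when no rule matches.

    ingress_policies: {sequence_number: IngressFlowClass}
    egress_policy_map: {efc_name: (upstream_mbps, downstream_mbps)}
    Assumption: policies are tried lowest sequence number first and the first
    match wins; an EFC missing from the Egress Policy Map means DROP.
    """
    for seq in sorted(ingress_policies):
        ifc = ingress_policies[seq]
        if ifc.required_group and ifc.required_group not in app_groups:
            continue
        return ifc.efc if ifc.efc in egress_policy_map else DROP
    return None


# Constructed sample data: edonkey keeps its p2p group and gains the new one,
# so the relative sequence numbers of the two policies decide its partition.
APPLICATIONS = {
    "bittorrent": parse_groups("p2p"),
    "edonkey": parse_groups("p2p, Low-Priority-Apps"),
    "appleupdate": parse_groups("networking, Low-Priority-Apps"),
    "skype": parse_groups("voip"),
}
EGRESS_POLICY_MAP = {"p2p": (50, 50), "Low-Priority-Apps": (20, 20)}
POLICIES = {
    10000: IngressFlowClass("p2p", efc="p2p", required_group="p2p"),
    9000: IngressFlowClass("Low-Priority-Apps", efc="Low-Priority-Apps",
                           required_group="Low-Priority-Apps"),
}
```

Moving the Low-Priority-Apps policy to a sequence number above 10000 makes edonkey fall into the p2p partition instead, and removing the Low-Priority-Apps entry from the Egress Policy Map turns the rule into a DROP.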

Have more questions? Please submit a ticket to support@saisei.com