Solaris Bandwidth Manager 1.6 System Administration Guide. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Transcription

1 Solaris Bandwidth Manager 1.6 System Administration Guide Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A. Part Number April 2000

2 Copyright 2000 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, docs.sun.com, AnswerBook, AnswerBook2, Java, Solstice, Domain Manager, Site Manager and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun TM Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun s written license agreements. Federal Acquisitions: Commercial Software Government Users Subject to Standard License Terms and Conditions. DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 2000 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, Californie Etats-Unis. Tous droits réservés. Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l autorisation préalable et écrite de Sun et de ses bailleurs de licence, s il y en a. Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun. Des parties de ce produit pourront être dérivées du système Berkeley BSD licenciés par l Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, docs.sun.com, AnswerBook, AnswerBook2, Java, Solstice, Domain Manager, Site Manager et Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun Microsystems, Inc. aux Etats-Unis et dans d autres pays. Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc. L interface d utilisation graphique OPEN LOOK et Sun TM a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d utilisation visuelle ou graphique pour l industrie de l informatique. Sun détient une licence non exclusive de Xerox sur l interface d utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l interface d utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun. CETTE PUBLICATION EST FOURNIE EN L ETAT ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N EST ACCORDEE, Y COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L APTITUDE DE LA PUBLICATION A REPONDRE A UNE UTILISATION PARTICULIERE, OU LE FAIT QU ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE GARANTIE NE S APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU. Please Recycle

3 Contents Preface Introduction 17 Bandwidth Management 17 The Need for Bandwidth Management 18 Examples 18 How Bandwidth Management Works 19 Borrowing Bandwidth 20 The Root Class and the Default Class 21 Flows 21 Directory Service Interaction 22 Support for HTTP Traffic 22 Type of Service Control 22 Bandwidth Statistics and Accounting 23 New in Solaris Bandwidth Manager Architecture 25 Product Structure 25 Administration Tool 26 The Policy Agent 27 Flows 27 3

4 Type of Service Support 28 IP Specification of TOS 28 Solaris Bandwidth Manager and Type of Service 29 Solaris Bandwidth Manager Modes 30 Server Mode 30 IP-Transparent Mode 31 Multicast Routing and Solaris Bandwidth Manager Planning 37 Where to Use Solaris Bandwidth Manager 37 Configuration Planning 39 Designing the Class Hierarchy 39 Allocating Bandwidth 40 Borrowing Bandwidth 42 Configuration Planning Example 43 Paris 45 Bonn 47 London Editing the Configuration Files 53 Configuration Overview 54 Configuration Files and Directories 54 Configuration File Format 55 General Configuration Parameters 56 URL Group Definition 56 Host Group Definition 57 Subnet Group Definition 58 Service Definition 58 Filter Definition 59 Interface Definition 61 4 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

5 Class Definition 63 Type of Service Values 64 Agent Properties File Format 65 Configuration Examples 66 IP-Transparent Mode Interface Configuration 67 Server Mode Interface Configuration 68 Logical Interfaces 68 Complete Configuration Configuring Solaris Bandwidth Manager Using batool 73 Using batool 73 H To Start the batool Application 73 H To Start the batool Applet 74 Connecting to a Host System 74 Connecting to a Directory Service 75 Working in Online and Offline Mode 75 Navigating in batool 76 Configuring Solaris Bandwidth Manager 78 Viewing the Configuration Overview 79 Editing the Configuration 80 Configuration Example 93 H Before you can create a new configuration file, you must: 94 Defining Interfaces 94 H Define qe0_out to handle outgoing traffic like this: 94 Creating Filter Components 96 Creating Filters 97 H For example, to create a filter http: 98 H To create a filter any_bonn: 99 Creating Classes 101 Contents 5

6 H To create the class http as a child of the Out class: Configuring Solaris Bandwidth Manager with a Directory Service 103 Sun Directory Services 3.1 Configuration 103 Configuring the Sun Directory Services Server 103 H To Add the Solaris Bandwidth Manager Schema Files to the Directory Server Configuration 104 Saving the Bandwidth Manager Configuration 105 Directory Tree for Solaris Bandwidth Manager 106 Example Directory Tree 108 Working With a RADIUS Server 109 Overview 109 Configuration 111 Policy Behavior 112 Schema Objects for Solaris Bandwidth Manager 113 Object Classes 117 Attributes 121 Naming Conventions for Solaris Bandwidth Manager Running Solaris Bandwidth Manager 131 Starting, Restarting, and Stopping Solaris Bandwidth Manager 131 H To Start Solaris Bandwidth Manager Policy Agent: 131 H To Prevent the Policy Agent Being Restarted When You Reboot 132 H To Restart the Solaris Bandwidth Manager Policy Agent 132 H To Stop the Solaris Bandwidth Manager 132 Dynamic Reconfiguration 133 Creating a Dynamic Reconfiguration Schedule 133 Restrictions on Dynamic Reconfiguration 134 Monitoring Solaris Bandwidth Manager with SNMP 134 Configuring SNMP Monitoring Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

7 8. Statistics 137 H To Integrate Solaris Bandwidth Manager SNMP Agents with Solstice Enterprise Agents 135 Using a Solstice Site or Domain Manager Console 136 Displaying Statistics Using batool 137 H To Display Statistics 137 H To DisplaySummary Statistics 138 H To Display Flow Statistics 139 H To Display Class Statistics 141 Using bastat 141 H bastat Examples 142 A. Policy Agent Architecture 145 B. Event Processing 147 Directory Event Processing 147 Index 151 Contents 7

8 8 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

9 Tables TABLE P 1 Typographic Conventions 15 TABLE P 2 Shell Prompts 16 TABLE 3 1 Bandwidth Allocation and Priority of Classes on Paris Server 46 TABLE 3 2 Bandwidth Allocation and Priority of Classes on Bonn Server 48 TABLE 3 3 Bandwidth Allocation and Priority of Classes on London Server 50 TABLE 4 1 Type of Service Values and Their Meanings 64 TABLE 6 1 Containment Relationships Under baconf 108 TABLE 6 2 Object Class Summary 114 TABLE 6 3 Attribute Syntax Definitions 121 9

10 10 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

11 Figures Figure 1 1 Hierarchical Class Definitions 19 Figure 1 2 Bandwidth Allocation 20 Figure 2 1 Solaris Bandwidth Manager Architecture 26 Figure 2 2 Solaris Bandwidth Manager in Server Mode 30 Figure 2 3 Solaris Bandwidth Manager on a Router in Server Mode 31 Figure 2 4 Network Configuration Without Solaris Bandwidth Manager 32 Figure 2 5 Network Configuration IP-Transparent Mode 32 Figure 2 6 Traffic Flow in IP-Transparent Mode 34 Figure 3 1 Planning Where to Use Bandwidth Manager 38 Figure 3 2 Example of Allocating Bandwidth: Class Hierarchy 40 Figure 3 3 Example of Allocating Bandwidth: Root Allocated 100% 40 Figure 3 4 Example of Allocating Bandwidth: Child Classes of Root 40 Figure 3 5 Example of Allocating Bandwidth: Second Level Classes 41 Figure 3 6 Example of Allocating Bandwidth: Allocation Complete 42 Figure 3 7 Bandwidth Allocation Planning for the Example Corporation 44 Figure 3 8 Actual Network Use for Paris Site 45 Figure 3 9 Class Structure for Paris Site 45 Figure 3 10 Actual Network Use for Bonn Site 47 Figure 3 11 Class Structure for Bonn Site 48 11

12 Figure 3 12 Actual Network Use for London Site 49 Figure 3 13 Class Structure for London Site 50 Figure 4 1 IP-Transparent Configuration at London Site 67 Figure 4 2 Interfaces Configuration at Paris Site 68 Figure 4 3 Configuring Logical Interfaces 68 Figure 5 1 Interfaces Window 81 Figure 5 2 URL Group Window 84 Figure 5 3 Host and Subnet Group Window 86 Figure 5 4 Services Window 88 Figure 5 5 Filters Window 90 Figure 5 6 Classes Window 92 Figure 6 1 Directory Information Tree Structure 107 Figure 6 2 Mapping Between Solaris Bandwidth Manager and a Directory 107 Figure 6 3 Example Directory Tree 109 Figure 6 4 RADIUS Operation with Solaris Bandwidth Manager 110 Figure 6 5 Solaris Bandwidth Manager Schema 114 Figure A 1 Policy Agent Components 145 Figure B 1 Directory Event Processing Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

13 Preface This book explains how to plan, configure, and manage a network bandwidth management system using Solaris TM Bandwidth Manager. Note - The Solaris TM operating environment runs on two types of hardware, or platforms - SPARC TM and IA. The Solaris operating environment also runs on both 64 bit and 32 bit address spaces. The information in this document pertains to both platforms and address spaces unless called out in a special chapter, section, note, bullet, figure, table, example, or code example. Who Should Use This Book This book is for network administrators planning and implementing bandwidth management, using Solaris Bandwidth Manager 1.6. How This Book Is Organized Chapter 1 explains the concepts of bandwidth management and quality of service management, and introduces the features of Solaris Bandwidth Manager. Chapter 2 describes the architecture of Solaris Bandwidth Manager. Chapter 3 explains how to plan a bandwidth management system. Chapter 4 explains how to configure Solaris Bandwidth Manager using the configuration file. 13

14 Chapter 5 explains how to configure and manage Solaris Bandwidth Manager using the batool utility. Chapter 6 explains how to use a Directory Service with Solaris Bandwidth Manager. Chapter 7 explains how to monitor and maintain your bandwidth management system. Chapter 8 explains the statistics and accounting tools provided with Solaris Bandwidth Manager. Related Books Solaris Bandwidth Manager 1.6 Developers Guide explains how to create applications that interact with Solaris Bandwidth Manager using the programming interfaces provided. Standards Reference Solaris Bandwidth Manager is based on the following Internet standards and proposed standards: 4 RFC 2474 Definition of the Differentiated Services Field 4 RFC 2475 An Architecture for Differentiated Services Ordering Sun Documents Fatbrain.com, an Internet professional bookstore, stocks select product documentation from Sun Microsystems TM, Inc. For a list of documents and how to order them, visit the Sun Documentation Center on Fatbrain.com at 14 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

15 Accessing Sun Documentation Online The docs.sun.com SM Web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is What Typographic Conventions Mean The following table describes the typographic changes used in this book. TABLE P 1 Typographic Conventions Typeface or Symbol Meaning Example AaBbCc123 AaBbCc123 AaBbCc123 AaBbCc123 The names of commands, files, and directories; on-screen computer output What you type, contrasted with on-screen computer output Command-line placeholder: replace with a real name or value Book titles, new words, or terms, or words to be emphasized. Edit your.login file. Use ls a to list all files. machine_name% you have mail. machine_name% su Password: To delete a file, type rm filename. Read Chapter 6 in User s Guide. These are called class options. You must be root to do this. Preface 15

16 Shell Prompts in Command Examples The following table shows the default system prompt and superuser prompt for the C shell, Bourne shell, and Korn shell. TABLE P 2 Shell Prompts Shell Prompt C shell prompt C shell superuser prompt Bourne shell and Korn shell prompt $ Bourne shell and Korn shell superuser prompt machine_name% machine_name# # 16 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

17 CHAPTER 1 Introduction Solaris Bandwidth Manager 1.6 is a bandwidth management system that helps you manage your network resources and provide a guaranteed quality of service to users. Using it, you can: 4 Allocate guaranteed bandwidth to different classes of network traffic 4 Prioritize traffic, giving highest priority to urgent traffic 4 Make sure that the network is fully utilized at all times, by sending low-priority traffic when there is no urgent traffic Bandwidth Management The bandwidth of a network link is the maximum amount of data that can be transmitted simultaneously. Bandwidth is measured in bits per second, or more often in megabits per second (Mb/s). The maximum bandwidth of a link is determined by the devices at either end of the link, and by the type of link in use. Bandwidth is also limited by the physical characteristics of the material used on the link, but the limits of the network devices are typically the determining factor. For an organization buying network services from a provider, higher bandwidth is usually available for a higher cost. For a network provider, higher bandwidth is available by using higher-performance network devices, typically at additional cost. 17

18 The Need for Bandwidth Management Almost all network links are used by more than one user or application. This means that the available bandwidth has to be shared between them. Bandwidth management tools let you manage how this is done. If a network link is continuously congested, the link needs to be upgraded to provide greater capacity. In many cases, however, the typical load on a link is within the link capacity, and the link is congested only temporarily. Temporary congestion is sometimes predictable; for example, there are typically peaks in network use at particular times of the day or following a particular event. Other causes of temporary congestion, such as the transfer of a large file, are not possible to predict. If the average use of a link is within the link capacity, you can make considerable improvements in the performance of the network link by managing how the available bandwidth capacity is used. Allocating bandwidth to a particular type of traffic enables you to optimize the usage of the available bandwidth. Solaris Bandwidth Manager 1.6 enables you to manage the bandwidth used by IP traffic. It does this by: 4 Allocating traffic to a class based on the application type, source and destination addresses, URL group, or a combination, then assigning individual limits for each class. For example: 4 Traffic to Engineering must have at least 50% of the link. 4 HTTP traffic cannot exceed 10% of the link. 4 Prioritizing traffic. Some types of traffic, for example interactive traffic generated when using telnet or rlogin, need a quick response time. Solaris Bandwidth Manager lets you assign a higher priority to that traffic. Traffic that does not require a quick response time, such as a file transfer using FTP, can be assigned a lower priority. By balancing the bandwidth allocated to different types of network traffic and the relative priorities, you can optimize your network performance. Examples 4 You are the owner of a LAN leasing a network connection from a service provider. You can use Solaris Bandwidth Manager to make sure you make the most efficient use of the capacity you lease. Bandwidth management makes sure that your higher-priority traffic is sent first, but that you always get the maximum use of the capacity you are paying for. It is no longer necessary to over-specify your requirements just to guarantee that priority traffic can be sent. You might even be able to reduce the capacity you lease. 4 You are the owner of a WAN providing network services to many clients. Solaris Bandwidth Manager enables you to regulate the traffic in your network. With 18 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

19 Solaris Bandwidth Manager, you can provide a guaranteed minimum of bandwidth to a client, and as a bonus, provide additional bandwidth from time to time when it is not required by other clients. Since you know the level of bandwidth guaranteed, capacity planning is be both easier and more accurate. 4 You are a web service provider, hosting several web sites on behalf of commercial companies. Solaris Bandwidth Manager enables you to guarantee your client companies that a given bandwidth is available to the customers visiting their web sites. Today, many web providers charges are based either on disk space usage or on the number of times a site is visited. Disk space used is not a good indication of the cost to the provider, since a small site that is visited frequently can be as expensive to provide as a large site that is visited less frequently. Using the number of visits to a site is a better indicator of the cost to the provider, but is potentially an unbounded cost for the client. With Solaris Bandwidth Manager you can charge clients for a guaranteed bandwidth for their web sites. 4 You are an ISP providing services to many customers. Solaris Bandwidth Manager enables you to provide different classes of services to different customers. For example, you could offer Premium and Standard services, with different guaranteed minimum access levels, to suit the needs and budgets of your customers. How Bandwidth Management Works Bandwidth is allocated to a class of network traffic. Traffic is put into classes using a set of filters. Filters are defined using some or all of the following: 4 IP source address 4 IP destination address 4 IP protocol (TCP, UDP or other) 4 Source ports for TCP and UDP 4 Destination ports for TCP and UDP 4 Type of Service (TOS) value 4 URL or URL Group Class definitions are hierarchical and every class has a parent. For example, if you define a class for FTP traffic and a class for FTP traffic to a host called pear, the classes are connected in a hierarchy as shown in Figure 1 1. root Figure 1 1 ftp ftp-to-pear Hierarchical Class Definitions Introduction 19

20 In this example, the ftp class is a child of the root class and is the parent of the ftp-to-pear class. The configuration of Solaris Bandwidth Manager specifies the set of known classes for an interface, defined in terms of the values of some or all of these factors. It also allocates a percentage of bandwidth and a priority to each class. The priority of a class is an integer from 1 (highest priority) to 7 (lowest priority). When a packet arrives at Solaris Bandwidth Manager, the classifier analyzes the packet protocol, TOS value, URL information, source information, and destination information and allocates the packet to a class queue where it waits to be processed. If the queue to which a packet is allocated is full, the packet is dropped. Normal retransmission means that the packet is resent. The scheduler uses the percentage bandwidth configured and the priority for each class to decide the order in which class queues are processed. Within a class queue, the packets are processed on a first-in, first-out basis. When the network traffic reaches the maximum allocated to a class, packets from the next class in priority order are processed. Classifier Scheduler Figure 1 2 Bandwidth Allocation Borrowing Bandwidth Each class is guaranteed a percentage of the bandwidth, and when that limit is reached, normally no more traffic from that class can be forwarded. However, if the 20 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

21 network link is not fully used, a class can borrow bandwidth temporarily from its parent class, and send traffic at a percentage that exceeds its allocation. It is possible to set a maximum allowed bandwidth for a class to stop it borrowing all of the available bandwidth. The Root Class and the Default Class The root class is a special class that is created automatically by the Solaris Bandwidth Manager policy agent. You cannot explicitly assign guaranteed bandwidth to the root class: if the total bandwidth allocated to other classes is less than 100%, the difference is allocated to the root class and is available for borrowing and for use by traffic not allocated to any other class. The default class is an optional special class. Any packet that the classifier does not allocate to a specific class is put in the default class. The scheduler treats the default class in exactly the same way as any other class. If you do not define a default class, any packet that the classifier does not allocate to a specific class is put in the root class. Flows A flow is a complete exchange of data across a network, such as a file transfer by ftp or a mail message being sent by smtp. A flow is identified by: 4 The interface used 4 The IP source address 4 The IP destination address 4 The IP protocol (TCP, UDP or other) 4 The source and destination ports (TCP and UDP) 4 The IP type of service (TOS) value 4 The URL For more information on flow statistics, see Flows on page 27. Using the Java APIs, it is possible to write an application to detect the start of a flow, or the presence of traffic in a new flow, and update the configuration to take account of that flow. Introduction 21

22 Directory Service Interaction Solaris Bandwidth Manager configuration information and policy information can be stored in a directory service such as Sun Directory Services 3.1. Some advantages to this approach are: 4 The configuration of multiple instances of Solaris Bandwidth Manager can be updated from a single point, the directory. 4 The configuration can be dynamically updated upon detection of user connections or traffic flows, for example when remote access using the RADIUS protocol is in use. In many networks, particularly where users have dial-up connections or are mobile, there is no permanent mapping between a user and an IP address. However, if a remote user connects to the network using a RADIUS login sequence when using Sun Directory Services, the user s directory entry is updated with the current IP address. Using a directory to store information about users and their current locations provides a way to identify the user who is associated with a particular IP address. This has two benefits: 4 You can adjust the configuration of the classifier and scheduler depending on the actual usage of the network. 4 You can collect accounting information for individual users. See Chapter 6 for details of how Solaris Bandwidth Manager interacts with a directory service. Support for HTTP Traffic Most web transactions involve a proxy web server. This proxy hides the actual HTTP server from the user. Classifying web traffic based on the proxy s IP address does not provide an accurate view of the actual network traffic. Solaris Bandwidth Manager can use URLs to identify and classify web traffic. Type of Service Control The header of an IP packet contains a Type of Service (TOS) field. This field was originally designed to be used by the upper layers to provide information to the Internet layer to optimize the packet route. It is used in both routing and queuing algorithms. Solaris Bandwidth Manager has two available TOS modes, TOS match and TOS mark. In TOS match mode, the TOS value is used to classify the packet. In TOS mark mode, the packet is classified using other information, and a TOS value inserted, replacing any existing TOS value. The TOS value inserted is configured for the class. 22 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

23 TOS match and TOS match mode can be used simultaneously. In this case, the TOS value is used to classify the packet and is then overwitten with a new TOS value. Note - Use of the TOS value by Solaris Bandwidth Manager is optional. See Interface Definition on page 61 for information about setting the mode to determine whether the TOS value is used, and in which mode. If you are not using a TOS mode, the value of the TOS field is left unchanged. Bandwidth Statistics and Accounting Knowing how your network is being used lets you charge accordingly. Solaris Bandwidth Manager provides two sets of statistics that you can use for accounting: Class statistics Flow statistics The cumulated number of bytes per class. The cumulated number of bytes per flow. See Chapter 8 for information about how to use the statistics features in Solaris Bandwidth Manager. New in Solaris Bandwidth Manager 1.6 Solaris Bandwidth Manager 1.6 is a follow-on release from Sun TM Bandwidth Allocator 1.0. It provides the following additional features: 4 Regulation of incoming and outgoing traffic 4 Differentiated Services/Type of Service support 4 Classification of web traffic based on URLs 4 Improved accounting and billing 4 Ability to work with a directory service 4 Dynamic configuration 4 The ability to send events that can be read by a system that supports version 5 of the CISCO NetFlow protocol 4 Additional and improved APIs Introduction 23

24 24 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

25 CHAPTER 2 Architecture Product Structure Solaris Bandwidth Manager contains the following major components: 4 The administration tool, batool, provides a graphical interface for configuring bandwidth management. This can be run as an applet or an application from any machine in your network that has a Java Virtual Machine. It also allows you to create a bandwidth management schedule and view statistics. 4 The policy agent implements the configuration and handles communication with the kernel module. See The Policy Agent on page 27 for details of how the policy agent works. 4 The kernel module is viewed as a STREAMS driver, /dev/ipqos, by the tools in user space, and is viewed as a STREAMS module, ipqos, by the IP stack. It contains the classifier and the scheduler. 4 The classifier allocates packets to a class queue. 4 The scheduler determines the order in which queued packets are forwarded across the network, and applies the bandwidth limits and priorities configured for each type of traffic. 4 A set of Java APIs allow you to write applications to configure Solaris Bandwidth Manager, use a directory service with Solaris Bandwidth Manager and gather statistics. There is also a C Statistics API. 4 In addition to the statistics gathering capabilities of batool, the statistics utility, bastat, displays statistics on the bandwidth management configuration in use. 25

26 4 The SNMP agent enables you to monitor Solaris Bandwidth Manager using any SNMP management utility, such as Solstice TM Site Manager TM or Solstice Domain Manager TM. This is a component of the policy agent. 4 Commands and utilities for managing the Solaris Bandwidth Manager software and monitoring your network The diagram below shows the architecture of Solaris Bandwidth Manager. Figure 2 1 Solaris Bandwidth Manager Architecture Administration Tool You can use the administration tool, batool, to configure Solaris Bandwidth Manager. It has two modes: 26 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

27 4 In on-line mode, you can change the configuration currently being used by the kernel module. This is useful if an immediate temporary change is required because of a problem in your network. You also have the option of saving the current configuration, so that your changes are preserved. On-line mode allows you to observe the consequences of a particular configuration before you save it. 4 In off-line mode, you can change a configuration without disturbing the current behavior of the kernel module. This is useful if you want to make changes in the configuration without disrupting users, and have them implemented the next time the product is restarted. The administration tool communicates with the kernel module through the policy agent. batool sends configuration changes to the kernel module, and the kernel module sends statistics to batool. See Chapter 5 for a more detailed description of batool and how to use it. You can also configure Solaris Bandwidth Manager by editing the configuration files or from a directory service. The Policy Agent The policy agent is the communications hub of Solaris Bandwidth Manager. It controls the information sent to and from all other components, and the policies that they operate. It is implemented using the Java Dynamic Management TM Kit framework. It contains a set of Java management beans (m-beans) and their exported interfaces. See Appendix A for more detail on the architecture of the policy agent. Flows A flow is a complete exchange of information between a sender and a recipient as seen from the user s point of view. Examples of flows include sending a mail message or downloading a web page. A flow is defined by: 4 The interface used 4 The source and destination IP addresses 4 The IP protocol (TCP, UDP or other) 4 The source and destination ports (TCP and UDP) 4 The IP type of service (TOS) value 4 The URL Architecture 27

28 Since the TOS value can change during the lifetime of a flow, a flow can move from one class to another. However, this is not recommended, as packet ordering can be compromised. Information about all current flows is stored in a cache. When a packet arrives, its flow characteristics are compared with the cache information to see whether it is part of an existing flow or whether a new flow has started. The cache record includes the flow identification information and the following statistics: 4 The number of packets sent 4 The number of octets sent 4 The system uptime when the first packet arrived 4 The system uptime when the last packet arrived Note - A flow is terminated 60 seconds after the last packet in the flow was detected. This is not configurable. Monitoring flows rather than classes gives a more accurate picture of network usage, at finer granularity. This enables you to predict future network needs more accurately and gives you information that can be used in accounting. You can use batool to view flow statistics. See Chapter 8. You can also use any billing or accounting package that is compatible with version 5 of the CISCO NetFlow protocol. Type of Service Support An IP packet contains a type of service (TOS) field. Its purpose is to convey information about how the packet should be processed. Solaris Bandwidth Manager can use this information when classifying a packet. It can also change the information, to influence how the packet is processed. IP Specification of TOS on page 28 is a summary of the type of service definition from the IP specification. Solaris Bandwidth Manager and Type of Service on page 29 explains how Solaris Bandwidth Manager interacts with TOS. IP Specification of TOS The IP specification includes a definition of a Type of Service field in an IP packet header. This is intended to be used by upper-layer protocols to pass information to the Internet layer about how to optimize routing for the packet. 28 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

29 Network topology means that there are often a number of available routes between the source and destination of a packet. Some routes are more reliable than others. Some are expensive, with high call setup or usage charges, while some are low-cost but slow. The most suitable route for a packet depends on the application and user, and might even vary with other factors such as the time of day. For example, if you are a system administrator monitoring a remote system, you need to receive alarm traffic as rapidly as possible regardless of the cost, because the cost of routing the alarm is significantly lower than the cost incurred by a system problem. However, if you start to get a document by ftp from the same system at the end of your working day, intending to use it the following day, a low-cost, slow route is sufficient. The Internet Layer has no direct knowledge of how to optimize a route for a given application or user. The TOS facility was intended to provide hints about how best to route a packet, influencing both queueing algorithms and routing. It contains a 3-bit precedence field and a 4-bit TOS field. The setting of precedence field indicates one of the following values for the precedence: 4 Network 4 Internet 4 Critical 4 Flash-override 4 Flash 4 Immediate 4 Priority 4 Routine The possible settings of the TOS field are: 4 Minimize delay 4 Maximize throughput 4 Maximize reliability 4 Minimize monetary cost 4 Normal service The TOS facility has not been widely used in the past, but the Internet Engineering Task Force (IETF) is now working to modify the definition of TOS and to encourage its use. Solaris Bandwidth Manager and Type of Service The Type of Service facility is provided by the IP protocol to convey information about how individual packets should be directed over the Internet. The TOS field controls the routing and queueing algorithms in gateway operations. Architecture 29

30 The TOS byte contains a Precedence field, a TOS field and an Empty field Precedence TOS MBZ 4 The Precedence field contains 3 bits which sets the Precedence level for the byte. 4 The TOS field contains the TOS match value. This will be matched against the packet and is expressed as a hexadecimal value. 4 The MBZ field is currently unused and must be set to 0. For more information, refer to RFC 1349 Type of Service in the Internet Protocol Suite by P. Almquist. Solaris Bandwidth Manager Modes Solaris Bandwidth Manager can be used in one of two modes: server mode or IP-transparent mode. Server Mode On a host that is a source of IP traffic, run Solaris Bandwidth Manager in server mode. A host is a source of IP traffic if has only one network connection, to either the WAN or the LAN, or because it is a router of traffic. Figure 2 2 Solaris Bandwidth Manager in Server Mode 30 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

31 Figure 2 3 Solaris Bandwidth Manager on a Router in Server Mode When an interface for which bandwidth management is configured is initialized (usually at system startup), the ipqos module is pushed on to the IP stack, between IP and the interface. The Solaris Bandwidth Manager policy agent reads the configuration file and loads the configuration information into the ipqos module. The ipqos module then processes all traffic according to the configured definitions. Note - If a firewall is running on the same machine, install Solaris Bandwidth Manager on an interface that is not running encryption software. IP-Transparent Mode On a host that is between a LAN and a router, run Solaris Bandwidth Manager in IP-transparent mode. This mode is called IP-transparent because the host running Solaris Bandwidth Manager is completely transparent to the IP network and is perceived as just another machine connected to the LAN. The LAN and the WAN behave as though they are directly connected through the router only. It is not necessary to modify the routing tables. Architecture 31

32 Figure 2 4 Network Configuration Without Solaris Bandwidth Manager Figure 2 5 Network Configuration IP-Transparent Mode Kernel Architecture The Kernel contains three modules which receive, filter, classify, schedule and forward the packets between the LAN and the router. The logical flow of data in IP-transparent mode is shown by the dashed lines in Figure Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

33 ipqos1 ipqos2 ipqos3 Implemented into the IP stack by autopush.ba and autopush_usr.ba during system startup. This module monitors the packets arriving at the host from the LAN but only processes packets addressed to the host machine. Implemented when the policy agent is started. This module monitors the packets arriving at the host from the LAN and is used to filter and distribute them within the kernel. Implemented when the policy agent is started. This module interface monitors the packets arriving at the host from the LAN or WAN and classifies and schedules them. The classes for the configuration file are stored in this module. Traffic Flow From the LAN Traffic from the LAN to the host running Solaris Bandwidth Manager is received by the LAN interface. If the destination IP address of the packet is the host running Solaris Bandwidth Manager, it is dropped by ipqos2 as it will have already been sent up the IP stack by ipqos1. If the destination IP address of the packet is not the host running Solaris Bandwidth Manager then the packet is forwarded directly to the router in the following cases: 4 The IP packet is addressed to the router 4 The packet is not an IP packet and non-ip mode is set to direct in the configuration file 4 It is a multicast packet and multicast mode is set to direct Otherwise, the packet will be classified and scheduled by ipqos3. Traffic Flow From the WAN Traffic from the WAN is forwarded to the LAN via ipqos3 and ipqos2. 4 ipqos3. Packets are not classified and scheduled in the following circumstances: 4 If ipqos3 is not configured for regulating incoming traffic 4 The multicast parameter is set to direct 4 The packet is not an IP packet and non-ip mode is set to direct 4 ipqos2. This module checks the destination IP address. If the packet is addressed to the host running Solaris Bandwidth Manager, it is sent up the IP stack via ipqos1. Otherwise it is forwarded to its destination. Architecture 33

34 Figure 2 6 Traffic Flow in IP-Transparent Mode Only ipqos3 can be configured via the configuration file so any reference to the interface in this file must be the WAN interface. Configure the network device option in the configuration file to reference the LAN interface in one of the following ways: 4 By editing the network keyword in the interface section of the configuration file 4 Using the Configuration Interface window of batool. Non-IP Packets Non-IP traffic bypasses ipqos if the nonip_mode parameter is set to direct. These packets are not logged in the flow statistics. If set to ipqos, the traffic is sent to the default class or the root class if no default class is configured. Multicast Routing and Solaris Bandwidth Manager In server mode, Solaris Bandwidth Manager does not distinguish between multicast and other types of traffic. However, if you are using Solaris Bandwidth Manager in IP-transparent mode, it is not possible to predict automatically whether a router will forward a multicast packet, since this depends on your network configuration. 34 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

35 Therefore, there are three options to control how Solaris Bandwidth Manager handles multicast traffic. Choose the most appropriate option for your network: 4 Send through the ipqos module any traffic that might be forwarded by the router. This makes sure that traffic that is forwarded has bandwidth allocated. Send traffic that will not be forwarded by the router directly to the router, not through the ipqos module. The router needs to be aware of all multicast traffic, even traffic that it does not forward. The router does not forward traffic with a time-to-live of less than 2, or that is intended for the local subnet only (that is, traffic with a destination address in the range to ). 4 Send all multicast traffic directly to the router, not through the ipqos module. Do this only if you know that the router will never forward any multicast traffic. 4 Drop multicast packets and do not send them to the router. This means that the router never receives any multicast traffic. Architecture 35

36 36 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

37 CHAPTER 3 Planning Bandwidth management must be planned for your whole network, not for individual points where the software runs. There are two stages to planning bandwidth management: 4 Deciding where to install Solaris Bandwidth Manager 4 Deciding how to configure Solaris Bandwidth Manager at each point where it is installed Where to Use Solaris Bandwidth Manager Use Solaris Bandwidth Manager at any point in your network where the demand for bandwidth sometimes or always exceeds what is available, and at potential bottlenecks in your network such as the start of a transatlantic or other long-distance link or a LAN/WAN border. Solaris Bandwidth Manager regulates incoming and outgoing traffic. If a network link uses a shared medium, you must regulate traffic at all points that send traffic over the link. Solaris Bandwidth Manager can be used on a host that is a source of IP traffic, on an IP router, or on a host that is between a LAN and a router (known as running in IP-transparent mode, as described in IP-Transparent Mode on page 31). Note - You cannot use Solaris Bandwidth Manager to regulate traffic flow on a logical interface, such as le0:1. However, by defining classes that correspond to the traffic that would use a logical interface, you can achieve the same result. See Logical Interfaces on page 68 for an example of how to do this. 37

38 Solaris Bandwidth Manager regulates incoming and outgoing traffic at a given point in your network. Depending on your network topology, it might be useful to use bandwidth allocation at a point before any known bottleneck. A 5 5 C 10 D B Figure 3 1 Planning Where to Use Bandwidth Manager Assume you have the network shown in Figure 3 1, with the link capacities (in arbitrary units) shown. If host C does not generate any traffic, it is not necessary to use Solaris Bandwidth Manager, since the capacity of link CD is sufficient for the total amount of traffic that both AC and BC can deliver at a given time. However, if host C is also a source of traffic, use Solaris Bandwidth Manager at C to regulate the flow of traffic on the link CD. If the capacity of the link AC is increased to 10, host C becomes a potential bottleneck, whether or not it is a source of traffic itself, since the total amount of traffic that AC and BC together can deliver at a given time exceeds the capacity of CD. Using Solaris Bandwidth Manager at C does not prevent this. Instead, you need to run Solaris Bandwidth Manager at A, preventing, or reducing the probability of C being overloaded. If C is not a source of traffic, using Solaris Bandwidth Manager at A alone is probably sufficient. If C is a source of traffic, use Solaris Bandwidth Manager at A and C. When planning the configuration of Solaris Bandwidth Manager at a point in your network, you must consider the configurations of other bandwidth managers upstream in the traffic flow. For example, if at A, the ftp-from-a class is configured to use no more than 2 units of capacity of AC, there is no point in giving the ftp-from-a class more than 2 units of capacity of CD. You must also be careful not to set the traffic limits too low and under use a link. Configure Solaris Bandwidth Manager across your network so that all links are fully used and use the relative priorities of the classes to determine which packets are dropped or delayed if a link is busy. In planning where to install Solaris Bandwidth Manager, you need to consider the characteristics of particular types of traffic. With HTTP traffic, for example, the heavier traffic flow is towards the user who instigates the transfer, so it is more useful to use bandwidth management on a web server than on the user s local machine. 38 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

39 Configuration Planning At each point where you plan to use Solaris Bandwidth Manager, you must decide the following: 4 Whether to use IP-transparent or server mode. See Solaris Bandwidth Manager Modes on page 30 for explanations of these modes. 4 How multicast traffic is handled, if you are using IP-transparent mode. See Multicast Routing and Solaris Bandwidth Manager on page The hierarchy of classes, and the priority and bandwidth allocated to each class. See Designing the Class Hierarchy on page 39 and Allocating Bandwidth on page How to specify groups, filters, and services to construct the classes you require. There are no precise rules for choosing an initial configuration for Solaris Bandwidth Manager at a site. You could start with a configuration that reflects the actual usage patterns, perhaps adjusted to solve any serious problems, monitor the performance over a period and fine-tune the configuration. Alternatively, you could start by allocating equal bandwidth to all classes, and running Solaris Bandwidth Manager in stats mode to monitor how traffic is classified before allocating real bandwidth percentages to classes. Designing the Class Hierarchy The class hierarchy must be based on the network traffic patterns that you want to establish for a link. As a starting point, consider the actual traffic patterns. Configuration Planning Example on page 43 explains how information about current traffic patterns can be used to create the class hierarchy. The class hierarchy does not need to be the same at every point, but you need to be aware of how the classes at one point correspond to the classes at other points down the route of a packet. You must also take into account the characteristics of the traffic in each class, and how you can define a class. For example, some applications allocate port numbers dynamically. Since you do not know the port number in advance in these cases, defining a class on the basis of port number for traffic generated by such applications is not useful. Instead, use the protocol and address information to define these classes. Planning 39

40 Allocating Bandwidth Guaranteed minimum bandwidth is allocated in percentages or in bits per second. The root class has 100% of the bandwidth configured for an interface. Each child class of the root class is allocated a share of root s bandwidth. The child classes of those classes are allocated a share of their parent s bandwidth. The bandwidth you allocate is the minimum guaranteed bandwidth for a particular class. You can also set a ceiling, or maximum bandwidth if you want. The rest of this section is an example of how to allocate bandwidth to a hierarchy of classes. Assume you have the following class hierarchy: root Figure 3 2 Example of Allocating Bandwidth: Class Hierarchy Before you allocate any bandwidth to child classes, the root class has 100%: Figure 3 3 Example of Allocating Bandwidth: Root Allocated 100% Share the bandwidth allocated to the root class with the child classes of the root class, 1, 2, and 3: Figure 3 4 Example of Allocating Bandwidth: Child Classes of Root 40 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

41 The root class itself requires some bandwidth to handle traffic allocated to it, therefore, do not allocate 100% of the bandwidth to the child classes. The root class will use the 5% that is left. For each child class, share the bandwidth allocated with their own child classes. For example, share the 30% allocated to class 1 with child classes 1.1 and 1.2. The figure in brackets shows the amount of bandwidth left-over once you have allocated bandwidth to the child classes. This left-over bandwidth effectively becomes the guaranteed minimum bandwidth for the parent class. Figure 3 5 Example of Allocating Bandwidth: Second Level Classes Continue sharing the bandwidth allocated to each class with its child classes until all classes have an allocation: Planning 41

42 Figure 3 6 Example of Allocating Bandwidth: Allocation Complete Note - When specifying the bandwidth allocated to a class in the configuration file or using batool, you must specify the aggregate bandwidth allocated to a class and all its descendants. For example, for class 3.1, specify 20%, and for class 1, specify 30%. Borrowing Bandwidth When using bandwidth allocation, every class has a guaranteed minimum bandwidth. However, if the amount of traffic in that class exceeds the bandwidth allocated, and if there is spare bandwidth that is not being used by another class, the class can borrow bandwidth. 42 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

43 In the above configuration, assume that traffic for class 1.2 exceeds the 5% allocated. Assume that it is 7%. But traffic in class 1 overall only adds up to 20%, leaving 10% of class 1 s aggregate bandwidth available for borrowing. Class 1.2 can borrow up to 10% from class 1, so in this case, it can borrow the 2% it needs. However, a class cannot borrow at the expense of another class s guaranteed minimum bandwidth. Assume that traffic in class 1.2 remains at 7%. But traffic in class 1.1 increases to 15% and traffic in class 1 overall increases to 30%. Class 1.2 cannot go on borrowing from its parent class, class 1. It may be possible for class 1 to borrow from its parent class root. In this case, class 1.2 could then borrow this extra bandwidth from class 1. When more than one class wants to borrow bandwidth, the class s priorities are used to decide which class can borrow. The class with the highest priority can borrow all than bandwidth that it needs (subject to availability). If there is any bandwidth left, the next highest priority class can borrow, and so on. If more than one class of the same priority wants to borrow, the amount of minimum guaranteed bandwidth is used to decide. For example, if classes 1.1 and 1.2 both wanted to borrow, and both had the same priority, a ratio of 3:1 would be used to split the available bandwidth between them. Note - In order to prevent a high priority class from using up all available bandwidth at the expense of other classes: 4 Make sure you allocate a sufficient level of guaranteed minimum bandwidth to all classes in the configuration. 4 Consider configuring a maximum level of allowed bandwidth for high priority classes. Configuration Planning Example This section contains an example of bandwidth management being used within the European network of the Example Corporation, at three points: Paris, Bonn, and London. In the example, the Paris and Bonn sites each have a busy LAN, and route traffic from the LAN and from other sites on to the London site. From Paris to London there is a 256K line. From Bonn to London there is a 768K line. There is also a dial-up link directly from Paris to Bonn. London has its own LAN, and routes traffic from it and from Paris and Bonn to a site in the USA over a 10Mb line. Planning 43

44 Figure 3 7 Bandwidth Allocation Planning for the Example Corporation At all three sites, the network administrator monitored the actual network usage over a period and asked users what they thought were the three most important uses of the network. The following sections contain the data for each site and show the configuration that was designed. 44 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

45 Paris Figure 3 8 Actual Network Use for Paris Site The network users at the Paris site consider , file transfer and access to the world wide web to be the most important uses of the network. The actual usage pattern is shown in Figure 3 8. Using the data on network use and the user input, the network administrator designed the class hierarchy shown in Figure 3 9 and assigned the priorities and percentages of bandwidth shown in Table 3 1. Figure 3 9 Class Structure for Paris Site Planning 45

46 TABLE 3 1 Bandwidth Allocation and Priority of Classes on Paris Server Class Description Class Name Parent Class Percentage of Bandwidth Allocated Priority Root root http to Bonn http-bonn http 5 3 http to London or US http-lon http 10 3 http to elsewhere http root 20 5 telnet telnet root 30 1 System monitoring snmp root root 20 4 File transfer ftp root 15 7 Default default root 5 7 In batool and in the configuration file, you must specify the bandwidth allocated to a class and all its descendants. For example, the http-bonn and http-lon classes are both child classes of the http class. The http class and its descendants are allocated 20% of the bandwidth, of which the child classes are allocated 5% and 10%. With this configuration, the bandwidth used by FTP traffic is constrained to 15%, contrasting with the current usage figure of over 30%. 46 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

47 Bonn Figure 3 10 Actual Network Use for Bonn Site The network users at the Bonn site consider order administration, and calendar access to be the most important uses of the network. The order administration system uses HTTP to transfer data. The actual usage pattern is shown in Figure Using the data on network use and the user input, the network administrator designed the class hierarchy shown in Figure 3 11 and assigned the priorities and percentages of bandwidth shown in Table 3 2. Planning 47

48 Figure 3 11 Class Structure for Bonn Site TABLE 3 2 Bandwidth Allocation and Priority of Classes on Bonn Server Class Description Class Name Parent Class Percentage of Bandwidth Allocated Priority Root root http to Paris http-paris http 18 2 http to London or US http-lon http 18 2 http to elsewhere http root root 20 6 Telnet for system administration telnet sysadmin 8 1 SNMP snmp sysadmin 10 4 System administration sysadmin root 20 1 Default default root Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

49 London Figure 3 12 Actual Network Use for London Site The network users at the London site consider , calendar access, and file transfer to be the most important uses of the network. The actual usage pattern is shown in Figure To design the class hierarchy and assign the bandwidth and priority to the classes for the London site, it is necessary to consider the following: 4 The data on actual network use 4 Information about user preferences 4 The patterns in the traffic originating in Paris and Bonn, according to their own bandwidth management configurations 4 The difference in capacity of the links connecting Paris and Bonn to London (the Bonn to London link has three times the capacity of the Paris to London link). Taking all this into account, the network administrator decided to run the Solaris Bandwidth Manager software on the host that runs the routing software and designed the class hierarchy shown in Figure The classes shown in parentheses are not actual classes, but remind the network administrator to allow bandwidth in a parent class where the child classes do not account for all the traffic. In the http class, for example, there are two child classes, for traffic to the US and to Europe. There will also be http traffic that is not going to the US or Europe. This traffic will be allocated to the http class, so the percentage of bandwidth allocated to the http class should not all be shared between the child classes. Table 3 3 shows the percentage of bandwidth and the priority assigned to each class. Planning 49

50 Figure 3 13 Class Structure for London Site TABLE 3 3 Bandwidth Allocation and Priority of Classes on London Server Class Description Class Name Parent Class Percentage of Bandwidth Allocated Priority Root root http http root Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

51 TABLE 3 3 Bandwidth Allocation and Priority of Classes on London Server (continued) Class Description Class Name Parent Class Percentage of Bandwidth Allocated Priority http to US http-to-us http 20 2 http to US from Paris http-paris-to-us http-to- US http to US from Bonn http-bonn-to-us http-to- US http to US from UK http-uk-to-us http-to- US http to Europe http-to-europe http 10 4 Electronic mail root from Paris -paris from Paris (IMAP) -paris-imap paris from Paris (SMTP) -paris-smtp paris from Bonn -bonn from Bonn (IMAP) -bonn-imap bonn from Bonn (SMTP) -bonn-smtp bonn using IMAP -imap using SMTP -smtp 2 5 FTP ftp root 15 7 System administration sysadmin root 10 2 Telnet telnet sysadmin 5 1 System monitoring snmp sysadmin 2 2 Planning 51

52 TABLE 3 3 Bandwidth Allocation and Priority of Classes on London Server (continued) Class Description Class Name Parent Class Percentage of Bandwidth Allocated Priority From system admin console administrator sysadmin 2 1 Default default root 5 7 The percentage of bandwidth allocated to a class containing traffic originating in Paris or Bonn takes into account the differences in the link capacity between those sites and the London site. For example, the classes for from Bonn have three times the allocation of the classes for from Paris. 52 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

53 CHAPTER 4 Editing the Configuration Files This chapter describes how to edit the Solaris Bandwidth Manager configuration files directly, using a text editor. To edit the configuration files using batool, see Chapter 5. The following definitions are specified in the main Solaris Bandwidth Manager configuration file: 4 A timeout value. 4 The interfaces where traffic is to be controlled by Solaris Bandwidth Manager. 4 The filters used to assign traffic to a class. For each filter, you need to define: 4 The service, or traffic type 4 The URL or URL group 4 Local entity information, in terms of hosts, host groups, or subnets 4 Remote entity information, in terms of hosts, host groups, or subnets. 4 The classes to which traffic is to be allocated, their priorities, and the amount of bandwidth allocated. Each definition contains both mandatory and optional parameters, which can be edited to suit your configuration requirements. You can also edit the agent properties file, if necessary for your configuration. You must log into the machine running Solaris Bandwidth Manager as root or become superuser in order to carry out any configuration. 53

54 Configuration Overview To configure Solaris Bandwidth Manager you must create a group of classes that will be used to determine how network traffic is handled. Classes are defined in terms of the filters that are used to allocate traffic to a particular class, and filters are composed of a number of elements. Therefore, you must create both the filter elements and filters you require before you can create classes. All classes are assigned to a particular physical interface, so you must also define the interface(s) that you want to use in your configuration. The Solaris Bandwidth Manager configuration file cannot contain forward references, so you must configure the definitions in the following order: 4 Filter elements: 4 URL groups 4 Host groups 4 Subnet groups 4 Services 4 Filters 4 Interfaces 4 Classes The rest of this chapter describes the files and directories used to hold configuration information and explains how to specify the configuration you want by editing the files directly. Configuration Files and Directories The file /etc/opt/sunwconn/ba/ba_config.location indicates the location of the configuration file currently being used. This can be done by specifying: 4 A file name by default, the configuration file is stored in the directory/etc/ opt/sunwconn/ba 4 A full pathname this is useful if you do not store the configuration file in the default location 4 A URL, if the configuration is stored in a Directory Service When the Solaris Bandwidth Manager policy agent starts, it reads the file named in ba_config.location. If ba_config.location does not exist or cannot be read, 54 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

55 the policy agent assumes that the configuration file is ba.conf. If the configuration changes while the policy agent is running, it can be re-read by the policy agent (see Dynamic Reconfiguration on page 133). The directory /etc/opt/sunwconn/ba also contains the following files: 4 ba_config.location-sample The template for the ba_config.location file. 4 ba.conf-sample A sample configuration file. 4 agent.properties A file configuring the properties of the policy agent. 4 agent.properties-sample A sample file containing policy agent properties. 4 autopush.ba-sample The template for the autopush.ba and autopush_usr.ba files. These files are used to insert ipqos between IP and the interface drivers. 4 Use the autopush.ba file to specify interface drivers located in the /kernel/ drv directory. 4 Use the autopush_usr.ba file to specify interface drivers located in the / usr/kernel/drv directory. When you configure an interface in Solaris Bandwidth Manager, the relevant changes are made to the autopush.ba and autopush_usr.ba files when you try to reload the new configuration. You must then reboot your system for the changes to take effect. Do not change autopush.ba-sample. 4 /etc/default/ba_info A script that sets the environment variables needed by the Solaris Bandwidth Manager software. If you do not install Solaris Bandwidth Manager in the default location, edit this file and specify the correct values for BACONFIGFILES and BAHOME. Configuration File Format The Solaris Bandwidth Manager configuration file contains general configuration parameters and a number of definitions used to allocate bandwidth to network traffic. These definitions can be included in any order, but forward references to other definitions are not permitted. The file contains definitions for the following items: 4 URL group 4 Host group 4 Subnet group 4 Service Editing the Configuration Files 55

56 4 Filter 4 Interface 4 Class A definition is terminated by the keyword indicating the start of the next definition or by the end of the file. Within a definition there is a series of keywords and their values. Class names and filter names must not exceed 20 characters. Some keywords can take only one value but can be present more than once in a subsection. Other keywords can take more than one value, in a list separated by commas. A value cannot contain a comma. If the list of values for a keyword continues over more than one line, use a backslash (\) as a continuation character. A value can contain a backslash, unless the backslash is the last character in the line, in which case it is treated as a continuation character. You can include comment lines, starting with a pound sign (#). All lines starting with a hash sign are treated as comments, however, a value can contain a hash sign. Within a comment line, any characters are permitted. You must be root in order to edit this file. General Configuration Parameters The configuration file contains the following general parameters: 4 timeout seconds Indicates a time limit after which dynamic classes and filters are removed if no traffic is classified in them. The default value is 30 seconds. If a value of 0 is specified, the dynamic classes and filters are never removed. 4 version Indicates the version of the product in use. In this case 1.6. URL Group Definition A URL group definition is a list of one or more URLs (Uniform Resource Locator). Format url_group name url url_address 4 name is the name of the URL group. 4 url_address is a URL-based filter, specified as protocol:// username:password@host:port/path where: 56 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

57 4 protocol is the transport protocol used. For example, http, ftp, nntp. If no value is specified, http is used. You can use an asterisk (*) as a wildcard to specify any protocol. 4 username is the login used to connect to the remote server. Use of a username is optional. You can use an asterisk (*) as a wildcard to specify any username. 4 password is the password corresponding to the user login. Use of a password is optional. You can use an asterisk (*) as a wildcard to specify any password. The password is ignored for classification purposes. 4 host is the web server. The value of this filter can be an IP address, host name or domain name. You can use an asterisk (*) as a wildcard to specify any host. 4 port is the port number. You can use an asterisk (*) to indicate any protocol. If no value is specified, the default protocol specified in the /etc/services file is used. 4 path is the path of the URL. You can use an asterisk (*) as a wildcard to include a particular pattern, for example, *.htm. You cannot include more than one asterisk in a path. The following characters are restricted, and must be entered as an ascii code, preceded by a percent (%) sign: character ascii code % 40 : 3A, 2C # 23 The / character can only be used as part of a path. Example url_group web_sun_group url url url url ftp://ftp.sun.com/* Host Group Definition A host group is a list of IP addresses (in dot format) or host names that will be resolved by the host s database on the system where Solaris Bandwidth Manager is running. Editing the Configuration Files 57

58 Format host_group name address address_list 4 name is the name of the host group. 4 address_list is the list of hosts to be included in this group. Example host_group host_group grp_sales address 134.xxx.yyy.1, 134.xxx.yyy.2 grp_paris address 125.xxx.yyy.1, 125.xxx.yyy.2, apple, pear,\ orange Subnet Group Definition A subnet group is a list of IP addresses (in dot format) or network names that will be resolved by the host s database of the system running Solaris Bandwidth Manager or by the networks table. A subnet group also contains a subnet mask. Format subnet_group name address mask address_list subnet_mask 4 name is the name of the subnet group. 4 address_list is the list of networks to be included in this group. If entered as names, networks listed must be defined in the /etc/hosts file or the /etc/networks file. 4 subnet_mask is the subnet mask in dot format. You cannot use the + style of specifying a netmask. Example subnet_group grp_nets address 129.xxx.yyy.0, plum mask Service Definition A service definition provides a mapping between a service defined in application layer terms and the protocol and ports used. This includes control protocols such as 58 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

59 PIM, RSVP, and IGMP. A number of services are pre-defined in the file /opt/ SUNWconn/ba/lib/services.def. Complete Configuration on page 69 shows the pre-defined services. Format service name protocol ports protocol local_port,remote_port 4 name is the name of the service 4 protocol can be either the ANY keyword or any protocol defined in the /etc/ protocols file. 4 local_port and remote_port are the source and destination ports used by the service, separated by a comma. Use an asterisk (*) to indicate any port. You can specify any number of ports keywords and pairs of ports. Note - To avoid confusion, the adjectives local and remote refer to the same servers or ports regardless of the direction of the traffic. local refers to the server on which Solaris Bandwidth Manager resides and remote is the rest of the network. In the case of an IP transparent configuration of Solaris Bandwidth Manager, local refers to the LAN-side, and remote refers to the WAN-side. Example service tv protocol tcp ports 2023,* ports 2024,* ports *,2023 ports *,2024 Filter Definition A filter contains local and remote information and a service, and is used to determine the class of a packet. It can also contain URL information and a Type of Service value. Format filter name local remote type local_info type type type Editing the Configuration Files 59

60 url tos_match tos_match_mask service remote_info type urltype url_info tos_match tos_match_mask service 4 name is the name of the filter. This value can contain up to 20 characters. 4 type is the type of information identifying the local or remote network entity and is one of: 4 host 4 host_group 4 subnet 4 subnet_group 4 local_info and remote_info are specific local and remote network entity information. The convention for what is local and what is remote is the same as for the service definitions. The format depends on the value of type: 4 If type is host, specify the keyword address and the IP address or name of the host. 4 If type is host_group, specify the keyword name and the name of a host group that is defined earlier in the configuration file. 4 If type is subnet, specify the keyword mask and the subnet mask (in decimal dot format only), and specify the keyword address and the IP address or name of the network. 4 If type is subnet_group, specify the keyword name and the name of a subnet group that is defined earlier in the configuration file. 4 urltype is the type of information identifying the url setting and is one of: 4 url 4 url_group 4 url_info is specific URL information. The format depends on the value of urltype: 4 If urltype is url, specify the keyword address and the URL in the format protocol://username:password@host:port/path. 4 If urltype is url_group, specify the keyword name and the name of a url group that is defined earlier in the configuration file. 4 tos_match is the Type of Service value specified as a value between This value can be specified as a hexadecimal, decimal, or octal value. Refer to Type of Service Values on page 64 for further information. Prefix hexadecimal values with 0x and octal with Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

61 4 tos_match_mask is a bit mask that specifies which bits will match the Type of Service value in the IP header with the tos_match. Refer to Type of Service Values on page 64 for further information. 4 service is the name of the service or services. To specify any service, do not specify the service keyword. Examples filter filter filter1 local remote tos_match tos_match_mask service filter2 local remote url service type host address apricot type host_group name grp_sales 0x03 0x0F ftp,http type subnet_group name grp_nets type subnet address 129.xxx.yyy.0 mask type url_group name web_sun_group http Interface Definition An interface definition specifies a Solaris device name, its flow direction, and the bandwidth to be associated with it. Format interface name rate activate router_addr router_mac network multicast nonip_mode bandwidth status router_addr router_mac network_device multicast non_ipmode 4 name is the device name and is followed by a suffix: 4 _out indicates that the hierarchy below this interface will regulate outgoing traffic only. This is the default if no suffix is specified. Editing the Configuration Files 61

62 4 _in indicates that the hierarchy below this interface will regulate incoming traffic only. 4 bandwidth is the operating bandwidth rate associated with the device, in bits per second. This value need not necessarily be the maximum of which the device is capable. The value should not exceed the device s maximum. Note - Consider the actual operating rate of the device, rather than the nominal rate when determining the value of the bandwidth rate. 4 status indicates the status of the interface with respect to Solaris Bandwidth Manager and is one of: 4 enabled indicates that the classifier and scheduler are running. Bandwidth allocation is used on the interface and statistics are collected. This is the default value. 4 tos indicates that the classifier is running but not the scheduler. Statistics are collected, and the TOS is activated. In this mode, the TOS is used in classes for marking. 4 stats indicates that the classifier is running but not the scheduler. Statistics are collected. 4 disabled indicates that bandwidth allocation is not used on the interface. IP-Transparent Mode If you are using Solaris Bandwidth Manager in IP-Transparent mode, you must specify the router_addr, network, and router_mac keywords. 4 router_address is the list of IP addresses (or the hostname) of the router. If you specify more than one address, separate them with a comma. 4 network_device is the name of the device connected to the LAN. 4 router_mac is the MAC address of the router. This can be expressed in the standard hexadecimal format or as a hostname referenced in the ethers table. The following parameters are optional in IP-Transparent mode: 4 multicast defines how multicast packets are forwarded: 4 none indicates that no multicast packets are forwarded. 4 all indicates that all multicast packets are forwarded through ipqos (unless the time-to-live is less than 2 or the packets are local subnet traffic with destination addresses in the range to , in which case they go directly to the router). 4 direct indicates that all multicast packets are forwarded directly, not though ipqos. 62 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

63 See Multicast Routing and Solaris Bandwidth Manager on page 34 for more information about how Solaris Bandwidth Manager handles multicast traffic. 4 nonip_mode defines how non-ip packets are forwarded: 4 ipqos indicates that all non-ip packets are classified and scheduled. 4 direct indicates that all non-ip packets are forwarded directly, not through ipqos. These packets are not logged in the statistics. Example interface qe0_out rate activate enabled router_addr 134.xxx.yyy.3 router_mac 809xxxxx network le0 multicast all nonip_mode ipqos Class Definition A class definition contains the parameters for the class, including the filters that cause packets to be placed in this class. Format class name parent interface bandwidth max_bandwidth priority bandwidth_bps max_bandwidth_bps tos_mark tos_mark_mask flow_events filter parent_class interface bandwidth max_bandwidth priority bandwidth_bps max_bandwidth_bps tos_mark tos_mark_mask flow_events filter 4 name is the name of the class. This must be unique for the specified interface. If you want this class to act as the default class, its name must be default. 4 parent_class is the name of the class above this class in the hierarchy. 4 interface is the name of the interface used by traffic in this class. 4 bandwidth is the percentage of the bandwidth of the interface that is allocated to the class. Use either this parameter or bandwidth_bps. Editing the Configuration Files 63

64 4 max_bandwidth is the maximum percentage of bandwidth this class can use, including bandwidth borrowed from its parent class. Use either this parameter or max_bandwidth_bps. 4 priority is the priority of the class. Specify an integer from 1 (highest priority) to 7 (lowest priority). 4 bandwidth_bps is the absolute bandwidth in bits per second that is allocated to the class. Use either this parameter, or bandwidth. 4 max_bandwidth_bps is the absolute maximum bandwidth in bits per second that this class can use, including bandwidth borrowed from its parent class. Use either this parameter, or max_bandwidth. 4 tos_mark is the Type of Service specified as a value between It overwrites the existing value in classified packets in this class. Refer to Type of Service Values on page 64 for further information. 4 tos_mark_mask is a bit mask that specifies which Type of Service bits in the IP header are modified with the tos_mark. Refer to Type of Service Values on page 64 for further information. 4 flow_events indicates that flow added events are generated when a new flow is detected in the class. There are no semantics associated with the value of this keyword. To disable flow added events, remove this line from the file. 4 filter is the name of a filter that allocates packets to this class. You can specify more than one filter in a comma-separated list. Example class test_class parent root interface qe0_out bandwidth 35 max_bandwidth 45 priority 3 tos_mark 0x07 tos_mark_mask 0x0F flow_events ip_source filter filter1,filter2 Type of Service Values Solaris Bandwidth Manager uses the TOS byte in the following ways: 4 In filters, as a classification criterion 4 In classes, where it defines how the TOS byte must be overwritten 64 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

65 TABLE 4 1 Type of Service Values and Their Meanings 1000 minimize delay 0100 maximize throughput 0010 maximize reliability 0001 minimize monetary cost 0000 normal service The classification criterion in filters is defined by the tos_match and the tos_match_mask parameters. tos_match_mask is a bitmask that defines which bits of the TOS byte need to be checked. tos_match is the value to check. For example, to filter all packets whose TOS field has the "minimize delay" bit set and the "minimize monetary cost" bit cleared (xxx 1xx0x): tos_match_mask must be set to (0x12), and tos_match must be set to (0x10). In classes, the following parameters are used: tos_mark_mask and tos_mark. tos_mark_mask is a bitmask defining which bits to modify in the TOS byte, and tos_mark is the value to apply. Agent Properties File Format To edit the agent properties file, you require root access to the system running Solaris Bandwidth Manager. The file is called agent.properties and is located in the / etc/opt/sunwconn/ba directory. The parameters it contains are: 4 login An authentication login name for batool and Java clients. If no login is configured, users have read-only access. 4 password An authentication password. 4 agentport Port number for the agent. The default value is 6969, but it can be overridden here to avoid conflicts with other products. 4 dirport Port number for the LDAP replication slave. The default value is lightweight This can be one of true or false. With lightweight mode enabled, the policy agent is started in a special resource-saving mode. In this mode, all the features of the policy agent such as connection from the tool, restart operations, and SNMP monitoring are disabled, except the transmission of NetFlow packets. By default, lightweight mode is disabled. Editing the Configuration Files 65

66 4 netflowhost Specifies the host to which flow accounting information will be sent using the NetFlow protocol. By default, NetFlow packets are not sent. The NetFlow host can be specified as a hostname or an IP address in decimal dot notation. 4 netflowport Specifies the UDP port number to which NetFlow packets will be sent. This is used only if netflowhost is specified. The default value is Configuration Examples This section contains some examples of configuration files, based on the Configuration Planning Example on page IP-Transparent Mode Interface Configuration on page 67 shows an IP-transparent configuration. 4 Server Mode Interface Configuration on page 68 shows the configurations for two interfaces, each configured in server mode. 4 Logical Interfaces on page 68 shows the configuration for one interface that is configured as one logical interface at the IP level, using classes to divide the traffic by subnet. 4 Complete Configuration on page 69 shows a complete configuration for the Paris site, including the standard service definitions. 66 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

67 IP-Transparent Mode Interface Configuration Figure 4 1 IP-Transparent Configuration at London Site In IP-transparent mode, the host running Solaris Bandwidth Manager sits between the traffic source (usually a LAN) and the router. On the host shown in Figure 4 1, you configure the qe1_out interface for Solaris Bandwidth Manager, giving le0 as the network device. For example: interface qe0_out rate activate enabled router_addr 123.xxx.yyy.1 network le0 router_mac 809xxxxx multicast all In addition to the configuration shown above, you must configure a standard IP interface for the network interface to the LAN. This is necessary for the interface to be inserted into the IP stack at boot time. Create the file /etc/ hostname.interfacename with a reference to the IP address of the interface. Note - Do not configure the network interface on the WAN side. Run ifconfig -a and check that there is no reference to this interface. Editing the Configuration Files 67

68 Server Mode Interface Configuration Figure 4 2 Interfaces Configuration at Paris Site In this example, the host running Solaris Bandwidth Manager is acting as a router and there are two interfaces. le0 is the interface used when sending network traffic to London, and ipdptp1 is a PPP interface used when sending network traffic to Bonn. The configurations for both interfaces are normal server mode configurations. For example: interface interface le0_out rate activate enabled ipdptp1_in rate activate enabled Logical Interfaces Figure 4 3 Configuring Logical Interfaces 68 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

69 Solaris Bandwidth Manager operates at the level of the physical interface (le0) and does not recognize logical interfaces (le0:1 and le0:2, for example). If your IP configuration includes logical interfaces, you can use the class hierarchy to subdivide network traffic according to the destination subnet, and then manage the traffic for each subnet separately. Figure 4 3 shows a configuration with two logical interfaces. The configuration file contains a definition for the le0 interface, and filter and class definitions for the subnet1 and subnet2 classes. For example: filter subnet1 remote type subnet address 123.xxx.yyy.0 mask filter subnet2 remote type subnet address 123.xxx.zzz.0 mask interface le0 rate activate enabled class class subnet1 subnet2 parent interface bandwidth 60 priority 3 root le0_in max_bandwidth 100 filter subnet1 parent interface bandwidth 40 priority 3 root le0_in max_bandwidth 100 filter subnet2 Complete Configuration The following file implements the configuration described for the Paris server in Configuration Planning Example on page 43. Note that two filters, imap and smtp, have been used to define the class . # Sample configuration file for Paris site version 1.6 timeout 30 #Subnet Group definitions (continued) Editing the Configuration Files 69

70 (Continuation) subnet_group bonn address 129.xxx.xxx, 129.xxx.yyy mask subnet_group paris address 129.yyy.xxx, 129.yyy.yyy, 129.yyy.zzz mask subnet_group london address 129.zzz.xxx, 129.zzz.yyy mask #Filter definitions filter http_to_london local type name remote type name service filter telnet service filter imap service filter http_to_bonn local type name remote type name service filter snmp service filter http service filter ftp service filter smtp service subnet_group paris subnet_group london http telnet imap subnet_group paris subnet_group bonn http snmp http ftp smtp #Interface defintions for qe0_out interface qe0_out (continued) 70 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

71 (Continuation) rate activate enabled #Class definitions for interface qe0_out class ftp interface qe0_out parent root filter ftp bandwidth 15 priority 7 max_bandwidth 15 class interface qe0_out parent root filter imap, smtp bandwidth 20 priority 7 max_bandwidth 20 class snmp interface qe0_out parent root filter telnet bandwidth 5 priority 1 max_bandwidth 5 class telnet interface qe0_out parent root filter telnet bandwidth 30 priority 1 max_bandwidth 30 class http interface qe0_out parent root filter http bandwidth 20 priority 5 max_bandwidth 20 class http_bonn interface qe0_out parent http filter http_to_bonn bandwidth 5 priority 3 max_bandwidth 5 (continued) Editing the Configuration Files 71

72 (Continuation) class http_london interface qe0_out parent http filter http_to_london bandwidth 10 priority 3 max_bandwidth 10 class default interface qe0_out bandwidth 0 priority 7 max_bandwidth 0 #Interface definition for qe0_in interface qe0_in rate activate enabled #Class definition for interface qe0_in class default interface qe0_in bandwidth 100 priority 7 max_bandwidth Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

73 CHAPTER 5 Configuring Solaris Bandwidth Manager Using batool The Solaris Bandwidth Manager tool, batool, provides a graphical interface for configuring the Solaris Bandwidth Manager software. This chapter describes how to use batool to configure Solaris Bandwidth Manager. Refer to Chapter 8 for information on using batool to look at statistics. Using batool This section describes how to start and navigate in batool and the available modes of operation. To Start the batool Application You can run batool as: 4 An application on your local machine. You must have the SUNWbac and SUNWbat packages installed. 4 An applet accessed through a browser such as HotJava TM or Netscape 4.0 or compatible versions with Java Activator plug-in. If you want to configure a remote system, you must have a web server such as Sun WebServer TM installed on the system that is running Solaris Bandwidth Manager. If you run batool as an application, you can configure Solaris Bandwidth Manager on a local or remote system. 73

74 1. Start the batool application by running the batool script: hostname% /opt/sunwconn/ba/sbin/batool The application window starts and displays the batool Overview window. To Start the batool Applet 1. As root, start the Solaris Bandwidth Manager policy agent on the system where Solaris Bandwidth Manager is installed: # /etc/init.d/bagent.control start 2. Create a link between /opt/sunwconn/ba/html and a directory (badir) that is below the documentation root for your web server. The web server must be installed on the same machine as Solaris Bandwidth Manager. 3. On your local system, start the HotJava browser and open the URL where hostname is the name of the system running Solaris Bandwidth Manager and badir is the directory containing the link to /opt/sunwconn/ba/html. Connecting to a Host System When using batool to configure a system running Solaris Bandwidth Manager, you need to connect to the host running the Solaris Bandwidth Manager software. This applies even if the Solaris Bandwidth Manager software is installed on the local system. To connect to the system where Solaris Bandwidth Manager is installed, select Connect from the Connection menu. The connection dialog box is displayed. Specify: 4 The name of the server hosting the Solaris Bandwidth Manager software. 4 The username for the server. This is the username set when the Solaris Bandwidth Manager software was installed. It is defined in the file /etc/opt/sunwconn/ ba/agent.properties. 74 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

75 4 The password for the server. This is the password set when the Solaris Bandwidth Manager software was installed. It is defined in the file /etc/opt/sunwconn/ ba/agent.properties. You can change the password using the Change Password option of the Connection menu. If your username and password are valid, the Overview window is displayed. Note - If you log in without specifying a username or password, you have read-only access to the configuration information. Connecting to a Directory Service If the configuration for Solaris Bandwidth Manager is stored in a directory service, you must connect to it. To do so, select Open URL from the File menu. In the Location field, type the URL of the directory you want to use. Use the format ldap://host:port/distinguishedname. distinguishedname is the entry in the directory tree that holds the configuration information in a series of sub-entries and attributes. The Directory configuration is opened and the application window displays the Overview window. For information on using a Directory Service with Solaris Bandwidth Manager, see Chapter 6. Working in Online and Offline Mode You can configure Solaris Bandwidth Manager in online or offline mode. This mode determines how modifications to the configuration are handled. Toggle between online and offline mode using the button at the top left hand side of the tool-bar. Modifications are not automatically saved to the configuration file. To save a file, choose Save from the File menu. Running batool in Online Mode Use the online mode to configure batool dynamically. If any modifications are made, the configuration for the kernel module is updated immediately. This is useful if an immediate temporary change is required because of a problem in your network. Online mode allows you to observe the consequences of a particular configuration before you save it. Configuring Solaris Bandwidth Manager Using batool 75

76 Caution - Care must be taken when modifying the configuration file in online mode as changes are effective immediately. For example, by reducing the bandwidth allocation to your own connection, you can disconnect yourself from the host system. Running batool in Offline Mode Use the offline mode to edit a Solaris Bandwidth Manager configuration file without disturbing the current behavior of the kernel module. This is useful if you want to make multiple changes in the configuration and have them implemented next time the policy agent is restarted. This is the default mode. Navigating in batool batool has a set of menus and an icon bar which you can use to navigate in the tool and make changes to the configuration. Using the File Menu and Icon Panel You can use the File menu to create a new configuration file, open an existing configuration file (by specifying either a filename or a URL), save a configuration file, and save a configuration file with a new name. You can also save your current configuration file and restart the Solaris Bandwidth Manager policy agent. Alternatively, you can use the icon panel to perform most of the same functions: Icon Menu Item Description none Refreshes the screen display. none New Creates a new configuration file, with the name new.conf. Open Opens the specified file and displays its contents in the Overview window. Save Saves a file. If the file has not been saved before, use the file selection window to specify a filename and directory. The file name should have the extension.conf. 76 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

77 Icon Menu Item Description none Save As Saves the configuration file with a new name or writes it to a Directory Service using the specified URL. Save and Restart Saves the configuration file and restarts the policy agent using the saved version of the file. none Restart URL Restarts the policy agent using the configuration saved in the Directory Service specified using the URL. Using the Edit Menu and Icon Panel You can use the Edit menu to create, cut, copy, and paste definitions in many of the windows in batool. The exact function of each option depends on the active window. For example, the paste option will paste a URL group in the URL Group window and will paste a class as child or sibling in the Classes window. Alternatively, you can use the icon panel to perform the same functions as the Edit menu: Icon Menu Item Description New Cut Creates a new definition. If you create a new class, it is added as a child of the currently selected definition. New definitions always have the name new. Change this before saving the configuration. Deletes a definition from the definition hierarchy. Copy Adds a duplicate definition as a child of the selected destination. It inherits parameter values and a name, appended by a number, from the original definition. Configuring Solaris Bandwidth Manager Using batool 77

78 Icon Menu Item Description Paste Adds the definition as a child of the selected destination. none Navigate up and down the definition hierarchy Wherever you see an instruction to use the Edit menu, you can use these icons. Configuring Solaris Bandwidth Manager To configure Solaris Bandwidth Manager, you must create a group of classes that will be used to determine how network traffic is handled. Classes are defined in terms of the filters that are used to allocate traffic to a particular class, and filters are composed of a number of elements. Therefore, you must create both the filter elements and the filters you require before you can create classes. All classes are assigned to a particular physical interface, so you must also define the interface(s) that you want to use in your configuration. If you configure Solaris Bandwidth Manager using batool, the configuration is stored, by default, in the file /etc/opt/sunwconn/ba/ba.conf. If you start Solaris Bandwidth Manager from batool and specify a different configuration file to be used, ba_config.location is updated automatically to contain the name of this configuration file. The name of the configuration file must be in the form *.conf. When the Solaris Bandwidth Manager policy agent starts, it reads the file named in ba_config.location. If ba_config.location does not exist or cannot be read, the policy agent uses the ba.conf configuration file. If the configuration changes while the policy agent is running, it can be re-read by the policy agent (see Dynamic Reconfiguration on page 133). You can also load a configuration stored in a directory service, by specifying a URL. Use the Open URL option of the File menu, and enter the URL of the directory you want to use. Use the format ldap://host:port/distinguishedname. The distinguishedname parameter is the entry in the directory tree that holds the configuration information in a series of sub-entries and attributes. There are two ways of modifying the values of configuration parameters using batool: 78 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

79 4 From the Overview window double click a definition to launch its editing window. You can also use the Overview window to view summary configuration information. 4 From the Configuration window select the Configuration tab then select the definition you want to modify. The editing window for the definition is displayed. Viewing the Configuration Overview The Overview window displays the definitions for the current configuration in a hierarchical format. The parameters and values for each definition are displayed in the adjacent rows and can be easily modified. The Overview window is displayed by default when batool is started. Otherwise, select Overview from the tab menu to display it. The definitions are displayed as a hierarchy from left to right, in the following order: 4 Interface name 4 Interface flow direction 4 Class, sibling class 4 Child class Select a definition to display its parameters and values in the adjacent table. Definitions that contain other definitions are displayed as folders. In the table, the following interface parameters are displayed: Bandwidth Activation Mode Default Class IP Transparency The total available bandwidth for the interface expressed in bits per second. The level of statistics logging expressed as stats, stats & tos, stats tos & scheduling or no. Indicates the presence of a default class, expressed as Yes or No. Indicates the IP transparency mode, expressed as Yes or No. In the table, the following class parameters are displayed: Bandwidth Priority The bandwidth allocated to the class, expressed as a percentage. The level of priority assigned to the class, expressed as a value between 1 and 7. TOS Mask The Type of Service, expressed as a value between 0 and 255. Configuring Solaris Bandwidth Manager Using batool 79

80 Flow events Filters Indicates whether flow added events are generated when a new flow is detected in the class. Click the filter cell to display the currently selected filters for the class. You can use the Edit menu or icon bar to create, delete, move, copy, and modify these definitions. Editing the Configuration To display the Configuration window, click the Configuration tab. The Configuration window contains six definition windows. A tab appears for each one when you display the Configuration window. The definitions can be configured in any order but should be completed in sequence from left to right to avoid forward references to other definitions: 4 Interfaces 4 URL Groups 4 Subnet and Host Groups 4 Services 4 Filters 4 Classes To display a definition window, click its tab. Defining Interfaces The Interface definition specifies an interface device name, its flow direction, and the bandwidth to be associated with it. 80 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

81 Figure 5 1 Interfaces Window The Interface List in the left hand column displays all the currently configured interface device names. To display configuration information for an interface, click its name. The relevant parameters and values are displayed in the interface panel. The configurable parameters are: 4 Device Name. A new interface is created with the temporary name new. To change this name, type a new name in the Device Name field and click Apply. The device name must follow the Solaris convention of driver name, driver number, for example qe0. Configuring Solaris Bandwidth Manager Using batool 81

82 The Device Name is automatically appended with _in or _out depending on the flow direction selected. 4 Bandwidth. This is the operating bandwidth rate associated with the device in bits per second. This value need not necessarily be the maximum of which the device is capable. The value should not exceed the device s maximum. Note - Consider the actual operating rate of the device, rather than the nominal rate when determining the value of the bandwidth rate. 4 Default Class. Allowed values are: Yes No Create a default class. There is no default class. 4 Flow Direction. Allowed values are: In Out The hierarchy below this interface will regulate incoming traffic only. The hierarchy below this interface will regulate outgoing traffic only. Depending on your selection, the interface device name is automatically appended with _in or _out. 4 IP Transparency Mode. Allowed values are: Yes No Use Solaris Bandwidth Manager in IP-transparent mode. Use Solaris Bandwidth Manager in Non-transparent mode. If you choose to run Solaris Bandwidth Manager in IP-transparent Mode, you must complete the additional options in the panel below: 4 Network Device. This is the name of the device used to communicate with the network, as opposed to the router. 4 Router Address This a list of IP addresses (or hostname) of the router. If you specify more than one address, separate them with a comma. 82 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

83 4 Multicast The Mulicast option defines how multicast packets are forwarded: None All No multicast packets are forwarded. All multicast packets are forwarded through ipqos with the exception of: 4 Packets where the time-to live is less than 2 4 Packets for the local subnet, with destination addresses in the range to In both of these cases, they go directly to the router. Direct All multicast packets are forwarded directly, not through ipqos. 4 Router MAC This is the MAC address of the router which can be expressed in the standard hexadecimal format. 4 SendNon-IP traffic to: This option defines how non-ip packets are forwarded: scheduler router All non-ip packets are classified and scheduled. All non-ip packets are forwarded directly, not through ipqos. These packets are not logged in the flow statistics. 4 Statistics Logging. Allowed values are: Statistics Statistics and TOS Statistics and TOS and scheduler Statistics are collected on the interface, with the classifier running but not the scheduler. Statistics are collected on the interface, with the Type of Service activated and the classifier running, but not the scheduler. Statistics are collected on the interface, with the classifier and scheduler running. You can also use the Interface window to disable Solaris Bandwidth Manager. Select No in the Active panel. Configuring Solaris Bandwidth Manager Using batool 83

84 Defining URL Groups The URL Group definition is a list of one or more URLs (Uniform Resource Locator). These are typically made use of in the URL block of the Filter definition. See Filter Definition on page 59. Figure 5 2 URL Group Window The URL Group list in the left hand column displays all the currently configured URL groups. To display configuration information for a particular URL group, click its name. 84 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

85 The configurable parameters are: 4 URL Group Name. The name of the URL group. 4 Group The list of URL group members. To Add a Definition to the URL Group 1. Double-click the empty line below the last URL entry. The text editing mode starts, indicated by a cursor in the empty line. 2. Type the URL you want to include in the URL group. Specify the URLs in the format: protocol://username:password@host:port/path where: 4 username is the login of a user. 4 password is the password corresponding to the user login. 4 protocol is the transport protocol used, for example, http, ftp, nntp. 4 host is the host machine. You can use an asterisk (*) as a wildcard to include a particular pattern, for example, *.sun.com. 4 port is the port used. You can use an asterisk (*) to indicate any protocol. If no value is specified, 80 is used. 4 path is the path of the URL. You can use an asterisk (*) as a wildcard to include a particular pattern, for example, *.htm. 3. Click Apply. Configuring Host and Subnet Groups A host or subnet group is a list of IP addresses (in dotted decimal format) or of host names that will be resolved by the systems host s database or networks table. A subnet group also contains a subnet mask. Configuring Solaris Bandwidth Manager Using batool 85

86 Figure 5 3 Host and Subnet Group Window The Group List in the left hand column displays all the currently configured Host and Subnet groups. Configurable parameters are: 4 Group name Assign a new group name when you create the group. 4 Group Type This can be either Host or Subnet 4 Address List 86 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

87 The list of addresses that compose the group. 4 Subnet mask The subnet mask. This is only required for a subnet group. This must be expressed in IP dotted notation or as a name that can be resolved by the system s host table. To add an address to a host or subnet group: 1. From the Group List, select the group you want to add an address to. The addresses currently contained in the group are displayed in the adjacent address list panel. 2. In the Address List panel, double-click in the empty line below the last address entry. The text editing mode starts, indicated by a cursor in the empty line. 3. Type the address you want to include in the group. The address can be specified as a hostname or IP address. 4. Click Apply. The address is added to the group. Defining Services A service definition provides a mapping between a service defined in application layer terms and the protocol and ports used. A number of services are pre-defined in the file /opt/sunwconn/ba/lib/services.def. You do not need to carry out any configuration to use these services. Configuration Examples on page 66 shows the pre-defined classes. Configuring Solaris Bandwidth Manager Using batool 87

88 Figure 5 4 Services Window The Services Lists in the left hand column display all the currently configured services. The configurable parameters for user defined services are: 4 Service Name New services are created with the temporary name new. To change this name, type a new name in the Service Name field and click Apply. 4 Protocol Choose one of TCP, UDP, Other, or Any. 88 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

89 4 Local and Remote Port. 4 Other Specify the protocol you want to use here. You need only complete this field if you specified Other in the Protocol field. To add port information: 1. From the Services List, select the service you want to add port information to. The service is highlighted. The ports currently used by the service are displayed in the TCP/UDP panel. 2. In the TCP/ UDP panel, double-click in the empty line below the last address entry. Complete both the Local and Remote port columns. The text editing mode starts, indicated by a cursor in the empty line. 3. Type the ports you want to include in the Service. Use an asterisk (*) to indicate any port. 4. Click Apply. The port information is added to the service. Defining Filters The filter definition contains local and remote information and a service and is used to determine the class of a packet. It can also contain URL information and a Type of Service value. Configuring Solaris Bandwidth Manager Using batool 89

90 Figure 5 5 Filters Window The Filter List in the left hand column displays all the currently configured Filters. The configurable parameters are: 4 Filter Name New filters are created with the temporary name new. To change this name, type a new name in the Filter Name field and click Apply. 4 TOS In the TOS field, type the Type of Service value. This must be a value between 0 and Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

91 4 Matching mask This value specifies which bits will match the Type of Service value in the IP header with the Type of Service value. This must be specified as a bitmask. 4 Remote and local network entity types. Specify the remote and local network entity types. For each type, a different name field is displayed: Host Host Group Subnet Subnet Group Complete the Host Name field. This value can be expressed as a domain name or IP address. Complete the Host Group Name field with a Host Group name defined in the Host and Subnet Groups window. To define a new Host Group, click Create. This starts the Host and Subnet Groups window. Complete the Subnet Name field with a Host name or IP address. Complete the Subnet Mask field with a subnet mask. Complete the Subnet Group Name field with a Subnet Group name defined in the Host and Subnet Groups window. To define a new Subnet Group, click Create. This starts the Host and Subnet Groups window. 4 Service The available services are displayed in the drop-down menu. To define a new service in the Services window, click Create. 4 URL From the local panel, select Single URL or URL Group. A different name field is displayed for each selection: Single URL URL Group Complete the Single URL field. Specify the URL in the format protocol:// username:password@host:port/path. Complete the Group Name field with a URL group name defined in the URL Group window. To define a new URL Group, click Create. This starts the URL Group window. Defining Classes A class definition contains the parameters for the class, including the filters that cause packets to be placed in this class. Configuring Solaris Bandwidth Manager Using batool 91

92 Figure 5 6 Classes Window The classes are displayed as an expandable tree structure in the Class Tree, together with the interface name and the flow direction. Classes that contain other classes are displayed as folders. The definitions are presented as a hierarchy, from left to right, in the following order: 4 Interface name 4 Interface flow direction 4 Class, sibling class 4 Child class 92 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

93 The parameters and values for each class are displayed in the adjacent class panel. New classes are added as a child or sibling of the currently selected class. Use the Edit menu to choose which. A new class is created with the temporary name new. To change this name, type a new name in the Class Name field and click Apply. The configurable parameters for a class are: 4 Bandwidth You can specify this as a percentage or in bits per second. You can also specify that this class is not allocated any bandwidth by choosing Deny Access. 4 Priority This must be a value between 1 (highest priority) and 7 (lowest priority). 4 Type of Service (TOS) This must be a value between 0 and Match bits This value specifies which Type of Service bits in the IP header will be modified with the Type of Service value. This must be specified as a bitmask. 4 Borrow bandwidth If you select Yes, complete the Max % field with the maximum bandwidth the class is allowed to borrow. 4 Directory request If you select Yes, complete the Flow Event field with the flow events to be generated when a new flow is detected in the class. For more information on Flows, see Flows on page Filter This determines what network traffic will be allocated to this class. If you do not specify any filters, no traffic is allocated. To create a new filter, click Create. Configuration Example This section contains an overview of the procedure for creating a Solaris Bandwidth Manager configuration using batool. The configuration in this chapter is that defined for the Paris site in Configuration Planning Example on page 43. In Solaris Bandwidth Manager, traffic is allocated bandwidth on the basis of the class to which it belongs. Classes are defined in terms of filters, and filters are defined in terms of URL groups, host and subnet groups, and services. You must also define the Configuring Solaris Bandwidth Manager Using batool 93

94 interface(s) running Solaris Bandwidth Manager. To configure Solaris Bandwidth Manager: 1. Define the interface running Solaris Bandwidth Manager. 2. Define the information that will be used to create filters. 3. Create filters. 4. Create classes. You can define an interface at any time. You can only define a class in terms of filters that already exist, and you can only define a filter based on information that you have already defined. Therefore, when using batool, work from left to right. Before you can create a new configuration file, you must: 1. Start the batool application by running the batool script: /opt/sunwconn/ba/sbin/batool 2. Create a new configuration file. To do this, select New from the File menu. This creates a configuration file called new.conf with undefined parameter values. 3. Display the configuration window. Click the Configuration tab. Defining Interfaces The example system requires two interfaces: one to handle outgoing traffic and one to handle incoming traffic. Define qe0_out to handle outgoing traffic like this: 1. Change the default device name new0 to the name of the interface, in this case qe0. Do not append _out; this is done automatically for you. 94 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

95 2. Specify the bandwidth for this interface, in this case bits per second. 3. Specify that there is a default class for this interface, that the direction of traffic handled is out, and that the interface is not IP transparent. 4. Specify the level of activation for the interface, statistics, TOS, and scheduling. 5. Click Apply, then choose Save from the File menu to save your changes. The filled in window looks like this: Configuring Solaris Bandwidth Manager Using batool 95

96 Creating Filter Components A Solaris Bandwidth Manager filter is defined using URL, host and subnet groups, and services. You must define these before you create filters. The example configuration requires 3 subnet groups, one each for the Paris, Bonn, and London networks. It also requires services to handle the following protocols: http, telnet, 96 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

97 snmp, smtp, imap, and ftp. However, as these services are all preconfigured, you do not need to create them. It does not require any URL groups or any host groups. Creating a Subnet Group Using Solaris Bandwidth Manager, you can classify traffic based on the source or destination IP address of an individual machine. If you want to classify all of the traffic from a given network or group of networks, a convenient way to do this is to create a subnet group. To create a subnet group for the Bonn site 1. Display the Host/Subnet Groups configuration window by clicking the Host/ Subnet Groups tab. 2. Click the new icon to create a new group. 3. Allocate a name to the group by changing the default name new. 4. Specify that the group type is Subnet. 5. Specify the list of subnets that belong to the Bonn site. To do this, click the top left of the Addresses pane this creates an editable field where you can type an address. After entering an address, click Apply. This records the address you just entered and makes the line below writable for your next entry. Specify subnet addresses in standard IP dotted notation. 6. Specify the subnet mask for these addresses. 7. Click Apply. Then choose Save from the File menu to save your changes. You could also use a host group for the same purpose, but you would have to enter the IP address of each host at the Bonn site separately. Creating Filters Filters are used by Solaris Bandwidth Manager to put traffic into classes. They are defined using host, subnet, and URL groups and services. Configuring Solaris Bandwidth Manager Using batool 97

98 For example, to create a filter http: 1. Click the Filters tab to display the Filters window. 2. Click the new icon to create a new filter. 3. Assign a name to the filter by overtyping new in the Filter Name field. 4. Specify that this filter applies to http traffic. Use the pull-down menu in the service pane to choose http. 5. Click Apply. 6. Choose Save from the File menu to save your changes. The completed http filter looks like this: 98 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

99 To create a filter any_bonn: 1. Click the new icon to create a new filter. 2. Assign a name to the filter, by overtyping new in the Filter Name field. Configuring Solaris Bandwidth Manager Using batool 99

100 3. Specify that this filter applies to traffic for Bonn. In the remote pane, click beside Subnet Group. Then use the pull-down menu to choose the subnet group bonn. 4. Click Apply. 5. Choose Save from the File menu to save your changes. The completed any_bonn filter looks like this: 100 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

101 Creating Classes Once you have created all the filters you require, you can create classes using them. When you open the Classes window (click the Classes tab) there is a navigation pane on the left hand side of the window. The class qe0 already exists. This represents the interface you configured earlier. The expanded class hierarchy looks like this: Note that a default class has been created automatically for each interface, as you specified when creating the interface that there would be a default class. To create the class http as a child of the Out class: 1. Click to highlight the Out class in the navigation window. A new class is always created as a child of the highlit class. 2. Click the new icon to create a new class. 3. Assign a name, for example http, to the new class. 4. Specify the percentage of bandwidth to be allocated to the new class (20%) and the priority (5) it should be given. 5. From the list of available filters, choose the filter(s) that define this class and add them to the selected filters list. 6. Click Apply. 7. Choose Save from the File menu. Configuring Solaris Bandwidth Manager Using batool 101

102 The completed new class looks like this: 102 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

103 CHAPTER 6 Configuring Solaris Bandwidth Manager with a Directory Service Solaris Bandwidth Manager configuration information and policy information can be stored in a directory service such as Sun Directory Services 3.1. Some advantages of this approach are: 4 It is possible to update the configuration of multiple instances of Solaris Bandwidth Manager from a single point, the directory. 4 The configuration can be dynamically updated upon detection of user connections or traffic flows, for example when using the RADIUS protocol for remote access. Sun Directory Services 3.1 Configuration To enable Solaris Bandwidth Manager to operate with Sun Directory Services, you must carry out a certain amount of configuration on the directory itself. Do this first. You must then save the Solaris Bandwidth Manager configuration into the directory. This operation automatically creates the necessary entries for policy information in the directory. Configuring the Sun Directory Services Server On the Sun Directory Services server, you must perform the following operations: 4 Add the Solaris Bandwidth Manager schema files to the Sun Directory Services schema. 103

104 4 Declare the policy agent as a replica of the subtrees containing Solaris Bandwidth Manager information. If you modify the Solaris Bandwidth Manager configuration in the directory, you must replicate the subtree containing the configuration. You must replicate all entries. The bind Distinguished Name (DN) to use in the replication is of the form uid=login, etc, where login is the login defined in the agent.properties file of the policy agent. The password to use in the replication is the password defined in the agent.properties file. Replication mode must be push. 4 Set a replication schedule for the replication of information between the directory and the policy agents. You can set replication to immediate, which means that whenever modifications are made to entries that are within the scope of the replica, they are automatically pushed to the appropriate policy agent. Doing so is mandatory if you are working with the RADIUS protocol. 4 Define Access Control Lists (ACLs) for Solaris Bandwidth Manager information: for remote user connections, you must give the policy agent read access to at least the policyref attribute of the entries in the remote user subtree. To enable updates to the configuration stored in the directory from batool, you must provide write access to the policy agent on all entries and attributes in the subtree containing the Solaris Bandwidth Manager configuration. To Add the Solaris Bandwidth Manager Schema Files to the Directory Server Configuration 1. Copy the Solaris Bandwidth Manager schema files to the directory server. By default, the Solaris Bandwidth Manager schema files, policy.at.conf and policy.oc.conf, are located under /etc/opt/sunwconn/ba/include. 2. Open the configuration file for Sun Directory Services, dsserv.conf, in a text editor. By default, this file is located under /etc/opt/sunwconn/ldap/ current. 3. In the main configuration section of dsserv.conf, include the schema files for Solaris Bandwidth Manager: # - Main Configuration Section - # include /etc/opt/sunwconn/ldap/current/dsserv.at.conf include /etc/opt/sunwconn/ldap/current/dsserv.oc.conf include /etc/opt/sunwconn/ldap/current/dsserv.acl.conf include /opt/sunwconn/ba/include/policy.at.conf (continued) 104 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

105 (Continuation) include /opt/sunwconn/ba/include/policy.oc.conf This include statement must contain the absolute path to the Solaris Bandwidth Manager schema files on the directory server. 4. Restart the directory server daemon, dsservd, to reload the directory configuration. This task is described in the Sun Directory Services 3.1 Administration Guide. The Schema section of the Directory Services Admin Console now lists the Solaris Bandwidth Manager object classes and attributes. These tasks are described in detail in the Sun Directory Services 3.1 Collection. Saving the Bandwidth Manager Configuration Save the Solaris Bandwidth Manager configuration into the directory using the graphical tool batool. To do so, select the Save As option from the File menu, and choose URL. The URL dialog appears. Enter either the complete URL in the URL location field or the individual parts of the URL in the relevant fields in the lower pane. If you enter the complete URL, do so in this format: ldap:// If you fill in the fields in the lower pane, do so like this: In either case: 4 Enter the username as a Distinguished Name. Configuring Solaris Bandwidth Manager with a Directory Service 105

106 4 The Distinguished name of the subtree to which you want to save the file must begin with a common name. If this common name does not already exist in the directory, it is created for you. Directory Tree for Solaris Bandwidth Manager When you save the Solaris Bandwidth Manager configuration to the directory, a dedicated subtree is created in the directory. This section explains the structure of the entries in the Solaris Bandwidth Manager subtree. Figure 6 1 shows the tree structure and the different types of entries allowed at each level in the tree. Refer to Object Classes on page 117 for a definition of each type of entry. A complete configuration is stored under an entry of type baconf. The subentries stored under the baconf entry describe conditions, groups, policies, and interfaces. A policy entry usually associates a list of conditions with a list of actions. When all the conditions are satisfied, the associated actions are performed. 106 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

107 Figure 6 1 Directory Information Tree Structure There is not a one-to-one mapping between the elements of the Solaris Bandwidth Manager configuration file and the way that those elements are stored in the Directory Tree. The diagram below summarizes the way in which the mapping is carried out: Figure 6 2 Mapping Between Solaris Bandwidth Manager and a Directory Configuring Solaris Bandwidth Manager with a Directory Service 107

108 In particular, note that Filters are handled using a combination of Conditions and Policies. The condition type used depends on the content of the filter. The condition name is suffixed with -R, -I,-U, or-d, depending on the condition type. Pre-defined services are not saved into the directory structure. Instead, if the policy agent finds a reference to a nonexistent Condition, it is assumed to be a pre-defined service. Table 6 1 shows the allowed containment relationships for entries stored below baconf. There are no constraints on the superior class for baconf. TABLE 6 1 Containment Relationships Under baconf Entry Policy Valid Superiors baconf URLCondition baconf, bacontainer IPRouteCondition baconf, bacontainer DSCondition baconf, bacontainer IPServiceCondition baconf, bacontainer IfCondition baconf, bacontainer Group baconf, bacontainer Classes baif, baconf, bacontainer baif baconf bacontainer baconf, bacontainer Example Directory Tree When you save the example configuration file shown in Configuration Examples on page 66, the entry is structured like this: 108 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

109 Figure 6 3 Example Directory Tree Note - The pre-configured services, such as ftp, do not appear as conditions, as pre-configured services are not saved to the directory. Working With a RADIUS Server The RADIUS server provided with Sun Directory Services 3.1 offers an authentication service for remote users. For full information on the RADIUS server, refer to the documentation delivered with Sun Directory Services 3.1. Overview The RADIUS server provided with Sun Directory Services 3.1 is an authentication and authorization information server for a Network Access Server (NAS). A NAS is a device that provides an access point to the network for remote users connecting using SLIP, PPP or any other remote access protocol. The NAS transmits the information provided in the connection request from the remote user to the RADIUS server. The RADIUS server checks this information against the entry for the remote user in the directory. It then returns to the NAS an authorization or denial for the Configuring Solaris Bandwidth Manager with a Directory Service 109

110 remote user connection. It can also provide the appropriate connection parameters for the remote user connection. Note - A NAS is also often referred to as a Remote Access Server (RAS) or as a RADIUS client. Figure 6 4 summarizes the way in which RADIUS operates with Solaris Bandwidth Manager. Figure 6 4 RADIUS Operation with Solaris Bandwidth Manager The user is an entity requesting access to network resources. In the directory database, a user is identified by a unique uid attribute. This and all other attributes describing a remote user are defined in the remoteuser object class. 110 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

111 The NAS is the device to which remote users connect. The NAS queries the RADIUS server for authentication status, user profiles, and authorizations. In the directory database, each NAS is identified by a unique iphostnumber attribute. This and all other attributes describing a RADIUS client are defined in the nas object class. The RADIUS server authenticates the NAS, then checks the remote user s identity and authorization in the directory database. It returns the user s status and configuration information to the NAS. If the RADIUS server cannot authenticate the NAS, it ignores the request there is no connection rejection. Once the authentication process is complete, the NAS sends accounting information on the remote connection to the RADIUS server. This is logged dynamically in the user s directory entry. The information logged is contained in the dynamicipaddress, dynamicsessionid, dynamicsessioncounter, and dynamicaddressbinding attributes. This information is then replicated to the Solaris Bandwidth Manager configuration using a Replication Event. An exchange of information between Solaris Bandwidth Manager and Sun Directory Services then takes place, in which the Solaris Bandwidth Manager configuration is updated with the dynamic information. The filters and classes that are created, are named using the relevant uid and sessionid names. If the action LSaction has the attribute queuename, no class is created. Note - When interoperating with Solaris Bandwidth Manager, dynamic accounting is used. Refer to the documentation delivered with Sun Directory Services for information on other approaches. Configuration To be able to use the RADIUS protocol, you must carry out configuration on Solaris Bandwidth Manager and on Sun Directory Services. Refer to the documentation delivered with Sun Directory Services for configuration instructions and schema information. On Solaris Bandwidth Manager: 4 Edit the /opt/sunwconn/ba/html/beans/qraspolicy.html file so that Solaris Bandwidth Manager can reply to replication events. On Sun Directory Services: 4 Enable dynamic accounting for the RADIUS server. 4 In the database, create the necessary entries for NAS devices and remote users. For each user, in addition to an object class of type remoteuser, you must create an object class of type policyaux. The policyaux object class must have the same Distinguished Name (DN) as the remoteuser object class. This is because the Configuring Solaris Bandwidth Manager with a Directory Service 111

112 remoteuser object class cannot contain a policyref attribute. The policyref attribute must point to a valid policy. 4 Set a replication schedule for the replication of information between the directory and the policy agents. Set replication to immediate, so that whenever modifications are made to entries that are within the scope of the replica, they are automatically pushed to the policy agent. 4 Replicate the subtree containing remote user entries. If you do not want to replicate all attributes in the remote user entries, make sure that you include at least the following attributes: dynamicipaddress, dynamicsessionid, dynamicsessioncounter. 4 Insure that Replication Events contain a Replication Password. This is the password you set when installing the Solaris Bandwidth Manager packages and is defined in the /etc/opt/sunwconn/ba/agent.properties file. You will be prompted for this when configuring the DN of the administrator of the remote system. The DN itself is ignored. Policy Behavior The policyref attribute contained in the policyaux object class for a user must point to an entry of type Policy. This can do one of the following: 4 Create a filter containing the IP address of the newly connected user. 4 Create a class and a filter containing the IP address of the newly connected user. Creating a Filter Only A service provider offers three classes of service: Standard, StandardPlus, and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class: Class Name Guaranteed Bandwidth Premium 50% StandardPlus 30% Standard 10% User Fred Smith has a subscription to the Premium class. On receiving traffic from Fred Smith, the policyref attribute in the policyaux class is checked. It points to the policy Premium. The Premium policy contains an LSaction ActionPremiumClass with the attribute queuename Premium. 112 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

113 A filter is created containing Fred Smith s IP address and is added to the Premium class. Traffic from Fred Smith is then filtered into the Premium class. The filter name is the UID of Fred Smith s user entry in the directory, plus the sessionid. It would also be possible to add conditions to the policy, specifying a service, for example. Creating a Class and a Filter A service provider offers three classes of service: Standard, StandardPlus, and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class. From time to time, however, the service s administrators need to send high priority messages to each other. To do so, they send from an account called admin-urgent. Doing so creates a class with a priority of 1 and a guaranteed bandwidth of 10% so that these messages are dealt with immediately. Jane Brown needs to send an urgent message to the other administrators. To do so, she logs in as admin-urgent. On receiving traffic from admin-urgent, the policyref atribute of the policyaux class is checked. It points to the policy Urgent. The Urgent policy contains an LSaction with the attributes ceilingrate, guaranteedrate, and queuepriority. The absence of the queuename attribute tells the Solaris Bandwidth Manager software to create a class called urgent with the specified maximum and guaranteed bandwidth and priority. A filter is then created containing the IP address from which the admin-urgent message was sent. The filter s name is composed of the UID and sessionid. Schema Objects for Solaris Bandwidth Manager The directory schema determines what information can be stored in the directory. See Sun Directory Services 3.1 Administration Guide for details of the default schema and how to modify it. Figure 6 5 summarizes the schema structure. Configuring Solaris Bandwidth Manager with a Directory Service 113

114 Figure 6 5 Solaris Bandwidth Manager Schema Table 6 2 lists the attributes for each object class. (M) indicates that the attribute is mandatory and (O) that it is optional. Refer to the alphabetical list of object classes below for a detailed description of each object class. Refer to the alphabetical list of attributes for a detailed description of each attribute. TABLE 6 2 Object Class Summary Object Class Attributes Allowed value(s) baconf baconfstate(m) commonname(m) baclconfref(o) batimeout(o) valid/invalid common name DN of generic configuration timeout in seconds 114 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

115 TABLE 6 2 Object Class Summary (continued) Object Class Attributes Allowed value(s) baif bagroup baurlgroup baifname(m) baifrate(m) commonname(m) baifnetwork(o) baifactivate(o) baifmulticast(o) baifnonip(o) baifrtrmac(o) baifrtraddr(o) commonname(m) groupmember(m) networkmask(o) commonname(m) URLgroupMember(O) device name with suffix _in or _out bandwidth in bits per second common name device name enabled, stats, tos, disabled none/all/direct ipqos/direct MAC address list of IP addresses or hostnames common name IP address subnet mask in dot format common name URL DSCondition receiveddsbytecheck(o) Mask:Match expressed in binary interfacecondition interfacename(m) device:direction, where direction is INCOMING, OUTGOING or BOTH Configuring Solaris Bandwidth Manager with a Directory Service 115

116 TABLE 6 2 Object Class Summary (continued) Object Class Attributes Allowed value(s) IProuteCondition IPserviceCondition LSaction sourceiphost(o) destinationiphost(o) sourcenetwork(o) destinationnetwork(o) sourcegroup(o) destinationgroup(o) sourceportnumberranges(o) destinationportnumberranges(o) portnumberpairs(o) protocolnumber(o) ceilingrate(o) guaranteedrate(o) parent(o) previous(o) queuename(o) IP address or hostname IP address or hostname name:mask name:mask DN of entry of type bagroup DN entry of type bagroup port number(s) port number(s) source:destination ANY or the name of any protocol defined in the / etc/protocols file. 1:bps or 2:percentage 1:bps or 2:percentage classname classname classname queuepriority(o) integer between 1 and 7 toswrite(o) integer between 0 and Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

117 TABLE 6 2 Object Class Summary (continued) Object Class Attributes Allowed value(s) policy policyaction commonname(m) policyname(m) policyconditionlist(m) policyenabled(m) policyactionlist(m) PolicyKeywords(O) policyusage(o) commonname (M) policyactionname(m) common name policy name reference to a set of policycondition objects TRUE/FALSE reference to a set of policyaction objects list of keywords distinguished name common name name policyaux policyref(m) reference to policy policycondition URLcondition commonname (M) policyconditionname(m) URLmatch(O) URLgroupMember(O) common name policy condition name URL pointer to baurlgroup entry Object Classes This section contains an alphabetical list of the object classes that are used by Solaris Bandwidth Manager. baconf Inherits from top Configuring Solaris Bandwidth Manager with a Directory Service 117

118 Mandatory attributes: baconfstate, commonname (cn) Optional attributes: baclconfref, batimeout Description: Top entry of a subtree that holds a complete configuration for Solaris Bandwidth Manager baif Inherits from top Mandatory attributes: baifname, baifrate, commonname (cn) Optional attributes: baifnetwork, baifmulticast, baifnonip, baifrtrmac, baifrtraddr, baifactivate Description: Contains the configuration parameters for an interface controlled by Solaris Bandwidth Manager bagroup Inherits from top Mandatory attributes: commonname (cn), groupmember Optional attributes: networkmask Description: Contains the configuration parameters for a group of hosts or subnets controlled by Solaris Bandwidth Manager baurlgroup Inherits from top Mandatory attributes: commonname (cn), URLgroupMember Description: Contains the configuration parameters for a group of URLs controlled by Solaris Bandwidth Manager DSCondition Inherits from policycondition Mandatory attributes: none Optional attributes: receiveddsbytecheck Description: In the context of differentiated services, describes a condition applicable to behavior aggregate 118 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

119 interfacecondition Inherits from policycondition Mandatory attributes: none Optional attributes: interfacename Description: Describes a condition applicable to an interface IProuteCondition Inherits from policycondition Mandatory attributes: none Optional attributes: sourceiphost, destinationiphost, sourcenetwork, destinationnetwork, sourcegroup, destinationgroup Description: Describes a condition applicable to an IP source or IP destination IPserviceCondition Inherits from policycondition Mandatory attributes: none Optional attributes: sourceportnumberranges, destinationportnumberranges, portnumberpairs, protocolnumber Description: Describes a condition applicable to an IP service LSaction Inherits from policyaction Mandatory attributes: none Optional attributes: ceilingrate, guaranteedrate, parent, previous, queuename, queuepriority, toswrite Description: Describes an action to be performed in the context of link sharing policy Inherits from top Mandatory attributes: commonname, policyname, policyconditionlist, policyenabled Optional attributes: policyactionlist, PolicyKeywords, policyusage Configuring Solaris Bandwidth Manager with a Directory Service 119

120 Description: Describes the interaction between two or more objects policyaction Inherits from top Mandatory attributes: commonname (cn), policyactionname Optional attributes: None Description: Describes a set of actions to be performed when all the conditions listed by a policy have been met policyaux Inherits from top Mandatory attributes: policyref Optional attributes: None Description: This object class is used to associate a policy with a remote user entry. It is an auxiliary object class which means that it can be used in conjunction with any other object class to create an entry. policycondition Inherits from top Mandatory attributes: commonname (cn), policyconditionname Optional attributes: None Description: Describes a set of conditions to be met to satisfy a policy. This object class is not used as such in the Solaris Bandwidth Manager DIT. Instead, the object classes derived from it are used to create entries that describe actual conditions. These object classes are DScondition, interfacecondition, IProuteCondition, IPserviceCondition, URLCondition. URLcondition Inherits from policycondition Mandatory attributes: nnone Optional attributes: URLmatch, URLgroupMember Description: Describes a condition applicable to a URL 120 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

121 Attributes This section contains an alphabetical list of the attributes used by Solaris Bandwidth Manager. It gives the attribute syntax, possible values, and a short definition of the attribute s purpose. This section does not include attributes that are not specific to Solaris Bandwidth Manager such as top or common name (cn). Table 6 3 shows the possible syntaxes for attributes, with their definitions. TABLE 6 3 Attribute Syntax Definitions Attribute syntax bin ces cis dn int protected tel utctime Syntax Definition Stands for binary. Stands for case exact string. A case-sensitive alphanumeric string. Stands for case ignore string. A non-case-sensitive alphanumeric string. A distinguished name An integer A value that has been encrypted using crypt(1) A telephone number UTC time baclconfref Used in baconf Syntax: dn, single Description: Provides a pointer to a generic configuration. baconfstate Used in baconf Syntax: cis, single Description: Indicates whether the configuration described by the entry is a valid one, or if it is currently being modified. This attribute can have only one of the Configuring Solaris Bandwidth Manager with a Directory Service 121

122 following values: invalid, valid. When a configuration is saved to the directory, this attribute is set to invalid, any previous version of the configuration is deleted, the new one is saved, and the attribute is set back to valid. baifactivate Used in baif Syntax: cis, single Description: Indicates the status of an interface controlled by Solaris Bandwidth Manager. This attribute can have only one of the following values: enabled, stats, tos ordisabled. The meaning of these values is described in Interface Definition on page 61. baifmulticast Used in baif Syntax: cis, single Description: Specifies how multicast packets are forwarded. This attribute can have only one of the following values: none, all or direct. The meaning of these values is described in IP-Transparent Mode on page 62. This attribute is required if Solaris Bandwidth Manager is working in IP transparent mode. baifname Used in baif Syntax: cis, single Description: Specifies the device name of the interface described by the entry. Suffixed with _in or _out to indicate the direction of traffic handled. baifnetwork Used in baif Syntax: cis, single Description: Specifies the name of the device used to communicate with the network. This attribute is required if Solaris Bandwidth Manager is working in IP transparent mode. 122 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

123 baifnonip Used in baif Syntax: cis, single Description: Specifies how non-ip packets are forwarded. This attribute can have only one of the following values: ipqos or direct. The meaning of these values is described in IP-Transparent Mode on page 62. This attribute is required if Solaris Bandwidth Manager is working in IP transparent mode. baifrate Used in baif Syntax: long, single Description: Indicates the operating bandwidth rate associated with the interface described by the entry. Enter in bits per second. baifrtraddr Used in baif Syntax: cis Description: Gives the list of IP addresses or the hostname of the router. If you specify several IP addresses, they must be separated by commas. This attribute is required if Solaris Bandwidth Manager is working in IP transparent mode. baifrtrmac Used in baif Syntax: cis, single Description: Specifies the MAC address of the router described by the entry. Can be either a hexadecimal address or a hostname listed in the ethers table. This attribute is required if Solaris Bandwidth Manager is working in IP transparent mode. batimeout Used in baconf Syntax: long, single Description: Specifies a timeout on the configuration. Expressed in seconds. Configuring Solaris Bandwidth Manager with a Directory Service 123

124 ceilingrate Used in LSaction Syntax: long, single Description: Indicates the maximum bandwidth allocated across a link. The value of this attribute can be expressed in bytes per second (bps) or as a percentage of bandwidth. If expressed in bytes per second, the syntax is 1:x. If expressed as a percentage, the syntax is 2:x, where x is the value in bps or a percentage. destinationgroup Used in IProuteCondition Syntax: dn, single Description: Provides a pointer to an entry of type bagroup. destinationiphost Used in IProuteCondition Syntax: cis Description: Specifies the name of the destination host in an entry describing an IP route condition. destinationnetwork Used in IProuteCondition Syntax: cis Description: Specifies the name of the destination network in an entry describing an IP route condition. destinationportnumberranges Used in IPserviceCondition Syntax: cis Description: Specifies the port or range of ports to which the condition described by the entry applies. 124 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

125 flowevent Used in LSaction Syntax: cis, single Description: Indicates that flow added events are generated when a new flow is detected in the class. The value is a string used by the directory M-bean when searching for a quality of service. groupmember Used in bagroup Syntax: cis Description: Provides the address of a host or subnet to include in a group described by a bagroup entry. guaranteedrate Used in LSaction Syntax: long, single Description: Indicates the guaranteed bandwidth across a link. The value of this attribute can be expressed in bytes per second (bps) or as a percentage of bandwidth. If expressed in bytes per second, the syntax is 1:x. If expressed as a percentage, the syntax is 2:x, where x is the value in bps or a percentage. interfacename Used in interfacecondition Syntax: cis, single Description: Specifies the name of the interface to which the condition described by the entry applies. The syntax is device:direction. Where device is expressed in local terms, for example hme0, eth0 and direction is INCOMING, OUTGOING or BOTH. networkmask Used in baconf Syntax: cis, single Description: Specifies the subnet mask of the subnet group described by the entry. The subnet mask is specified in dot format, or by the name of a subnet mask defined in the hosts file or the networks file. You cannot use the + style of specifying a Configuring Solaris Bandwidth Manager with a Directory Service 125

126 netmask. When this attribute is not present, the group described by the entry is a host group. This attribute is mandatory to describe a subnet group. parent Used in LSaction Syntax: long, single Description: The name of a class s parent class. policyactionlist Used in policy Syntax: dn Description: Provides references to a set of policyaction objects. The actions described by the policyaction entries are performed when all the conditions defined by the policy entry have been satisfied. policyactionname Used in policyaction Syntax: cis, single Description: The user friendly name of the policy action described by the entry. policyconditionlist Used in policy Syntax: dn Description: Provides references to a set of policycondition objects. The policy described by the entry is applicable when this set of conditions is satisfied. policyconditionname Used in policycondition Syntax: cis, single Description: The user friendly name of the policy condition described by the entry. This attribute is not a naming attribute, and therefore cannot be used in the RDN of an entry. 126 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

127 policyenabled Used in policy Syntax: cis, single Description: Indicates whether the policy described by the entry is currently enabled. This attribute can have only one of the following values: TRUE or FALSE. policykeywords Used in policy Syntax: cis Description: Provides a list of keywords that can be used in a search for the policy entry. policyname Used in policy Syntax: cis, single Description: The user friendly name of the policy described by the entry. This attribute is not a naming attribute, and therefore cannot be used in the RDN of an entry. policyref Used in policyaux Syntax: dn, single Description: Provides a reference to a policy. This attribute is used to associate a policy with other types of entries, for example a remote user entry. policyusage Used in policy Syntax: dn Description: Provides guidelines for using the policy described by the entry. portnumberpairs Used in IPserviceCondition Configuring Solaris Bandwidth Manager with a Directory Service 127

128 Syntax: cis Description: Indicates pairs of source and destination ports, with the following syntax: source:destination. previous Used in LSaction Syntax: long, single Description: Specifies the name of the class that was verified before the current one. If the previous class was root, this is blank. protocolnumber Used in IPserviceCondition Syntax: long, single Description: Provides the name of the protocol described in the condition. This attribute can have only one value and can be either ANY or the name of any protocol defined in the /etc/protocols file. queuename Used in LSaction Syntax: long, single Description: Specifies the classname of the queue to which the actions described by the entry apply. queuepriority Used in LSaction Syntax: long, single Description: As part of the actions described by the entry, it indicates the priority assigned to the flow. receiveddsbytecheck Used in DScondition Syntax: cis, single 128 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

129 Description: Specifies a condition for traffic based on the contents of the differentiated services (DS) byte of the received packet s IP header. The format is a string of the form xxxxxxxx:xxxxxxxx, where x is 0 or 1. The left substring is a Mask, and the right substring a Match. The DS byte of the received packet s IP header is ANDed with Mask, and the result is compared against Match. Therefore, the condition can be expressed as follows: (receivedpackettosbyte & Mask == Match)? where & indicates the bitwise AND operation, and == the bitwise compare operation. The combination of Mask and Match makes it possible to define DS byte-based profiles where certain bits in the DS byte may be ignored for the purpose of comparison. sourcegroupref Used in IProuteCondition Syntax: dn, single Description: Provides a pointer to an entry of type bagroup. sourceiphost Used in IProuteCondition Syntax: cis Description: Specifies the name of the source host in an entry describing an IP route condition. sourcenetwork Used in IProuteCondition Syntax: cis Description: Specifies the name of the source network in an entry describing an IP route condition. sourceportnumberranges Used in IPserviceCondition Syntax: cis Description: Specifies the port or range of ports to which the condition described by the entry applies. Configuring Solaris Bandwidth Manager with a Directory Service 129

130 toswrite Used in LSaction Syntax: long, single Description: As part of the actions described by the entry, specifies the type of service provided. The value of this attribute is an integer between 0 and 255. URLgroupMember Used in baurlgroup Syntax: cis Description: Provides a pointer to a baurlgroup entry. URLmatch Used in URLcondition Syntax: cis, single Description: Specifies a URL used to construct a filter for the URL condition described by the entry. This URL can contain wildcards. Naming Conventions for Solaris Bandwidth Manager When you create a Solaris Bandwidth Manager configuration either by editing the configuration file ba.conf or by using the configuration tool batool and then saving it to a directory, naming conventions are handled automatically for you. When creating a configuration in a directory service, you must observe the following conventions: 4 policynames, groupnames and servicenames must be unique within a configuration. The policyname becomes the filter name when the configuration is run in Solaris Bandwidth Manager. 4 classnames must be unique within an interface. As each class is associated with a particular interface, more than one class with the same name can exist as long as they are associated with different interfaces. 130 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

131 CHAPTER 7 Running Solaris Bandwidth Manager This chapter gets you started running and explains how to maintain and monitor Solaris Bandwidth Manager. Starting, Restarting, and Stopping Solaris Bandwidth Manager To Start Solaris Bandwidth Manager Policy Agent: 1. Log in as root or become superuser. 2. Type: # /etc/init.d/bagent.control start The policy agent is started automatically when you reboot your machine. It starts at run level

132 To Prevent the Policy Agent Being Restarted When You Reboot 1. Remove the file S89bagent from the /etc/rc2.d directory or rename it so that it no longer begins with the letter S. To Restart the Solaris Bandwidth Manager Policy Agent You can also restart the Solaris Bandwidth Manager policy agent, forcing it to reread the configuration information 1. Log in as root or become superuser. 2. Type: # /etc/init.d/bagent.control restart To Stop the Solaris Bandwidth Manager 1. Log in as root or become superuser. 2. Type: # /etc/init.d/bagent.control stop Note - If you are using Solaris Bandwidth Manager in IP-transparent mode, stopping the Solaris Bandwidth Manager policy agent prevents any network traffic being forwarded by the system. To stop bandwidth management without stopping all network traffic, change the configuration so that the interface is in stats mode and restart the Solaris Bandwidth Manager policy agent. 132 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

133 Dynamic Reconfiguration You can change the configuration of Solaris Bandwidth Manager dynamically, without disrupting network traffic. If you change the configuration and restart Solaris Bandwidth Manager using batool, the policy agent reads the updated file and implements the changes. If you modify the current configuration, or if you edit ba_config.location to indicate a different configuration file, you can use batool to restart the policy agent. Alternatively, become root or superuser and type the following command: $ /etc/init.d/bagent.control restart You can have several configurations to match different traffic patterns at different times of the day. For example, you might want one configuration to be used during normal working hours when there is more interactive traffic, and another to be used overnight and at weekends when files are being updated or backed up over the network. Creating a Dynamic Reconfiguration Schedule Using the Schedule window of batool, you can configure Solaris Bandwidth Manager to switch automatically between configuration files at pre-defined times. To display the Schedule window, select Schedule from the tab window. You must configure the following information: 4 Filename The path and name of the configuration file you want to use. 4 Start Date The date on which you want to start using this configuration file. 4 Start Time The time at which you want to start using this configuration file. 4 Frequency The frequency with which this configuration file will be used: once only, daily, weekly, every 2 weeks, every 4 weeks or yearly. 4 Repetitions Uses the units of time specified in the frequency field to determine how often the configuration file will be used. For example, if frequency is set to daily, and Running Solaris Bandwidth Manager 133

134 repetitions to 7, the file will be used daily for 7 days. If frequency is set to weekly, and repetitions to 2, the file is used weekly for 2 weeks. Set this value to Forever if you want the file to be used until you say otherwise. Restrictions on Dynamic Reconfiguration There are some restrictions on what can be changed dynamically: 4 You cannot change from IP-transparent to non-transparent mode, or from non-transparent to IP-transparent mode. 4 If you add an interface, you may have to reboot your system. For more information, see Configuration Files and Directories on page When the policy agent is running in lightweight mode, it is not possible to restart it. Monitoring Solaris Bandwidth Manager with SNMP You can monitor Solaris Bandwidth Manager using Solstice Site Manager, Solstice Domain Manager, or any SNMP monitoring station. The Solaris Bandwidth Manager SNMP agent runs on hosts running the Solaris 2.6, 7, or 8 operating system. It implements the management information base (MIB) found in the file /opt/ SUNWconn/ba/snmp/ba_mib. The files associated with SNMP monitoring are all installed in the /opt/sunwconn/ba/snmp directory. Ten tables of information are available: 4 Interface information 4 Class information 4 Filter information 4 Information on the associations between classes and filters 4 Information on parent/child relationships between classes 4 A list of routers configured on an interface in IP transparent mode 4 Information on the hosts and subnetworks defined in a filter 4 A list of the URLs defined in a filter 4 A list of the services defined in a filter 4 Information on flows Three traps are defined: 134 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

135 4 badaemonup, indicating that the Solaris Bandwidth Manager policy agent has started 4 badaemondown, indicating that the Solaris Bandwidth Manager policy agent has stopped 4 bareconfig, indicating that the configuration being used has changed Configuring SNMP Monitoring Note - This section assumes you are using either Solstice Site Manager or Solstice Domain Manager as your management platform. In the following instructions, the term SNM refers to either Solstice Site Manager or Solstice Domain Manager. The Solaris Bandwidth Manager SNMP agent is compatible with the Solstice Enterprise Agents. To Integrate Solaris Bandwidth Manager SNMP Agents with Solstice Enterprise Agents 1. Copy the files ba.rsrc, ba.reg and ba_read.acl to the /etc/snmp/conf directory. 2. Edit the file /etc/snmp/conf/ba_read.acl to specify hosts that will have read access to the SNMP agent. By default all hosts have access. 3. Copy the files SnmpAgent.html and qm_snmp.zip to the /opt/sunwconn/ ba/html/beans directory. 4. Edit the file /opt/sunwconn/ba/snmp/ba_trap.acl to specify trap destinations. This file must also contain the local hostname, in order to give the SNMP Master Agent read access to the subagent. Specify the trap destinations as a comma-separated list of hostnames, as follows: trap-recipients = { host1, host2, host3 } 5. Stop and restart the Solaris Bandwidth Manager agent and then the SNMP master agent. Running Solaris Bandwidth Manager 135

136 Using a Solstice Site or Domain Manager Console The files ba_mib.oid and ba_mib.schema in the /opt/sunwconn/ba/snmp directory allow you to query the Solaris Bandwidth Manager SNMP agent from a Solstice Site or Domain Manager console. Copy them to the agents directory (by default /opt/sunwconn/snm/agents) on the management station. Then rebuild the OID database using the command build_oid. The file ba_mib.traps in the / opt/sunwconn/ba/snmp directory is used to map the trap numbers to an ASCII string. Append it to the trap file (by default /var/opt/sunwconn/snm/ snmp.traps). See the Solstice Site and Domain Manager documentation for more information about this process. 136 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

137 CHAPTER 8 Statistics This chapter contains information on statistics available through Solaris Bandwidth Manager. You can display statistics using the Solaris Bandwidth Manager configuration tool batool. You can also use the command line statistics utility bastat. All Solaris Bandwidth Manager statistics are packet-based. Displaying Statistics Using batool The Solaris Bandwidth Manager configuration tool batool displays class-based, flow-based, and overall traffic statistics. In each case, you must first specify which statistics you want to display using the left-hand navigation pane in the relevant statistics window. To Display Statistics 1. Expand the class hierarchy by double-clicking on any definitions displayed as folders. 2. Choose the classes for which you want to see statistics by clicking on the class name. To select more than one class, hold down the control key on your keyboard while clicking. 3. Click Apply. 137

138 For example, with the settings shown below, statistics are collected and displayed for incoming and outgoing UDP traffic, but not for TCP traffic. To DisplaySummary Statistics 1. Select the classes for which you want to see statistics using the navigation pane. 2. Specify a polling interval in seconds. 3. Click Resume. The display looks like this: 138 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000

139 The display uses a different colored line for each class if you specify more than one. The color used is the same as that used to highlight the class name in the statistics navigation window. The number of bytes sent or received, together with the percentage of bandwidth allocated used, is displayed in the upper right-hand corner of the window. These are shown in the same color as is used in the graph and the statistics navigation window. Move your mouse over the statistics to display the name of the class and interface concerned at the bottom of the window. To display the statistics in a separate window, so that you can use the main batool window for other tasks, click the Create new window button. To change the scale used for the statistics display, use the Zoom in and Zoom out buttons. To Display Flow Statistics 1. Display the Flow Statistics window by clicking the Flow Statistics tab. Statistics 139

140 2. Select the classes for which you want to see statistics using the navigation window. 3. Specify the Refresh interval and the number of flows you want to see at one time. 4. Click Resume to begin displaying statistics. The Flow Statistics window looks like this: The upper pane contains information about traffic exchanges in the different flows. Each line represents a flow and specifies the source and destination IP addresses and port numbers, TOS value, number of bytes and packets exchanged, and a URL, if relevant. The lower pane contains a pie-chart summarizing the percentage of bandwidth used. By default, the pie-chart shows percentage of bandwidth used by each class. However, you can also display percentage of bandwidth used according to any of the values displayed in the top pane. For example, to see bandwidth use classified by source address, click anywhere in the source address column. The display in the lower pane changes to match. 140 Solaris Bandwidth Manager 1.6 System Administration Guide April 2000