WNG R2.1 Product Guides

Alcatel-Lucent 9900WIRELESS NETWORK GUARDIAN | RELEASE 2.1P R O D U C T G U I D E S

Alcatel-Lucent ProprietaryThis document contains proprietary information of Alcatel-Lucent and is not to be disclosedor used except in accordance with applicable agreements.Copyright 2010 © Alcatel-Lucent. All rights reserved.

P R O D U C T G U I D E S

When printed by Alcatel-Lucent, this document is printed on recycled paper.

Alcatel-Lucent assumes no responsibility for the accuracy of the information presented, which is subject to change without notice.

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.

Copyright 2010 Alcatel-Lucent.All rights reserved.

Disclaimers

Alcatel-Lucent products are intended for commercial uses. Without the appropriate network design engineering, they must not be sold, licensed or otherwise distributed for use in any hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life-support machines, or weapons systems, in which the failure of products could lead directly to death, personal injury, or severe physical or environmental damage. The customer hereby agrees that the use, sale, license or other distribution of the products for any such application without the prior written consent of Alcatel-Lucent, shall be at the customer's sole risk. The customer hereby agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the products in such applications.

This document may contain information regarding the use and installation of non-Alcatel-Lucent products. Please note that this information is provided as a courtesy to assist you. While Alcatel-Lucent tries to ensure that this information accurately reflects information provided by the supplier, please refer to the materials provided with any non-Alcatel-Lucent product and contact the supplier for confirmation. Alcatel-Lucent assumes no responsibility or liability for incorrect or incomplete information provided about non-Alcatel-Lucent products.

However, this does not constitute a representation or warranty. The warranties provided for Alcatel-Lucent products, if any, are set forth in contractual documentation entered into by Alcatel-Lucent and its customers.

This document was originally written in English. If there is any conflict or inconsistency between the English version and any other version of a document, the English version shall prevail.

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 iiiJuly 2010 3HE 06049 AAAA TQZZA

Preface

The 9900 Wireless Network Guardian is a GUI-based system that is designed to manage data flows, and monitor network activities and demands for network resources.

About the guides

Table 1 describes the guides that are in this document.

Table 1 Product guides

Guide Description

9900 Wireless Network Guardian System Planning, Installation, and Upgrade Guide

Contains information about:• planning and system architecture• hardware installation and maintenance• software maintenance and upgrades• commissioning

9900 Wireless Network Guardian User Guide

Contains information about:• 9900 WNG system• management interfaces• configuration procedures• network performance reporting and management• network anomaly reporting and management

9900 Wireless Network Guardian System Administration and Security Guide

Contains information about:• security monitoring and administration• user account administration and security• database administration

Preface

iv Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Conventions used in this guide

Table 2 lists the conventions that are used throughout this guide.

Table 2 Documentation conventions

Important informationThe following conventions are used to indicate important information:

Acronyms and initialismsThe expansions and optional descriptions of most acronyms and initialisms appear in the glossary.

Procedures with options or substepsWhen there are options in a procedure, they are identified by letters. When there are substeps in a procedure, they are identified by roman numerals.

Convention Description Example

Italics Identify a variable hostname

Key+Key Type the appropriate consecutive keystroke sequence. CTRL+G

KeyKey Type the appropriate simultaneous keystroke sequence. CTRLG

↵ Press the Return key. ↵

An em dash in a table cell indicates there is no information.

→ A right arrow graphic following the menu label indicates that a cascading submenu results from selecting a menu item.

Help→About

Danger Danger indicates that the described activity or situation may result in serious personal injury or death; for example, high voltage or electric shock hazards.

Warning Warning indicates that the described activity or situation may, or will, cause equipment damage or serious performance problems.

Caution Caution indicates that the described activity or situation may, or will, cause service interruption.

Note Note provides important information that is, or may be, of special interest.

Preface

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 vJuly 2010 3HE 06049 AAAA TQZZA

Procedure 1 Example of options in a procedure

At step 1, you can choose option a or b. At step 2, you must do what the step indicates.

1 This step offers two options. You must choose one of the following:

a This is one option.

b This is another option.

2 You must perform this step.

Procedure 2 Example of substeps in a procedure

At step 1, you must perform a series of substeps within a step. At step 2, you must do what the step indicates.

1 This step has a series of substeps that you must perform to complete the step. You must perform the following substeps:

i This is the first substep.

ii This is the second substep.

iii This is the third substep.

2 You must perform this step.

Measurement conventionsMeasurements in this guide are expressed in metric units and follow the Systeme International d’Unites standard for abbreviation of metric units. If imperial measurements are included, they appear in brackets following the metric unit. Table 3 lists the measurement conventions used in this document but not covered by SI.

Table 3 Bits and bytes conventions

Measurement Symbol

bit b

kilobit kb

gigabit Gb

byte byte

kilobyte kbyte

megabyte Mbyte

(1 of 2)

Preface

vi Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Multiple PDF file search

You can use Adobe Reader, Release 6.0 or later, to search multiple PDF files for a term. Adobe Reader displays the results in a panel. The results are grouped by PDF file.

Procedure 3 To search multiple PDF files for a term

1 Open the Adobe Reader.

2 Choose Edit→Search from the Adobe Reader main menu. The Search panel appears.

3 Enter the term to search for.

4 Select the All PDF Documents in radio button.

5 Choose the folder in which to search using the drop-down menu.

6 Select the following search criteria, if required:

• Whole words only• Case-Sensitive• Include Bookmarks• Include Comments

7 Click on the Search button. Adobe Reader displays the search results. You can expand the entries for each file by clicking on the + symbol.

Contact information

If you have questions or comments about this documentation, please contact:

[email protected]

gigabyte Gbyte

Measurement Symbol

(2 of 2)

Note The PDF files that you search must be in the same folder.

Note After you click on a hyperlink, you can right-click and choose Previous View from the contextual menu to return to the location of the previous hyperlink.

mailto:[email protected]

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 viiJuly 2010 3HE 06049 AAAA TQZZA

Contents

Preface ixAbout the guides ....................................................................................... ixConventions used in this guide........................................................................x

Important information..................................................................xAcronyms and initialisms...............................................................xProcedures with options or substeps .................................................xProcedure 1 Example of options in a procedure.................................. xiProcedure 2 Example of substeps in a procedure ................................ xiMeasurement conventions ............................................................ xi

Multiple PDF file search.............................................................................. xiiProcedure 3 To search multiple PDF files for a term ........................... xii

Contact information .................................................................................. xii

Contents

viii Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Planning, Installation, and Upgrade Guide

Planning and system architecture

1 9900 WNG system architecture 1-11.1 9900 WNG overview..................................................................... 1-21.2 9900 WNG Detector and Central...................................................... 1-2

9900 WNG Detector .................................................................. 1-49900 WNG Central.................................................................... 1-4

1.3 9900 WNG hardware .................................................................... 1-59900 WNG Detector hardware...................................................... 1-59900 WNG Central hardware ....................................................... 1-6Detecting hardware failures........................................................ 1-6

1.4 9900 WNG software ..................................................................... 1-6Detecting software problems....................................................... 1-7

1.5 9900 WNG external user interfaces .................................................. 1-7

2 9900 WNG planning 2-12.1 Planning overview....................................................................... 2-22.2 9900 WNG Central and Detector server planning .................................. 2-22.3 9900 WNG Central planning ........................................................... 2-22.4 9900 WNG Detector planning.......................................................... 2-3

Processing data....................................................................... 2-3Tapping into the network ........................................................... 2-4Estimating 9900 WNG Detectors needed ......................................... 2-5Network technology ................................................................. 2-5Determine location to view network activity.................................... 2-6CDMA network activity .............................................................. 2-6UMTS network activity .............................................................. 2-8Geographic configuration for 9900 WNG Detectors............................ 2-10

2.5 IP addresses and port numbers planning ........................................... 2-119900 WNG Central interfaces...................................................... 2-119900 WNG Detector interfaces .................................................... 2-11Additional interfaces ............................................................... 2-11

2.6 Site preparation planning............................................................. 2-129900 WNG server and rack hardware specifications ........................... 2-12Rack-mount requirements ......................................................... 2-13Power requirements ................................................................ 2-13Cabling requirements............................................................... 2-14Environmental requirements ...................................................... 2-15

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 ixJuly 2010 3HE 06049 AAAA TQZZA

Hardware installation

3 Safety and regulatory specifications 3-13.1 Safety hazards ........................................................................... 3-2

Signal words........................................................................... 3-2General hazard statements......................................................... 3-3

3.2 Product use and safety guidelines.................................................... 3-3Heed safety instructions ............................................................ 3-3System power on and off............................................................ 3-4Hazardous conditions, devices, and cables ...................................... 3-4ESD and ESD protection ............................................................. 3-4ESD and handling boards ............................................................ 3-4Installing or removing jumpers..................................................... 3-4Equipment handling practices...................................................... 3-4Safety steps ........................................................................... 3-5Cooling and airflow .................................................................. 3-5Power supply.......................................................................... 3-5Power cord warnings................................................................. 3-6Equipment rack anchoring .......................................................... 3-6

3.3 Regulatory specifications .............................................................. 3-6Product Safety Compliance ......................................................... 3-6Product EMC Compliance - Class A Compliance ................................. 3-6

4 9900 WNG Detector and Central server installation 4-14.1 9900 WNG Detector and Central server installation overview ................... 4-2

Required hardware................................................................... 4-24.2 Power requirements .................................................................... 4-3

AC power supplies.................................................................... 4-3DC power supplies.................................................................... 4-4

4.3 Receiving the shipment ................................................................ 4-5Procedure 4-1 To inspect a 9900 WNG package ................................ 4-6

4.4 Installing the 9900 WNG server in a rack............................................ 4-6Prerequisites .......................................................................... 4-6Rack installation...................................................................... 4-7Procedure 4-2 To install the 9900 WNG in a 4-post rack...................... 4-7Procedure 4-3 To install the 9900 WNG in a 2-post rack..................... 4-11

4.5 Grounding a DC-powered server ..................................................... 4-15Prerequisites and safety precautions ............................................ 4-16Procedure 4-4 To prepare the ground wire .................................... 4-16Procedure 4-5 To ground the server............................................. 4-16

4.6 Connecting the cables................................................................. 4-179900 WNG Central external ports................................................. 4-189900 WNG Detector external ports ............................................... 4-18Cable connections................................................................... 4-19Procedure 4-6 To connect cables for a 9900 WNG Detector ................ 4-19Procedure 4-7 To connect cables for a 9900 WNG Central server .......... 4-20Connecting power cables .......................................................... 4-20

Contents

x Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

5 Powering up, powering down, and resetting 9900 WNG components 5-1

5.1 Powering up and down the 9900 WNG Central and Detector overview......... 5-2Powering up the 9900 WNG Central and Detector .............................. 5-2Powering down the 9900 WNG Central and Detector........................... 5-2

5.2 Powering up and down the 9900 WNG Central ..................................... 5-2Procedure 5-1 To power up 9900 WNG Central................................. 5-2Procedure 5-2 To power down the 9900 WNG Central ........................ 5-3

5.3 Powering up and down a 9900 WNG Detector ...................................... 5-4Procedure 5-3 To power up a 9900 WNG Detector ............................. 5-4Procedure 5-4 To power down the 9900 WNG Detector....................... 5-5

5.4 Powering up, powering down, or resetting the 9900 WNG Detector orCentral using the BMC device .................................................. 5-5

Procedure 5-5 To power up, power down, or reset a 9900 WNGDetector or Central using the BMC device.................................. 5-5

Commissioning

6 License requirements 6-16.1 Licensing overview...................................................................... 6-2

License limit exceeded.............................................................. 6-2License expiration.................................................................... 6-2Retrieving license expiration data................................................. 6-3

6.2 Obtaining a license file................................................................. 6-3Procedure 6-1 To obtain the host identifier of 9900 WNG Central .......... 6-3

6.3 Installing the license file on the 9900 WNG Central ............................... 6-3Procedure 6-2 To install a new license on the 9900 WNG Central........... 6-4

7 Mandatory configuration procedures 7-17.1 Mandatory configuration procedures overview..................................... 7-27.2 Mandatory configuration procedures................................................. 7-2

Procedure 7-1 To perform the prerequisites to configure themanagement interface and BMC LAN on a 9900 WNG server ............ 7-2

Procedure 7-2 To configure the management interface and BMCLAN on the 9900 WNG Central and Detector............................... 7-3

Procedure 7-3 To provision the 9900 WNG Central ............................ 7-5Procedure 7-4 To provision the 9900 WNG Detector server .................. 7-6

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xiJuly 2010 3HE 06049 AAAA TQZZA

Hardware maintenance

8 Replacing CRUs 8-18.1 CRU overview ............................................................................ 8-28.2 Replacing hardware precautions...................................................... 8-2

Electrostatic discharge precautions ............................................... 8-38.3 Replacing a power supply.............................................................. 8-3

Procedure 8-1 To replace the power supply .................................... 8-38.4 Replacing a hard disk drive............................................................ 8-4

Procedure 8-2 To replace a hard disk drive ..................................... 8-5

Software maintenance and upgrades

9 Managing software 9-19.1 9900 WNG software upgrade overview .............................................. 9-29.2 Software upgrade CLI commands ..................................................... 9-29.3 Software repositories................................................................... 9-3

Configuring the 9900 WNG Central server as the software repository....... 9-4Procedure 9-1 To configure the 9900 WNG Central as the software

repository........................................................................ 9-4Displaying the enabled software repository ..................................... 9-4Procedure 9-2 To display the enabled software repository................... 9-4

9.4 Software upgrades and updates ...................................................... 9-5Upgrading software .................................................................. 9-5Procedure 9-3 To upgrade software on the 9900 WNG Central and

Detector using the 9900 WNG Central repository ......................... 9-6Procedure 9-4 To upgrade software on the 9900 WNG Central and

Detector using an external software repository........................... 9-7Procedure 9-5 To upgrade software on the 9900 WNG Central and

Detector using a USB removable hard drive as the softwarerepository........................................................................ 9-8

Displaying software packages ...................................................... 9-9Procedure 9-6 To display the software packages that are in the

software repository ............................................................ 9-9

Contents

xii Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

User Guide

9900 WNG overview

10 9900 WNG system 10-110.1 9900 WNG overview.................................................................... 10-2

Key 9900 WNG functions ........................................................... 10-2Key 9900 WNG benefits ............................................................ 10-3

10.2 9900 WNG Detector and Central..................................................... 10-49900 WNG Detector ................................................................. 10-69900 WNG Central................................................................... 10-6

10.3 9900 WNG external user interfaces ................................................. 10-7

11 9900 WNG new features 11-111.1 9900 WNG Release 2.1 features...................................................... 11-2

Configuration procedures

12 Optional configuration procedures 12-112.1 Optional configuration procedures overview ...................................... 12-212.2 9900 WNG Detector optional configuration procedures.......................... 12-2

Specifying the 9900 WNG Detector deployment mode ........................ 12-2Procedure 12-1 To specify the 9900 WNG Detector deployment

mode ............................................................................ 12-3Configuring the RNC load threshold .............................................. 12-3Procedure 12-2 To configure an RNC load threshold ......................... 12-4Configuring CDMA RNC-to-PCF IP address mapping ............................ 12-4Procedure 12-3 To configure RNC-to-PCF IP address mapping .............. 12-5Configuring UMTS RNC-to-SAI mapping .......................................... 12-5Procedure 12-4 To configure RNC-to-SAI mapping ............................ 12-6Specifying the mobile IP address range.......................................... 12-7Procedure 12-5 To specify the mobile IP address range ..................... 12-7Modifying the anomaly event throttle rate ..................................... 12-8Procedure 12-6 To modify the anomaly event throttle rate................. 12-8Adding subnets to a whitelist ..................................................... 12-8Procedure 12-7 To add subnets to a whitelist ................................. 12-8Modifying the mobile dormancy timeout value................................. 12-9Procedure 12-8 To modify the mobile dormancy timeout value .......... 12-10Specifying the VLANs from which packets are captured .................... 12-10Procedure 12-9 To include, exclude, clear, and show VLAN IDs to

process ........................................................................ 12-10

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xiiiJuly 2010 3HE 06049 AAAA TQZZA

Disabling the reporting of specific anomaly events.......................... 12-11Procedure 12-10 To disable the reporting of an anomaly event .......... 12-11Specifying the intensity level for reporting anomaly events ............... 12-12Procedure 12-11 To specify the intensity level for a reported

anomaly event ............................................................... 12-13Adding a detector to a 9900 WNG system ..................................... 12-14Procedure 12-12 To add a 9900 WNG Detector .............................. 12-14Copying files from a 9900 WNG Detector...................................... 12-15Procedure 12-13 To copy 9900 WNG Detector configuration files to

another 9900 WNG Detector............................................... 12-15Deleting a 9900 WNG Detector.................................................. 12-15Procedure 12-14 To delete a 9900 WNG Detector........................... 12-16

12.3 9900 WNG Central optional configuration tasks................................. 12-16Adding entries to the application map table ................................. 12-16Procedure 12-15 To configure the application map table ................. 12-18Enabling the security event manager feed.................................... 12-20Procedure 12-16 To enable the security event manager feed ............ 12-21Loading a saved login banner ................................................... 12-21Procedure 12-17 To load a saved login banner .............................. 12-21Generating a public key.......................................................... 12-21Procedure 12-18 To generate and display a public key .................... 12-22

Internal and external interfaces

13 Interfaces overview 13-113.1 Interfaces overview.................................................................... 13-213.2 Logging in to 9900 WNG interfaces.................................................. 13-3

14 CLI 14-114.1 CLI overview ............................................................................ 14-2

Accessing the 9900 WNG Central and Detector................................. 14-2CLI roles, privileges, and modes .................................................. 14-3CLI timeout........................................................................... 14-5

14.2 Logging in to the CLI................................................................... 14-6Logging in to the CLI on the 9900 WNG Central ................................ 14-6Procedure 14-1 To log in to the CLI on the 9900 WNG Central from a

Windows or UNIX platform using SSH....................................... 14-6Procedure 14-2 To log in to the CLI on the 9900 WNG Central from

the GUI.......................................................................... 14-7Accessing the CLI on the 9900 WNG Detector .................................. 14-7Procedure 14-3 To log in to the CLI on the 9900 WNG Detector ............ 14-8

14.3 Changing modes and target servers ................................................. 14-8Procedure 14-4 To change your mode on the 9900 WNG Central or

Detector ........................................................................ 14-8Procedure 14-5 To change target servers at the same mode................ 14-9Procedure 14-6 To change your mode and target server................... 14-10

14.4 CLI command syntax................................................................. 14-12

Contents

xiv Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

14.5 CLI navigation tips ................................................................... 14-12Displaying available commands ................................................. 14-12Using shortcuts .................................................................... 14-13Scrolling through commands .................................................... 14-14Paging through the CLI output .................................................. 14-14

14.6 CLI commands ........................................................................ 14-14

15 PC client installation 15-115.1 PC client installation overview....................................................... 15-215.2 PC client installation .................................................................. 15-2

Provisioning your PC ................................................................ 15-2Procedure 15-1 To provision your PC............................................ 15-2

15.3 Launching the GUI client.............................................................. 15-3Procedure 15-2 To launch the GUI client ....................................... 15-3Deployment by Java Web Start ................................................... 15-3

16 GUI 16-116.1 GUI overview............................................................................ 16-2

Menu-based and dynamic navigation............................................. 16-216.2 Logging in to the GUI .................................................................. 16-2

Procedure 16-1 To log in to the GUI............................................. 16-216.3 GUI components ........................................................................ 16-2

GUI menus............................................................................ 16-49900 WNG status indicators ....................................................... 16-4Navigation menu and views in the workspace panel .......................... 16-6

16.4 Common features and functions ..................................................... 16-6Sorting functions .................................................................... 16-6Export functions..................................................................... 16-7Calendar and time widget ......................................................... 16-7Using the whois query .............................................................. 16-7

16.5 Configuring the language on the GUI ............................................... 16-8Procedure 16-2 To display the current language resource file.............. 16-8Procedure 16-3 To install a language resource file ........................... 16-9

16.6 Configuring preference settings ..................................................... 16-9Procedure 16-4 To change the default data retrieval settings.............. 16-9Procedure 16-5 To change the default event reporting settings.......... 16-10Procedure 16-6 To modify subscriber report preferences ................. 16-11Procedure 16-7 To configure Network Graph preferences................. 16-12Procedure 16-8 To reset default configuration settings.................... 16-12

17 9900 WNG Central webpage 17-117.1 9900 WNG Central webpage .......................................................... 17-2

Procedure 17-1 To access the 9900 WNG Central webpage ................. 17-2

18 BMC 18-118.1 BMC....................................................................................... 18-2

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xvJuly 2010 3HE 06049 AAAA TQZZA

19 SNMP 19-119.1 SNMP interface ......................................................................... 19-219.2 Configuring SNMPv1/v2c .............................................................. 19-3

Procedure 19-1 To specify the NMS servers and configureSNMPv1/v2c settings .......................................................... 19-3

19.3 Configuring SNMPv3.................................................................... 19-5Procedure 19-2 To configure SNMPv3 settings ................................. 19-5

19.4 SNMP user accounts.................................................................... 19-7Procedure 19-3 To create an SNMP user account ............................. 19-8Procedure 19-4 To create a n SNMP group ..................................... 19-8Procedure 19-5 To delete an SNMP user account ............................. 19-8Procedure 19-6 To delete an SNMP group ...................................... 19-8Procedure 19-7 To display SNMP user accounts ............................... 19-8

19.5 Managing SNMP components.......................................................... 19-9Procedure 19-8 To update SNMP location information ....................... 19-9Procedure 19-9 To update the SNMP agent contact .......................... 19-9

19.6 Deleting SNMP components......................................................... 19-10Procedure 19-10 To delete IP addresses from an SNMP server............ 19-10Procedure 19-11 To delete an SNMP community ............................ 19-10Procedure 19-12 To delete an SNMP host..................................... 19-11Procedure 19-13 To delete an SNMP view .................................... 19-11

19.7 Configuring SNMP for anomaly, trend, and congestion alerts................. 19-11Procedure 19-14 To configure SNMP for anomaly, trend, and

congestion alerts ............................................................ 19-1119.8 SNMP commands...................................................................... 19-12

SNMP SET ........................................................................... 19-12SNMP GET........................................................................... 19-12SNMP TRAP ......................................................................... 19-12

19.9 SNMP MIBs ............................................................................. 19-15Procedure 19-15 To access the SNMP MIBs ................................... 19-15

20 Motive API 20-120.1 Motive API ............................................................................... 20-220.2 Motive API security..................................................................... 20-320.3 Motive API user accounts ............................................................. 20-3

Procedure 20-1 To create a Motive API user account......................... 20-3Procedure 20-2 To delete a Motive API user account......................... 20-3Procedure 20-3 To display Motive API user accounts ......................... 20-4

20.4 Motive API CLI commands............................................................. 20-4Adding Motive API subnets ......................................................... 20-4Procedure 20-4 To add Motive API subnets..................................... 20-4Deleting Motive API subnets ....................................................... 20-5Procedure 20-5 To delete Motive API subnets ................................. 20-5Displaying statistics and log files ................................................. 20-5Procedure 20-6 To display Motive API statistics ............................... 20-6Procedure 20-7 To display Motive API log file ................................. 20-6

Contents

xvi Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

GUI components

21 Dashboard view 21-121.1 9900 WNG Central Dashboard View overview...................................... 21-2

Dashboard features ................................................................. 21-221.2 Dashboard View components ......................................................... 21-2

Dashboard elements ................................................................ 21-421.3 Plotting elements in the Dashboard View .......................................... 21-5

Maximum number of element plots .............................................. 21-5Plotting procedures ................................................................. 21-5Procedure 21-1 To plot an element in the dashboard ........................ 21-5Procedure 21-2 To configure mandatory parameters for element

charts ........................................................................... 21-521.4 Dashboard View components and controls ......................................... 21-8

Element display controls ........................................................... 21-9Axes controls......................................................................... 21-9

21.5 Configuring optional properties for dashboard elements ........................ 21-9Procedure 21-3 To configure optional preferences for intensity

tables.......................................................................... 21-10Procedure 21-4 To configure optional properties for element charts.... 21-11

21.6 Modifying chart display properties ................................................ 21-12Right-click customization options .............................................. 21-12Configuring chart display properties ........................................... 21-12Procedure 21-5 To configure chart display properties ..................... 21-13

21.7 Moving a dashboard chart to a new dashboard.................................. 21-13Procedure 21-6 To move an chart to a new dashboard..................... 21-13

22 Real-time Events views 22-122.1 Real-time Events overview ........................................................... 22-2

Common features and components in the Real-time Events View .......... 22-2Real-time Events common components.......................................... 22-2

22.2 Anomaly Events view .................................................................. 22-5Anomaly Events view components................................................ 22-6Event Details in the Anomaly Events view ...................................... 22-7Filtering Anomaly Events........................................................... 22-8Procedure 22-1 To filter Anomaly Events....................................... 22-8Working in the Anomaly Events view............................................. 22-9

22.3 Performance Events view ........................................................... 22-10Performance Events view components ........................................ 22-10Configuring a Performance Events filter ...................................... 22-11Procedure 22-2 To filter Performance Events ............................... 22-11Working in the Performance Events view ..................................... 22-11

22.4 Anomaly History view................................................................ 22-12Anomaly History menu components and functions........................... 22-12Filtering Anomaly History records .............................................. 22-12Procedure 22-3 To filter Anomaly History records .......................... 22-13Anomaly History view components ............................................. 22-14Working in the Anomaly History view .......................................... 22-14

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xviiJuly 2010 3HE 06049 AAAA TQZZA

23 Forensic View 23-123.1 Forensic View overview ............................................................... 23-2

Generating Forensic View reports ................................................ 23-223.2 Forensic View menu components .................................................... 23-2

Forensic View tab ................................................................... 23-2Historic View tab .................................................................... 23-3

23.3 Forensic View reports ................................................................. 23-3Forensic reports components...................................................... 23-4

23.4 Working in the Forensic View ........................................................ 23-5Operations in the Forensic Events Details panel ............................... 23-5Querying data in the Forensic Events Details panel ........................... 23-6Opening the Mobile Flow view .................................................... 23-6

24 Topology view 24-124.1 Topology view overview............................................................... 24-224.2 Element Tables view................................................................... 24-2

Working in the Element Tables ................................................... 24-524.3 Network Graph view ................................................................... 24-6

Opening the Network Graphs view ............................................... 24-6Network Graph components and controls ....................................... 24-7

24.4 Working in the Network Graphs view ............................................... 24-8Display functions .................................................................... 24-8Operations in the Network Graph view ........................................ 24-10

24.5 Provisioning operations using the Network Element tables ................... 24-11Naming convention................................................................ 24-11Bulk provisioning NE groups from the Element Tables ...................... 24-11Procedure 24-1 To provision NEs in bulk using the Network Element

table........................................................................... 24-11Searching for NEs using the Network Element table......................... 24-12Procedure 24-2 To search for NEs using the Network Element table .... 24-12

25 Network Forensics view 25-125.1 Network Forensic view overview .................................................... 25-2

Hop reports .......................................................................... 25-2Network Element reports .......................................................... 25-2

25.2 Network Forensic view menu components ......................................... 25-2Generating a Network Forensic report........................................... 25-3Procedure 25-1 To generate a network forensic report ...................... 25-3History tab ........................................................................... 25-4

25.3 Network Forensic reports components ............................................. 25-4Network Forensic concise report components.................................. 25-5Network Forensic detailed report components................................. 25-5

25.4 Working in the Network Forensic view.............................................. 25-7Export functions..................................................................... 25-7Sort functions for table data ...................................................... 25-7Operations in the Network Forensic view ....................................... 25-7

Contents

xviii Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

26 System View 26-126.1 System View overview................................................................. 26-226.2 System View menu icons .............................................................. 26-226.3 System Events view .................................................................... 26-2

System Events components ........................................................ 26-3System Events display preferences............................................... 26-4Procedure 26-1 To filter system events......................................... 26-5

26.4 System History view ................................................................... 26-526.5 Working in the System View.......................................................... 26-6

Operations............................................................................ 26-6

27 Mobile Flow view 27-127.1 Mobile Flow records overview........................................................ 27-2

Mobile Flow menu and query form components................................ 27-2Generating Mobile Flow reports .................................................. 27-2Procedure 27-1 To generate a Mobile Flow report ............................ 27-2

27.2 Mobile Flow record components ..................................................... 27-3Event Details panel ................................................................. 27-5

27.3 Working in the Mobile Flow view .................................................... 27-7Operations in the Mobile Flow Event Details panel ............................ 27-7Opening Network Forensic reports from the Path tab......................... 27-8

27.4 Considerations regarding Mobile Flow measurements............................ 27-8RTT measurements (in the Performance tab) .................................. 27-8Throughput measurement (in the Performance tab) .......................... 27-8

28 CLI view 28-128.1 CLI view.................................................................................. 28-2

29 Subscriber view 29-129.1 Subscriber overview ................................................................... 29-229.2 Subscriber menu components ........................................................ 29-2

Subscriber view components ...................................................... 29-3Active Reports and Historic Reports tabs........................................ 29-3

29.3 Characteristics of subscriber reports ............................................... 29-429.4 Generating subscriber reports ....................................................... 29-4

Acquiring subscriber IDs............................................................ 29-4Procedure 29-1 To configure and generate a subscriber report ............ 29-5

29.5 Components of subscriber reports................................................... 29-729.6 Statistics tab............................................................................ 29-829.7 Top Applications tab................................................................... 29-829.8 Top Servers tab....................................................................... 29-1029.9 Anomaly Events tab.................................................................. 29-1129.10 Flow/Session tab ..................................................................... 29-11

Plots in the Flow/Session tab ................................................... 29-13Flow Details button ............................................................... 29-14

29.11 Path tab components ................................................................ 29-14Path panel interactions with Graphics view and Forensic reports......... 29-15

29.12 Billing tab ............................................................................. 29-15

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xixJuly 2010 3HE 06049 AAAA TQZZA

Browser-based reporting and management

30 Browser-based reporting overview 30-130.1 Browser-based reporting overview .................................................. 30-2

Legacy reports ....................................................................... 30-230.2 Generating a browser-based report ................................................. 30-2

Procedure 30-1 To generate a browser-based report......................... 30-230.3 Input parameters page components................................................. 30-3

Report controls ...................................................................... 30-4Filters ................................................................................. 30-4Time parameter fields.............................................................. 30-4Time zones ........................................................................... 30-5Lag period to current time ........................................................ 30-5Impact of daily summarization on early morning queries..................... 30-6

30.4 Report presentation page............................................................. 30-6Tool tips .............................................................................. 30-6Navigation icons on the presentation page ..................................... 30-6

30.5 Report types ............................................................................ 30-7Time-series charts .................................................................. 30-7Stacked area charts................................................................. 30-8Cumulative distribution function charts ......................................... 30-9Pie charts........................................................................... 30-10Table reports ...................................................................... 30-11

30.6 Exporting reports..................................................................... 30-12Export icons on the presentation page ........................................ 30-12Exporting graphical reports to an Excel or a CSV file ....................... 30-13

31 Configuring browser-based reports 31-131.1 Browser-based reports parameters overview...................................... 31-231.2 Network resource usage reports ..................................................... 31-2

Description of network resource usage reports ................................ 31-2Parameters overview for network resource usage reports ................... 31-4

31.3 Network statistics reports ............................................................ 31-5Description of network statistics reports........................................ 31-5Parameters overview for network statistics reports........................... 31-8

31.4 Network elements reports .......................................................... 31-10Description of network element reports ...................................... 31-10Parameters overview for network element reports ......................... 31-22Common configuration options for network reports......................... 31-24

31.5 Hop reports ........................................................................... 31-25Description of hop reports ....................................................... 31-26Parameters overview for hop reports .......................................... 31-27

31.6 Security reports ...................................................................... 31-28Description of security reports.................................................. 31-28

31.7 Subscriber reports.................................................................... 31-29Description of subscriber reports ............................................... 31-30Parameters overview for subscriber reports .................................. 31-35

Contents

xx Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

31.8 Applications reports ................................................................. 31-36Description of applications reports............................................. 31-36Parameters overview for applications reports................................ 31-40Configuring application parameters............................................ 31-40

31.9 Devices reports ....................................................................... 31-41Description of device reports ................................................... 31-42Parameters overview for device reports ...................................... 31-46

31.10 Troubleshooting ...................................................................... 31-47

32 Subscriber Group Manager 32-132.1 Subscriber Group Manager overview ................................................ 32-2

Interactions with web-based subscriber reports ............................... 32-232.2 Subscriber Group Manager page components...................................... 32-232.3 Creating a subscriber group .......................................................... 32-3

Procedure 32-1 To create a subscriber group.................................. 32-332.4 Searching for a subscriber ............................................................ 32-4

Procedure 32-2 To search for a subscriber ..................................... 32-432.5 Changing the subscriber group view ................................................ 32-4

Procedure 32-3 To change the subscriber group view........................ 32-432.6 Importing subscriber data ............................................................ 32-5

Procedure 32-4 To import subscriber data ..................................... 32-5

Network anomaly reporting and management

33 Threat detection and network anomaly events 33-133.1 Threat detection and network anomalies overview .............................. 33-233.2 Threat detection in a CDMA network ............................................... 33-2

Inputs and outputs .................................................................. 33-333.3 Threat detection in a UMTS network................................................ 33-3

Inputs and outputs .................................................................. 33-533.4 High-level workflow to investigate an anomaly event ........................... 33-5

Procedure 33-1 To investigate an anomaly event ............................. 33-533.5 Network anomaly events.............................................................. 33-633.6 Wireless attack events ................................................................ 33-7

Signaling attacks from a single source ........................................... 33-7Battery attacks from a single source............................................. 33-8Distributed battery attacks........................................................ 33-9RNC overloads ..................................................................... 33-10Single source mobile floods...................................................... 33-11Distributed mobile floods ........................................................ 33-12ICMP router discovery abuses ................................................... 33-13

33.7 Port scans and unwanted source events.......................................... 33-14Horizontal port scan events ..................................................... 33-14Vertical port scan events ........................................................ 33-15Unwanted source.................................................................. 33-16

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xxiJuly 2010 3HE 06049 AAAA TQZZA

33.8 Abusive subscriber events .......................................................... 33-17High-usage subscriber events ................................................... 33-17High signaling subscriber event ................................................. 33-18Always-active subscriber......................................................... 33-19Peer-to-peer mobile traffic events............................................. 33-20

33.9 Specifying the threshold values for anomaly events............................ 33-21Procedure 33-2 To specify the threshold values for an anomaly

event .......................................................................... 33-21

System Administration and Security Guide

Security and user account administration

34 Security overview 34-134.1 Security overview ...................................................................... 34-2

35 Managing licenses 35-135.1 Viewing the current license status .................................................. 35-2

Procedure 35-1 To view licensing information using the CLI ................ 35-235.2 Viewing license violation system events............................................ 35-2

36 User account management 36-136.1 User account management overview................................................ 36-2

Roles .................................................................................. 36-2Privileges ............................................................................. 36-2Passwords............................................................................. 36-3

36.2 Managing user accounts ............................................................... 36-4Creating a user account ............................................................ 36-5Procedure 36-1 To create a user account with CLI, GUI, and Reports

roles ............................................................................. 36-5Changing passwords................................................................. 36-5Procedure 36-2 To change the password for another user................... 36-6Procedure 36-3 To change your password using the CLI ..................... 36-6Procedure 36-4 To change your password using the GUI ..................... 36-6Modifying privileges................................................................. 36-7Procedure 36-5 To modify the privileges for a role........................... 36-7Modifying the name of an account ............................................... 36-7Procedure 36-6 To modify the name of an account........................... 36-8

Contents

xxii Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Setting the password timeout ..................................................... 36-8Procedure 36-7 To reset the default timeout for all passwords ............ 36-8Procedure 36-8 To reset the default timeout for a specific password..... 36-8Setting the idle timeout............................................................ 36-9Procedure 36-9 To set the idle timeout for user accounts................... 36-9Disconnecting users ................................................................. 36-9Procedure 36-10 To disconnect one or all users from active GUI

sessions ......................................................................... 36-9Deleting user accounts ........................................................... 36-10Procedure 36-11 To delete a user account ................................... 36-10

36.3 Monitoring user accounts ........................................................... 36-10Displaying user accounts ......................................................... 36-11Procedure 36-12 To display CLI, GUI, and Reports roles that are on

the 9900 WNG Central ...................................................... 36-11Procedure 36-13 To display user accounts with a pattern ................. 36-12Displaying idle timeouts.......................................................... 36-12Procedure 36-14 To display the idle timeout for the GUI and

Reports roles ................................................................. 36-12

System monitoring and administration

37 Monitoring the 9900 WNG Central and Detector 37-137.1 Monitoring the 9900 WNG system.................................................... 37-237.2 Monitoring the 9900 WNG using log files ........................................... 37-2

Procedure 37-1 To view 9900 WNG log files using CLI ........................ 37-3Sample log reports .................................................................. 37-3

37.3 Monitoring GUI reports and queries ............................................... 37-10Subscriber Report ................................................................. 37-11Network Forensic Element Report.............................................. 37-11Network Forensic Hop Report ................................................... 37-11Mobile Flow Query ................................................................ 37-12

37.4 Measuring system performance .................................................... 37-12show stats .......................................................................... 37-13show memory ...................................................................... 37-16show system........................................................................ 37-17show backhaul ..................................................................... 37-18show compressionStatus ......................................................... 37-18show top ............................................................................ 37-18

37.5 Monitoring a remote 9900 WNG Central and Detector using the BMC ....... 37-29Procedure 37-2 To monitor a 9900 WNG Detector or Central

remotely using the BMC .................................................... 37-30Displaying the health status of the 9900 WNG Detector or Central ....... 37-31Procedure 37-3 To display the health status of the 9900 WNG

Detector or Central ......................................................... 37-31Displaying the sensor status of the 9900 WNG Central or Detector ....... 37-31Procedure 37-4 To display the sensor status of the 9900 WNG

Central or Detector ......................................................... 37-32

Contents

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 xxiiiJuly 2010 3HE 06049 AAAA TQZZA

38 System events 38-138.1 System events overview............................................................... 38-2

Viewing system events ............................................................. 38-2System Event types ................................................................. 38-2

38.2 License Violation system event ...................................................... 38-238.3 Link Down system event .............................................................. 38-3

Clearing a Link Down event........................................................ 38-338.4 Process Down system event .......................................................... 38-338.5 Process Start system event ........................................................... 38-438.6 CPU Usage system event .............................................................. 38-438.7 Disk Usage system event .............................................................. 38-4

Exceptions for the 9900 WNG Central root partition .......................... 38-538.8 Memory Usage system event ......................................................... 38-538.9 No Packet system event............................................................... 38-638.10 Packet Drop system event ............................................................ 38-638.11 Line rate threshold system event.................................................... 38-638.12 Queue Usage system event ........................................................... 38-738.13 Hardware Failure system event...................................................... 38-838.14 Swap Usage system event............................................................. 38-8

Database administration

39 Backup and restore 39-139.1 Backup and restore overview ........................................................ 39-2

Recommended frequency of full database backups ........................... 39-2Restoring backup data.............................................................. 39-3Location of backup and restore files ............................................. 39-3Accessing SCP locations ............................................................ 39-3Backup filename format ........................................................... 39-3

39.2 Backing up 9900 WNG Central files.................................................. 39-4Procedure 39-1 To back up 9900 WNG Central files .......................... 39-4Incremental backups of the reports database .................................. 39-5Procedure 39-2 To perform an incremental backup of the reports

database ........................................................................ 39-539.3 Restoring 9900 WNG Central files ................................................... 39-5

Procedure 39-3 To restore 9900 WNG Central files ........................... 39-5Incrementally restoring report database files .................................. 39-6Procedure 39-4 To restore reports database increments .................... 39-6

39.4 Backing up 9900 WNG Detector files ................................................ 39-7Procedure 39-5 To backup a 9900 WNG Detector ............................. 39-7

39.5 Restoring 9900 WNG Detector files.................................................. 39-7Procedure 39-6 To restore a 9900 WNG Detector ............................. 39-7

Glossary

Contents

xxiv Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Index

Alcatel-Lucent 9900WIRELESS NETWORK GUARDIAN | RELEASE 2.1P L A N N I N G , I N S T A L L A T I O N , A N D U P G R A D E G U I D E


P L A N N I N G , I N S T A L L A T I O N , A N D U P G R A D E G U I D E





Disclaimers





iii

Alcatel-Lucent License Agreement

SAMPLE END USER LICENSE AGREEMENT

1. LICENSE1.1 Subject to the terms and conditions of this Agreement, Alcatel-Lucent grants

to Customer and Customer accepts a nonexclusive, nontransferable license to use any software and related documentation provided by Alcatel-Lucent pursuant to this Agreement ("Licensed Program") for Customer's own internal use, solely in conjunction with hardware supplied or approved by Alcatel-Lucent. In case of equipment failure, Customer may use the Licensed Program on a backup system, but only for such limited time as is required to rectify the failure.

1.2 Customer acknowledges that Alcatel-Lucent may have encoded within the Licensed Program optional functionality and capacity (including, but not limited to, the number of equivalent nodes, delegate workstations, paths and partitions), which may be increased upon the purchase of the applicable license extensions.

1.3 Use of the Licensed Program may be subject to the issuance of an application key, which shall be conveyed to the Customer in the form of a Supplement to this End User License Agreement. The purchase of a license extension may require the issuance of a new application key.

2. PROTECTION AND SECURITY OF LICENSED PROGRAMS2.1 Customer acknowledges and agrees that the Licensed Program contains

proprietary and confidential information of Alcatel-Lucent and its third party suppliers, and agrees to keep such information confidential. Customer shall not disclose the Licensed Program except to its employees having a need to know, and only after they have been advised of its confidential and proprietary nature and have agreed to protect same.

2.2 All rights, title and interest in and to the Licensed Program, other than those expressly granted to Customer herein, shall remain vested in Alcatel-Lucent or its third party suppliers. Customer shall not, and shall prevent others from copying, translating, modifying, creating derivative works, reverse engineering, decompiling, encumbering or otherwise using the Licensed Program except as specifically authorized under this Agreement. Notwithstanding the foregoing, Customer is authorized to make one copy for its archival purposes only. All appropriate copyright and other proprietary notices and legends shall be placed on all Licensed Programs supplied by Alcatel-Lucent, and Customer shall maintain and reproduce such notices on any full or partial copies made by it.

3. TERM3.1 This Agreement shall become effective for each Licensed Program upon

delivery of the Licensed Program to Customer.

iv

3.2 Alcatel-Lucent may terminate this Agreement: (a) upon notice to Customer if any amount payable to Alcatel-Lucent is not paid within thirty (30) days of the date on which payment is due; (b) if Customer becomes bankrupt, makes an assignment for the benefit of its creditors, or if its assets vest or become subject to the rights of any trustee, receiver or other administrator; (c) if bankruptcy, reorganization or insolvency proceedings are instituted against Customer and not dismissed within 15 days; or (d) if Customer breaches a material provision of this Agreement and such breach is not rectified within 15 days of receipt of notice of the breach from Alcatel-Lucent.

3.3 Upon termination of this Agreement, Customer shall return or destroy all copies of the Licensed Program. All obligations of Customer arising prior to termination, and those obligations relating to confidentiality and nonuse, shall survive termination.

4. CHARGES4.1 Upon shipment of the Licensed Program, Alcatel-Lucent will invoice

Customer for all fees, and any taxes, duties and other charges. Customer will be invoiced for any license extensions upon delivery of the new software application key or, if a new application key is not required, upon delivery of the extension. All amounts shall be due and payable within thirty (30) days of receipt of invoice, and interest will be charged on any overdue amounts at the rate of 1 1/2% per month (19.6% per annum).

5. SUPPORT AND UPGRADES5.1 Customer shall receive software support and upgrades for the Licensed

Program only to the extent provided for in the applicable Alcatel-Lucent software support policy in effect from time to time, and upon payment of any applicable fees. Unless expressly excluded, this Agreement shall be deemed to apply to all updates, upgrades, revisions, enhancements and other software which may be supplied by Alcatel-Lucent to Customer from time to time.

6. WARRANTIES AND INDEMNIFICATION6.1 Alcatel-Lucent warrants that the Licensed Program as originally delivered to

Customer will function substantially in accordance with the functional description set out in the associated user documentation for a period of 90 days from the date of shipment, when used in accordance with the user documentation. Alcatel-Lucent's sole liability and Customer's sole remedy for a breach of this warranty shall be Alcatel-Lucent's good faith efforts to rectify the nonconformity or, if after repeated efforts Alcatel-Lucent is unable to rectify the nonconformity, Alcatel-Lucent shall accept return of the Licensed Program and shall refund to Customer all amounts paid in respect thereof. This warranty is available only once in respect of each Licensed Program, and is not renewed by the payment of an extension charge or upgrade fee.

v

6.2 ALCATEL-LUCENT EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, REPRESENTATIONS, COVENANTS OR CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, WARRANTIES OR REPRESENTATIONS OF WORKMANSHIP, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, DURABILITY, OR THAT THE OPERATION OF THE LICENSED PROGRAM WILL BE ERROR FREE OR THAT THE LICENSED PROGRAMS WILL not INFRINGE UPON ANY THIRD PARTY RIGHTS.

6.3 Alcatel-Lucent shall defend and indemnify Customer in any action to the extent that it is based on a claim that the Licensed Program furnished by Alcatel-Lucent infringes any patent, copyright, trade secret or other intellectual property right, provided that Customer notifies Alcatel-Lucent within ten (10) days of the existence of the claim, gives Alcatel-Lucent sole control of the litigation or settlement of the claim, and provides all such assistance as Alcatel-Lucent may reasonably require. Notwithstanding the foregoing, Alcatel-Lucent shall have no liability if the claim results from any modification or unauthorized use of the Licensed Program by Customer, and Customer shall defend and indemnify Alcatel-Lucent against any such claim.

6.4 Alcatel-Lucent Products are intended for standard commercial uses. Without the appropriate network design engineering, they must not be sold, licensed or otherwise distributed for use in any hazardous environments requiring fail safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life-support machines, or weapons systems, in which the failure of products could lead directly to death, personal injury, or severe physical or environmental damage. The Customer hereby agrees that the use, sale, license or other distribution of the Products for any such application without the prior written consent of Alcatel-Lucent, shall be at the Customer's sole risk. The Customer also agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the Products in such applications.

7. LIMITATION OF LIABILITY7.1 IN NO EVENT SHALL THE TOTAL COLLECTIVE LIABILITY OF

ALCATEL-LUCENT, ITS EMPLOYEES, DIRECTORS, OFFICERS OR AGENTS FOR ANY CLAIM, REGARDLESS OF VALUE OR NATURE, EXCEED THE AMOUNT PAID UNDER THIS AGREEMENT FOR THE LICENSED PROGRAM THAT IS THE SUBJECT MATTER OF THE CLAIM. IN NO EVENT SHALL THE TOTAL COLLECTIVE LIABILITY OF ALCATEL-LUCENT, ITS EMPLOYEES, DIRECTORS, OFFICERS OR AGENTS FOR ALL CLAIMS EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO ALCATEL-LUCENT HEREUNDER. NO PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER OR not SUCH DAMAGES ARE FORESEEABLE, AND/OR THE PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7.2 The foregoing provision limiting the liability of Alcatel-Lucent's employees, agents, officers and directors shall be deemed to be a trust provision, and shall be enforceable by such employees, agents, officers and directors as trust beneficiaries.

vi

8. GENERAL8.1 Under no circumstances shall either party be liable to the other for any failure

to perform its obligations (other than the payment of any monies owing) where such failure results from causes beyond that party's reasonable control.

8.2 This Agreement constitutes the entire agreement between Alcatel-Lucent and Customer and supersedes all prior oral and written communications. All amendments shall be in writing and signed by authorized representatives of both parties.

8.3 If any provision of this Agreement is held to be invalid, illegal or unenforceable, it shall be severed and the remaining provisions shall continue in full force and effect.

8.4 The Licensed Program may contain freeware or shareware obtained by Alcatel-Lucent from a third party source. No license fee has been paid by Alcatel-Lucent for the inclusion of any such freeware or shareware, and no license fee is charged to Customer for its use. The Customer agrees to be bound by any license agreement for such freeware or shareware. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE THIRD PARTY SOURCE PROVIDES NO WARRANTIES AND SHALL HAVE NO LIABILITY WHATSOEVER IN RESPECT OF CUSTOMER'S POSSESSION AND/OR USE OF THE FREEWARE OR SHAREWARE.

8.5 Alcatel-Lucent shall have the right, at its own expense and upon reasonable written notice to Customer, to periodically inspect Customer's premises and such documents as it may reasonably require, for the exclusive purpose of verifying Customer's compliance with its obligations under this Agreement.

8.6 All notices shall be sent to the parties at the addresses listed above, or to any such address as may be specified from time to time. Notices shall be deemed to have been received five days after deposit with a post office when sent by registered or certified mail, postage prepaid and receipt requested.

8.7 If the Licensed Program is being acquired by or on behalf of any unit or agency of the United States Government, the following provision shall apply: If the Licensed Program is supplied to the Department of Defense, it shall be classified as "Commercial Computer Software" and the United States Government is acquiring only "restricted rights" in the Licensed Program as defined in DFARS 227-7202-1(a) and 227.7202-3(a), or equivalent. If the Licensed Program is supplied to any other unit or agency of the United States Government, rights will be defined in Clause 52.227-19 or 52.227-14 of the FAR, or if acquired by NASA, Clause 18-52.227-86(d) of the NASA Supplement to the FAR, or equivalent. If the software was acquired under a contract subject to the October 1988 Rights in Technical Data and Computer Software regulations, use, duplication and disclosure by the Government is subject to the restrictions set forth in DFARS 252-227.7013(c)(1)(ii) 1988, or equivalent.

8.8 Customer shall comply with all export regulations pertaining to the Licensed Program in effect from time to time. Without limiting the generality of the foregoing, Customer expressly warrants that it will not directly or indirectly export, reexport, or transship the Licensed Program in violation of any export laws, rules or regulations of Canada, the United States or the United Kingdom.

vii

8.9 No term or provision of this Agreement shall be deemed waived and no breach excused unless such waiver or consent is in writing and signed by the party claimed to have waived or consented. The waiver by either party of any right hereunder, or of the failure to perform or of a breach by the other party, shall not be deemed to be a waiver of any other right hereunder or of any other breach or failure by such other party, whether of a similar nature or otherwise.

8.10 This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario. The application of the United Nations Convention on Contracts for the International Sale of Goods is hereby expressly excluded.

viii

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA

Planning and system architecture

1 9900 WNG system architecture 1-1

2 9900 WNG planning 2-1

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 1-1July 2010 3HE 06049 AAAA TQZZA

1 9900 WNG system architecture

1.1 9900 WNG overview 1-2

1.2 9900 WNG Detector and Central 1-2

1.3 9900 WNG hardware 1-5

1.4 9900 WNG software 1-6

1.5 9900 WNG external user interfaces 1-7


1-2 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

1.1 9900 WNG overview

The 9900 WNG monitors wireless data subscriber traffic and network signaling traffic to identify behaviors that threaten the performance of wireless data networks.

1.2 9900 WNG Detector and Central

The main components of the 9900 WNG system include:

• 9900 WNG Central• 9900 WNG Detector

Figure 1-1 shows the 9900 WNG Detector and Central in a wireless network.

Figure 1-1 9900 WNG components in a wireless network

The connections between the 9900 WNG and other NEs in a wireless data CDMA network are shown in Figure 1-2.



Figure 1-2 Network architecture for a CDMA environment

The 9900 WNG supports UMTS networks. The connections between the 9900 WNG and other network elements in a UMTS network are shown in Figure 1-3.

Figure 1-3 Network architecture for a UMTS environment

9900 WNGDetector

9900 WNGCentral

NMS

Servers

ExternalSources

AAA

AAA

AAA

GGSN

GGSN

RNC

SGSN

RNC BTS

BTS

21186



9900 WNG Detector

Table 1-1 describes the 9900 WNG Central based on the location.

Table 1-1 9900 WNG Detector

9900 WNG Central

Table 1-2 describes the 9900 WNG Detector based on the location.

Location Description

CDMA environment

In the network, a 9900 WNG Detector observes mirrored IP traffic between the AAA server and the PDSN, and between the HA and the PDSN. The 9900 WNG Detector monitors wireless traffic and reports anomalous behaviors to the 9900 WNG Central.The 9900 WNG Detector supports CDMA and UMTS technology at the same time.

Wireless network

The 9900 WNG Detector comprises purpose-designed hardware and software that monitors IP sessions and detects anomalous behaviors, registered to the individual subscriber level. The 9900 WNG Detector observes IP traffic mirrored from the packet core, as well as RADIUS traffic, interprets network events and states, and identifies anomalous traffic flow. The 9900 WNG Detector reports anomalies to the 9900 WNG Central to alert operators to take appropriate action.The 9900 WNG Detector identifies wireless specific anomaly events and notifies the 9900 WNG Central over a secure tunnel. All communication for configuration, bootstrap, and alarm reporting from the 9900 WNG Detector to the 9900 WNG Central component is through a SSL connection. The 9900 WNG Detector provides the following functionality:• supports up to two million packets per second or up to 4 Gb/s, whichever is

lower• supports up to one million subscriber sessions• supports up five million simultaneous flows• tracks information from the subscriber registration activities to associate the

dynamically assigned IP address with the user device identification and network path

• infers loads across the wireless data network by watching signaling and data traffic

• detects wireless 3G/4G network anomaly behavior using proprietary algorithms

• monitors individual subscriber session behavior (Mobile Flow records)• monitors mobile-to-mobile and Internet-to-mobile traffic

UMTS environment

In the UMTS environment, the 9900 WNG Detector observes mirrored IP traffic on two interfaces: between the AAA Server and the SGSN (Serving GPRS Service Node) and between the SGSN and the GGSN (Gateway GPRS Service Node). It is expected that an available Ethernet port from each of these interfaces is available from a switch or router within the Service Providers network. To avoid congestion on the capture ports, the capture port speed shall match or exceed the snooped interface. The 9900 WNG Detector snoops the path to the mirrored AAA Server for information regarding active mobile IP data sessions and reports anomalous behavior to the 9900 WNG Central.The 9900 WNG Detector supports CDMA technology and Universal Mobile Telecommunications System (UMTS) technology at the same time.



Table 1-2 9900 WNG Central

1.3 9900 WNG hardware

The following sections describe the hardware requirements for the 9900 WNG Detector and Central.

9900 WNG Detector hardware

The 9900 WNG Detector hardware is located in a NOC, security operations center, or central office. The major hardware components of the 9900 WNG Detector include:

• Multi-core server• 32GB RAM, 667 MHZ DIMMS. • six hot-swappable 2.5” SAS HDD media storage, with at least 146GB space per

HDD• 4 x 1Gbps Gigabit Ethernet NIC• Up to four SFP modules (optical or copper) • BMC


CDMA environment

The 9900 WNG Central has an EMS and also supports a northbound system log and SNMP interface to network management systems, if required.

Wireless network

The 9900 WNG Central comprises hardware and software with which to manage a set of 9900 WNG Detectors. The 9900 WNG Central handles correlation and northbound reporting functions, and helps identify unwanted traffic on the network. The 9900 WNG Central uses application software to process anomaly event streams from the 9900 WNG Detector, generate alarms, generate daily and on-demand network usage reports, and report to northbound network and security operations platforms.The 9900 WNG Central collects event data and mobile flow records generated from multiple 9900 WNG Detectors that are deployed throughout a providers network and stores the information in a database. The 9900 WNG Central provides the following functionality:• configures and manages 9900 WNG Detectors in the system as well as itself• supports up to 10 Detectors• provides GUI and CLI capabilities• collects, stores, and reports event data and notifications from the Detectors• provides a status display of the 9900 WNG system and provides the ability to

relay status and alarm information on external and internal interfaces as needed by the configuration

• provides the WSP with a user-friendly means of observing, recording, and interpreting the alarms and reports on anomaly status

• downloads software upgrades to the Detectors• manages events at an aggregated average rate of 2500 events per second• manages servers at a peak rate of 10 000 events per second

UMTS environment

The 9900 WNG Central has an EMS and also supports a northbound system log and Simple Network Management Protocol (SNMP) interface to the Network Management Systems (NMS), if required.



• Dual DC, 600W power supplies or Dual AC power supplies • 32 Gb memory server (TIGH2U)

The 9900 WNG Detector is a NEBS-3 and ETSI certified product that is suited for a host of applications in the Telecom Central Office and industrial environment.

9900 WNG Central hardware

The 9900 WNG Central hardware is located in the NOC, security operations center, or the central office. The major hardware components of the 9900 WNG Central include:

• Multi-core server• 32GB RAM, 667 MHZ DIMMS • six hot-swappable 2.5” SAS HDD media storage, with at least 146GB space per

HDD• CD-ROM and/or DVD-ROM • BMC• Dual DC, 600W power supplies or Dual AC power supplies

Detecting hardware failuresHardware Failure system events can be used to determine when a disk should be replaced. See section 38.13 for more information.

1.4 9900 WNG software

Table 1-3 describes the 9900 WNG software.

Table 1-3 9900 WNG software

Software Description

Red Hat® Enterprise® Linux

The 9900 WNG Central and 9900 WNG Detector software use the Red Hat Enterprise Linux operating system, version 5.1 or later.

MySQLTM database

The 9900 WNG Central software uses the MySQL database.

AdventNet SNMP The 9900 WNG Central software uses AdventNet SNMP to report to the northbound network and security operations platform.

9900 WNG application software

The 9900 WNG application software• Performs traffic analysis• Runs a CLI• Hosts a GUI• Processes anomaly event streams from the 9900 WNG Detector• Generates alarms• Produces reports• Reports to northbound network and security operations platforms



Detecting software problemsYou can use system events to determine software problems. See chapter 38 for more information.

1.5 9900 WNG external user interfaces

Figure 1-4 shows the components of the 9900 WNG and the associated interfaces.

Figure 1-4 9900 WNG external interfaces




2 9900 WNG planning

2.1 Planning overview 2-2

2.2 9900 WNG Central and Detector server planning 2-2

2.3 9900 WNG Central planning 2-2

2.4 9900 WNG Detector planning 2-3

2.5 IP addresses and port numbers planning 2-11

2.6 Site preparation planning 2-12

2 9900 WNG planning


2.1 Planning overview

You must consider the following before for you use the 9900 WNG in your network:

• evaluate the current network capacity for optimum use of the 9900 WNG• determine the appropriate physical location of the 9900 WNG Central and

Detector• identify the necessary equipment for 9900 WNG implementation

2.2 9900 WNG Central and Detector server planning

The 9900 WNG uses two servers, as described in Table 2-1.

Table 2-1 9900 WNG Central and Detector

2.3 9900 WNG Central planning

The 9900 WNG Central can be located in the NOC, security center, or a central office. The location for the 9900 WNG Central can be determined by:

• co-location with one or more 9900 WNG Detectors in a geographic cluster• where it is accessible for physical maintenance needs• AC and DC power supply options are available• other locations, as determined by organizational requirements• the Central management port must be connected to a LAN that is accessible for

remote monitoring because the user interfaces are on the 9900 WNG Central

The 9900 WNG Central supports the following:

• average rate feed of 2000 events/s from all 9900 WNG Detectors• peak rate feed of 10000 events/s from all 9900 WNG Detectors

Server Description

9900 WNG Central Provides all of the external user interfaces (webpage, GUI, CLI), northbound SNMP NMS interface, and has a large disk and database to collect events from all of the 9900 WNG Detectors.

9900 WNG Detector Monitors and analyzes packets that are received from one or more tap points in the wireless access network. The 9900 WNG Detector generates anomaly events and status events that are sent to the 9900 WNG Central server to be used for real-time anomaly reporting and network awareness reports.

2 9900 WNG planning


2.4 9900 WNG Detector planning

The following figures show a simple network configuration for CDMA and UMTS. The 9900 WNG Detectors can be located at specific points in the network to collect different types of network data.

Figure 2-1 Typical network configuration for a CDMA environment

Figure 2-2 Typical network configuration for a UMTS environment

Processing dataTable 2-2 describes the data that is processed by the 9900 WNG Detectors based on the network type.

Homenetwork

PDSN

HA

PDSN PDSN

HA

Roamingnetwork

PDSN

Internet

21188

AAA AAA

Homenetwork

SGSN

GGSN

SGSN SGSN

GGSN

Roamingnetwork

SGSN

Internet

21187

2 9900 WNG planning


Table 2-2 Data collection by the 9900 WNG Detector

Tapping into the networkThe 9900 WNG Detector passively monitors IP packets for 3GPP2/CDMA and 3GPP/UMTS networks as follows:

• 3GPP2/CDMA networks• PDSN and Home Agent • PDSN and AAA (accounting records only) (A11 interface to PDSN)

• 3GPP/UMTS networks• SGSN and GGSN

Tap feeds are mirrored from a router or switch at the tap points, and sent to the 9900 WNG Detector. Tap feeds that lose packets reduce the accuracy of the 9900 WNG Detector. This out-of-band capability of the 9900 WNG Detector means that any downtime is not service affecting to the network.

The 9900 WNG Detector can support four 1 Gb/s tap ports or one 10 Gb/s tap port. The 9900 WNG Detector can be configured with optical or copper SFPs (or a mix) tap ports to support 1000TX (copper), and 1000SX (multimode optical) physical tapping points.

If the number of tap feeds is greater than the number of ports available on the 9900 WNG Detector, you can use an external aggregator to condense multiple taps into the ports on the 9900 WNG Detector.

Network Data collected

3GPP2/CDMA • All incoming/outgoing subscriber data traffic • Simple IP • MIP: IP-IP tunneled

• Signaling traffic to relate IP traffic to subscriber/device/network elements• MIP signaling traffic • AAA accounting records (A11 signaling traffic)

3GPP/UMTS • All incoming/outgoing subscriber data traffic • mobile IP (MIP): IP-IP tunneled (GTP-U packets between SGSN and

GGSN) • Signaling traffic to relate IP traffic to subscriber/device/network elements

• AAA accounting records (GTP-C signaling packets between SGSN and GGSN)

Note Aggregated feeds that are mapped on a single tap port must not exceed the maximum line rate of the port, or packets are lost.

2 9900 WNG planning


Estimating 9900 WNG Detectors needed

To determine the number of required 9900 WNG Detectors, consider the following factors:

• geographic placement of tapping points to feed the 9900 WNG Detector• number of tapping points required to analyze the entire wireless network traffic

to capture all PDSN-to-HA and PDSN-to-AAA (accounting links) and PDSN A11 interface in a CDMA environment, and SGSN-to-GGSN links in a UMTS environment.

• anticipated number of simultaneous active subscriber sessions to observe at one 9900 WNG Detector and also collectively in the entire network as an appropriate product license is required. See chapter 6 for more information.

• anticipated traffic rate fed into one 9900 WNG Detector for analysis. In some cases, the captureVLAN CLI command can be used to restrict the number of packets fed into a 9900 WNG Detector by filtering the packet feed to only include the appropriate VLAN traffic that the Detector needs to analyze.

• the data rate of the events that are generated by one 9900 WNG Detector to the 9900 WNG Central must not exceed the data connection link for the management connection between the 9900 WNG Detector and 9900 WNG Central. The eventrate CLI command can be used to provide traffic limiting on this management link to match the physical link to provide smoothing of event feed to the 9900 WNG Central.

Estimating exact rules of deployment based on the above considerations depends on several factors and may change from deployment to deployment, the nature of traffic analyzed in the wireless network, and anticipated rate of traffic growth. Contact your Alcatel-Lucent technical support representative for support in planning your network deployment.

9900 WNG Detector specifications

The 9900 WNG Detector supports the following:

• up to four capture ports that can aggregate packets for analysis from traffic taps (unidirectional or bidirectional). A 9900 WNG Detector is equipped with either four ports with a maximum line rate of 1 Gb/s, or one port with a maximum line rate of 10 Gb/s.

• maximum packet processing of 2 million packets per second• up to 1 million simultaneous active subscriber data sessions monitored• up to 2 million simultaneous active flows monitored

Network technologyThe 9900 WNG Detector supports both CDMA and UMTS technologies.

2 9900 WNG planning


CDMA

The 9900 WNG Detector supports CDMA technology as per the 3GPP2 standards. This includes 1xRTT, EV-DO rev 0, and EV-DO rev A. The Detector can be used to analyze both MobileIP and SimpleIP sessions by decoding MobileIP signaling (PDSN-to-HA link) and AAA/RADIUS accounting records (PDSN-to-AAA link). The mode in which the Detector operates can be set with the deploymentMode command to process MobileIP only, SimpleIP only, or both MobileIP and SimpleIP sessions.

UMTS

In a UMTS environment, the Detector monitors the GPRS Tunneling Protocol (GTP) messages (GTP-C and GTP-U packets) across the Gn interface between the Serving GPRS Service Node (SGSN) and the Gateway GPRS Service Node (GGSN).

Determine location to view network activity

The location at which a Detector taps the network affects the type of data collected. The following are options for Detector placement:

• Southbound of the HA (CDMA)• Northbound of the PDSN (CDMA)• Southbound of the GGSN (UMTS)• Northbound of the SGSN (UMTS)

For 3GPP2/CDMA networks, the PDSN-AAA accounting records and optionally the A11 interface must be tapped and fed to the 9900 WNG Detector.

CDMA network activityYou can collect different types of data by installing the 9900 WNG Detector southbound of the HA or northbound of the PDSN in a CDMA network.

Southbound of the HA

Figure 2-3 shows a 9900 WNG Detector installed southbound of the HA in a CDMA network.

2 9900 WNG planning


Figure 2-3 Southbound of the HA (CDMA)

Placement southbound of the HA provides the following features and advantages:

• One 9900 WNG Detector can handle higher traffic loads from a larger section of the wireless service provider network (that is, several PDSNs) subject to the limits of the Detector specifications given earlier in this section of the document.

• The ability to observe the wireless service provider's own roaming subscribers' traffic when the subscribers are served by a “foreign” PDSN on a roaming partner network.

• The support for MobileIP only subscribers. SimpleIP traffic is not seen when deployed southbound of Home Agent.

• The ability to report on inter-PDSN traffic, which s includes inter-PDSN handoff reports and session state tracking capability across PDSNs.

Northbound of the PDSN

Figure 2-4 shows a 9900 WNG Detector installed northbound of the PDSN in a CDMA network.

Note When deployed southbound of the Home Agent, a separate tap or feed must be provided for the AAA/RADIUS accounting records and, optionally, for the A11 interface.

2 9900 WNG planning


Figure 2-4 Northbound of the PDSN (CDMA)

Placement of the 9900 WNG Detector northbound of the PDSN provides the following features and advantages:

• useful in large wireless networks where the amount of network traffic exceeds the capacity of one 9900 WNG Detector

• support can be provided for both MobileIP and SimpleIP data sessions served by the PDSN

• observation of all PDSN-to-AAA/RADIUS accounting records can be provided on the same tap point near the PDSN

• analyzes traffic for subscribers from roaming partners as they roam onto the network served by the PDSN

UMTS network activityYou can collect different types of data by installing the 9900 WNG Detector southbound of the GGSN or northbound of the SGSN in a UMTS network.

Note 1 Deploying northbound of the PDSN results in the appearance of a new session when a subscriber roams inter-PDSN. The HA handoff report is not applicable in this configuration.

Note 2 The placement of the 9900 WNG Detector should be such that one 9900 WNG Detector sees the MobileIP signaling or the AAA/RADIUS accounting signaling or both that corresponds to the bearer traffic that it observes. Optionally, the A11 interface may also be processed.

2 9900 WNG planning


Southbound of the GGSN (UMTS)

Figure 2-5 shows a 9900 WNG Detector installed southbound of the GGSN in a UMTS network.

Figure 2-5 Southbound of the GGSN (UMTS)

Placement southbound of the GGSN provides the following features and advantages:

• one 9900 WNG Detector can support higher traffic loads from a larger section of the wireless service provider network (several SGSNs) subject to the limits of the 9900 WNG Detector specifications

• ability to observe subscriber traffic when the subscriber is served by a SGSN on a roaming partner network.

• provides reports for inter-SGSN traffic, which includes inter-SGSN handoff reports and session state tracking capacity across SGSNs

Northbound of the SGSN

Figure 2-6 shows a 9900 WNG Detector installed northbound of the SGSN in a UMTS network.

2 9900 WNG planning


Figure 2-6 Northbound of the SGSN (UMTS)

Placement of the 9900 WNG Detector northbound of the SGSN provides the following features and advantages:

• useful in large wireless networks where the amount of network traffic exceeds the capacity of one 9900 WNG Detector

• analyzes traffic for subscribers from roaming partners as they roam onto the network served by the SGSN

Geographic configuration for 9900 WNG DetectorsIf multiple PDSNs for CDMA technology or multiple SGSNs for UMTS technology are co-located (geographic cluster), it is possible to configure a 9900 WNG Detector to serve multiple PDSNs or SGSNs, subject to the limits of the detector specifications given earlier in this document.

If PDSNs or SGSNs are not co-located, the options are to deploy one detector at each PDSN or SGSN location or to backhaul the mirrored traffic to a common shared detector. Equipping a detector for each of these PDSNs or SGSNs (even though not fully utilizing the bandwidth and session capacity of the 9900 WNG Detector) may be preferred when compared with the cost of backhaul of the mirrored traffic to a shared 9900 WNG Detector.

2 9900 WNG planning


2.5 IP addresses and port numbers planning

This section describes the IP addresses and port numbers that you need to configure the 9900 WNG.

9900 WNG Central interfacesThe 9900 WNG Central uses the following IP addresses:

• management interface IP address for providing GUI access, remote console access, Web-based Report access

• BMC (remote management) IP address is required for out-of-band management functions. This allows access to the 9900 WNG Central and Detectors for remote console and remote power cycle functions.

9900 WNG Detector interfacesThe 9900 WNG Detector uses the following IP addresses:

• management interface IP address to provide an interface to 9900 WNG Central from the 9900 WNG Detector.

• BMC (remote management) IP address is required for out-of-band management functions, which allows access to the 9900 WNG Central and Detectors for remote console and remote power cycle.

Additional interfacesIn addition to configuring the IP addresses of the 9900 WNG Central and Detector, the following IP addresses should be known in order to provide configuration for other features:

• IP address of NTP server for obtaining clock/time synchronization• IP address of SNMP network management server so that the 9900 WNG system

events can be reported to an external SNMP management server. SNMP reporting is optional.

• port numbers are required for accessing the 9900 WNG Central. The <central IP> in the following example is the address that is given to the 9900 WNG Central management port. The BMC IP address is the out-of-band management port that is used for remote console and remote power cycle.

IN:allow in from <ext> to <central IP> TCP port 22,80,443,3306,52802,52806 allow in from <ext> to <central IP> UDP port 161 [for snmp]allow in from <ext> to <BMC> TCP port 80,443 allow in from <ext> to <BMC IPs> TCP port 623allow in from <ext> to <BMC IPs> UDP port 623OUT:

Note DHCP is not used to obtain IP addresses to ensure correct and secure operation.

2 9900 WNG planning


allow out from <central IP> to <ext> UDP port 162 [for snmp]allow out from <central IP> to <ext> UDP port 123 [for NTP]<ext> = your external network/mask or specific IP<central IP> = IP of eth0 on 9900 WNG Central<BMC> = IPs of all the BMC modules in central and detector

2.6 Site preparation planning

This section describes site preparation considerations for the 9900 WNG system.

9900 WNG server and rack hardware specifications

The 9900 WNG Central and 9900 WNG Detectors can be rack-mounted, depending on the customer’s equipment configuration. A 19-inch or 23-inch rack is recommended. The assembly hardware (for example, mounting brackets, bolts, and nuts) and rack mount kit are included with the 9900 WNG or as orderable items, depending on the rack used. For ordering information, contact your Alcatel-Lucent technical support representative.

Table 2-3 Server dimensions

An additional clearance of 1.5 inches (38 mm) is required behind the server for cable bend allowance.

External disk array specifications

Table 2-4 describes the dimensions of the external disk array that is included with the 9900 WNG Central.

Table 2-4 External disk array dimensions

Dimension Value

Height 3.45 inches (87.6 mm)

Width 17.14 inches (435.3 mm)

Depth AC server: 21.25 inches (540 mm)DC server: 21.38 inches (543 mm)

Front clearance 2.0 inches (76 mm)

Side clearance 1.0 inches (25 mm)

Rear clearance 3.6 inches (92 mm)

Weight (base model) 35.0 lbs (15.8 kg)

Dimension Value

Height 3.39 inches (87.6 mm)

Width 17.66 inches (435.3 mm)

Depth 21.26 inches (540 mm)

(1 of 2)

2 9900 WNG planning


Rack-mount requirementsThe 9900 WNG Central and Detectors, and the external disk array that must be mounted in a customer-supplied rack.

• 19” racks supported are 2-post and 4-post racks with Electronic Industry Association (EIA) Universal and EIA wide hole spacing.

• 23” racks supported are 2-post and 4-post racks with EIA Universal, EIA wide and European Telecommunications Standards Institute (ETSI) hole spacing.

• The rack mount kits can be installed in 2-post racks with equipment mounting posts from 3 to 5 inches deep. The rack mount kits can be installed in 4-post racks with front equipment mounting rail to rear equipment mounting rail distance not exceeding 24 inches.

• Mounting hardware for 19” racks is included. • Mounting extension plates for 23” racks are included. These extension plates

allow the 19" rack mount system to be installed in a 23” frame.

Power requirements

Depending on the customer needs, the power supply is either DC (600 W) or AC. The AC and DC versions can be used in either an operations data center or a central office. Typically, data centers use the AC version and a central office uses the DC version.

The power supply (AC or DC) is redundant and is supplied on separate power buses.

Table 2-5 describes the power requirements.

Front clearance 30 inches (760 mm)

Rear clearance 24 inches (620 mm)

Weight (base model) 59.55 lbs (15.8 kg)

Dimension Value

(2 of 2)

2 9900 WNG planning


Table 2-5 Power requirements

Cabling requirements

The following describes the cabling requirements:

• Supplied: Power cables for the 9900 WNG Central and 9900 WNG Detector, and an SAS cable to connect the external disk array to the 9900 WNG Central

• Supplied equipment ground cables: The DC chassis provides two threaded studs for chassis enclosure grounding. A single 45° standard barrel #14 -10 AWG conductor/-6 AWG barrel must be used for proper safety grounding.

Component Description

DC power supply

9900 WNG Central and Detectors

• Maximum continuous output power: 604 W• Maximum continuous current output @ -48VDC: 12.6 A

• Peak power: 680 W• Peak current @ -48V: 14.2 A

• Chassis input voltage range: -40.0 to -60.0 V• Power supply: two hot swappable 600W power supplies• Number of power feeds: two pairs• Supplied DC power cable assemblies:

• Two 1-ft cables• Two 14-ft cables

• The power supply shuts down when input drops below 36 VDC and powers back up when DC input returns to >36 VDC.

External disk array • Input voltage range: -36 to -72 VDC• Power consumption: 530 W

• Current at -48 VDC: 11 A

AC power supply (optional)

9900 WNG Central and Detectors

• Maximum continuous power: 604 W• Maximum continuous current output @ 110VAC: 5.5 A• Maximum continuous current output @ 220VAC: 2.75 A

• Peak Power: 680 W• Peak current @ 110VAC: 6.2 A• Peak current @ 220VAC: 3.1 A

• Chassis input voltage range: 100-127 V or 200-240 V • Power supply: Two hot swappable 600 W AC power supplies• Number of power feeds: 2 pairs• Supplied AC power cable assembly:

• Two 6-foot US AC 110 V power cords

External disk array • Input voltage range: 90 to 264 VAC• Power consumption: 530 W

Power distribution center

Power distribution center

A power distribution unit is not required. However, if present, the fuse recommendation is 20A.

2 9900 WNG planning


• Optional: Fiber optic cables: Multi-mode fiber with LC connectors.These optional cables are available from Alcatel-Lucent.

• Ethernet cables: Shielded cat5e or better cables are recommended, grounded at both ends. For 1 GbE connections, Cat6 cable is recommended. The optional cables are available from Alcatel-Lucent.

Environmental requirements

Consider the following environmental requirements when are choosing a location for your 9900 WNG equipment.

Locating the equipment

The system is designed to operate in a typical office environment. Choose a site that is:

• clean, dry, and free of airborne particles (other than normal room dust)• well-ventilated and away from sources of heat including direct sunlight and

radiators• away from sources of vibration or physical shock• isolated from strong electromagnetic fields produced by electrical devices• in regions that are susceptible to electrical storms, we recommend you plug your

system into a surge suppressor and disconnect telecommunication lines to your modem during an electrical storm

• provided with a properly grounded wall outlet (AC) or appropriate power connections DC)

• provided with sufficient space to access the power supply cords

Temperature

The temperature in which the server operates when installed in an equipment rack must not go below 5°C (41°F) or rise above 35°C (95°F). Extreme fluctuations in temperature can cause a variety of problems in your server.

Ventilation

The equipment rack must provide sufficient airflow to the front of the server to maintain proper cooling. The rack must also include ventilation sufficient to exhaust a maximum of 1200 BTU/h for the server. The rack selected and the ventilation provided must be suitable to the environment in which the server is to be used.

2 9900 WNG planning



Hardware installation

3 Safety and regulatory specifications 3-1

4 9900 WNG Detector and Central server installation 4-1

5 Powering up, powering down, and resetting 9900 WNG components 5-1



3 Safety and regulatory specifications

3.1 Safety hazards 3-2

3.2 Product use and safety guidelines 3-3

3.3 Regulatory specifications 3-6



3.1 Safety hazards

Hazard statements describe the safety risks relevant while performing tasks on Alcatel-Lucent products during deployment and/or use. Failure to avoid the hazards may have serious consequences.

Signal wordsThe signal words that identify the hazard severity levels are described in Table 3-1.

Table 3-1 Signal words for hazard severity

Signal word Description

DANGER Indicates an imminently hazardous situation (high risk) which, if not avoided, results in death or serious injury.

WARNING Indicates a potentially hazardous situation (medium risk) which, if not avoided, could result in death or serious injury.

CAUTION Indicates a potentially hazardous situation (low risk) which, if not avoided, may result in personal injury or property damage, such as service interruption or damage to equipment or other materials.



General hazard statementsGeneral hazard statements provide information about hazards that may arise in the course of your work, but are not necessarily related to a specific procedure.

3.2 Product use and safety guidelines

The 9900 WNG was evaluated for use in a Telecommunication Central Office environment.

Heed safety instructionsBefore working with the 9900 WNG Central or Detector, whether you are using this guide or any other resource as a reference, pay close attention to the safety instructions. You must adhere to the assembly instructions in this guide to ensure and maintain compliance with existing product certifications and approvals. Use only the described, regulated components specified in this guide. Use of other products components voids the UL listing and other regulatory approvals of the product and most likely result in noncompliance with product regulations in the regions in which the product is sold.

Danger This equipment generates high leakage current. This can lead to high voltages with respect to ground for accessible parts of the installation. Contact with these parts can cause serious health effects, possibly including death, even hours after the event.

This equipment is only suited for permanent connection. Before connecting the power supply, establish a grounding connection.

Caution Components can be damaged by static discharges.

The following rules must be followed when handling any module containing semiconductor components:

• wear conductive or antistatic working clothes (for example, a coat made of 100% cotton)

• wear the grounded wrist strap• wear shoes with conductive soles on a conductive floor surface or

conductive workmat• leave the modules in their original packaging until ready for use• ensure that there is no difference in potential between yourself, the

workplace, and the packaging before removing, unpacking, or packing a module

• hold the module only by the grip without touching the connection pins, tracks, or components

• place modules removed from the equipment on a conductive surface

• test or handle the module only with grounded tools on grounded equipment

• handle defective modules exactly like new ones to avoid causing further damage



System power on and offThe power button does not turn off the system AC power. To remove power from system, you must unplug the AC power cord from the wall outlet. Make sure the AC power cord is unplugged before you open the chassis, add, or remove any components.

Hazardous conditions, devices, and cablesHazardous electrical conditions may be present on power, telephone, and communication cables. Turn off the 9900 WNG Central or Detector and disconnect the power cord, telecommunications systems, networks, and modems attached to the 9900 WNG Central or Detector before opening it. Otherwise, personal injury or equipment damage can result.

ESD and ESD protectionESD can damage disk drives, boards, and other parts. We recommend that you perform all procedures in this chapter only at an ESD workstation. If one is not available, provide some ESD protection by wearing an antistatic wrist strap attached to chassis ground any unpainted metal surface on the 9900 WNG Central or Detector when handling parts.

ESD and handling boardsAlways handle boards carefully. They can be extremely sensitive to ESD. Hold boards only by their edges. After removing a board from its protective wrapper or from the 9900 WNG Central or Detector, place the board component side up on a grounded, static free surface. Use a conductive foam pad if available but not the board wrapper. Do not slide board over any surface.

Installing or removing jumpersA jumper is a small plastic encased conductor that slips over two jumper pins. Some jumpers have a small tab on top that you can grip with your fingertips or with a pair of fine needle nosed pliers. If your jumpers do not have such a tab, take care when using needle nosed pliers to remove or install a jumper; grip the narrow sides of the jumper with the pliers, never the wide sides. Gripping the wide sides can damage the contacts inside the jumper, causing intermittent problems with the function controlled by that jumper. Take care to grip with, but not squeeze, the pliers or other tool you use to remove a jumper, or you may bend or break the pins on the board.

Equipment handling practicesReduce the risk of personal injury or equipment damage:

• Conform to local occupational health and safety requirements when moving and lifting equipment.

• Use mechanical assistance or other suitable assistance when moving and lifting equipment.

• To reduce the weight for easier handling, remove any easily detachable components.



• A microprocessor and heat sink can be hot if the system has been running. Also, there can be sharp pins and edges on some board and chassis parts. Contact should be made with care. Consider wearing protective gloves.

• Danger of explosion if the battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to manufacturer’s instructions.

Safety stepsWhenever you remove the chassis covers to access the inside of the system, follow these steps:

• Turn off all peripheral devices connected to the system.• Turn off the system by pressing the power button.• Unplug all AC power cords from the system or from wall outlets.• Label and disconnect all cables connected to I/O connectors or ports on the back

of the system.• Provide electrostatic discharge (ESD) protection by wearing an antistatic wrist

strap attached to chassis ground of the system—any unpainted metal surface—when handling components.

After you have completed the safety steps, remove the system covers. To do this:

• Unlock and remove the padlock from the back of the system if a padlock has been installed.

• Remove and save all screws from the covers.• Remove the covers.

Cooling and airflowFor proper cooling and airflow, always reinstall the chassis covers before turning on the system. Operating the system without the covers in place can damage system parts. To install the covers:

• Check first to make sure you have not left loose tools or parts inside the system.• Check that cables, add-in boards, and other components are properly installed.• Attach the covers to the chassis with the screws removed earlier, and tighten them

firmly.• Insert and lock the padlock to the system to prevent unauthorized access inside

the system.• Connect all external cables and the AC power cords to the system.

Power supplyThe power supply in this product contains no user-serviceable parts. There may be more than one supply in this product. Refer servicing only to qualified personnel.



Power cord warningsIf an AC power cord was not provided with your product, purchase one that is approved for use in your country.

• To avoid electrical shock or fire, check the power cords to be used with the product as follows:

• Do not attempt to modify or use the AC power cords if they are not the exact type required to fit into the grounded electrical outlets.

• The power cords must meet the following criteria:• The power cord must have an electrical rating that is greater than that of the

electrical current rating marked on the product.• The power cord must have safety ground pin or contact that is suitable for the

electrical outlet.• The power supply cords are the main disconnect device to AC power. The socket

outlets must be near the equipment and readily accessible for disconnection.• The power supply cords must be plugged into socket-outlets that are provided

with a suitable earth ground.• Do not attempt to modify or use the supplied AC power cord if it is not the exact

type required. A product with more than one power supply has a separate AC power cord for each supply.

Equipment rack anchoringThe equipment rack must be anchored to an unmovable support to prevent it from falling over when one or more 9900 WNG Central or Detectors are extended in front of the rack on slides. You must also consider the weight of any other device installed in the rack. A crush hazard exists should the rack tilt forward, which can cause serious injury.

3.3 Regulatory specifications

The 9900 WNG meets the specifications and regulations for safety and EMC described in this chapter.

Product Safety ComplianceThe 9900 WNG complies with the following safety requirements:

• USA/Canada: UL 60950-1, 1st Edition/CSA 22.2• Europe: Low Voltage Directive 2006/95/EC to EN60950-1, 1st Edition

Product EMC Compliance - Class A ComplianceThe 9900 WNG has been has been tested and verified to comply with the following electromagnetic compatibility (EMC) regulations:

• USA: FCC 47 CFR Parts 2 and 15, Verified Class A Limit• Canada: IC ICES-003 Class A Limit• International: CISPR 22, Class A Limit, CISPR 24 Immunity Electromagnetic

Compatibility Notices



• Europe:• EMC Directive, 2004/108/EEC• EN 300-386 - Electromagnetic Compatibility and Radio spectrum Matters (ERM)• EN55022, Class A Limit, Radiated & Conducted Emissions• EN55024 Immunity Characteristics for ITE• EN61000-4-2 ESD Immunity (level 2 contact discharge, level 3 air discharge)• EN61000-4-3 Radiated Immunity (level 2)• EN61000-4-4 Electrical Fast Transient (level 2)• EN61000-4-5 Surge• EN61000-4-6 Conducted RD• EN61000-3-2 Harmonic Currents• EN61000-3-3 Voltage Flicker




4 9900 WNG Detector and Central server installation

4.1 9900 WNG Detector and Central server installation overview 4-2

4.2 Power requirements 4-3

4.3 Receiving the shipment 4-5

4.4 Installing the 9900 WNG server in a rack 4-6

4.5 Grounding a DC-powered server 4-15

4.6 Connecting the cables 4-17



4.1 9900 WNG Detector and Central server installation overview

You or an Alcatel-Lucent technical support representative can perform the hardware installation. The following tasks are part of hardware installation:

• preparation of racks or cabinets for installation of 9900 WNG Central and Detector servers

• installation of the 9900 WNG Central, Detector, and the external disk array into the racks

• connecting the 9900 WNG Central and 9900 WNG Detector server to an existing network

See chapter 7 for more information about the mandatory configuration procedures for the 9900 WNG.

Table 4-1 lists the tasks that you must perform to install the 9900 WNG Central Detectors, in the order that you need to perform them.

Table 4-1 9900 WNG installation tasks

Required hardware

Table 4-2 describes the hardware that is required for installing 9900 WNG Central and Detector.

Table 4-2 Hardware requirements for the 9900 WNG Central and Detectors

Task See section

Set up the required AC or DC power supplies 4.2

Install the 9900 WNG Central and Detector using the appropriate rack mounts 4.4

Ground the servers, if you are using a DC power supply 4.5

Connect the 9900 WNG to your OAM and traffic networks 4.6

Equipment Description

WNG Central Server (1) The 9900 WNG Central server

WNG Detector Server (1) The 9900 WNG Detector is a NEBS-3 and ETSI certified product which is suited for a host of applications in the Telecom Central Office and industrial environment. (1)

External disk array An external redundant data storage device for the 9900 WNG Central.

Ethernet cables (2) Cat5e or better:Various lengths for direct connections Cables must be shielded and grounded at both ends.

Transceiver Copper or optical transceivers are required for the ports on the packet capture card. See section 4.6 for more information about ports on the packet capture card.

(1 of 2)



Notes(1) 9900 WNG equipment is delivered with the required software installed.(2) Contact your Alcatel-Lucent technical support representative for ordering information.

4.2 Power requirements

This section describes the power requirements of the 9900 WNG for both AC and DC power supplies.

AC power supplies

Table 4-3 describes the requirements for AC power.

Table 4-3 AC power requirements

SAS cable A SAS cable used to connect the 9900 WNG Central to the external disk array.

Mounting rack for servers 19-inch mounting brackets and 23-inch adapters

Power supply cable Two 6-foot US 110V AC power cable

Fiber optic cables (optional)

Various lengths:• 50/125 µm multi-mode fiber (MMF), Duplex LC-SC connectors• 50/125 µm multi-mode fiber (MMF), Duplex LC-ST connectors• 50/125 µm multi-mode fiber (MMF), Duplex LC-LC connectors

Equipment Description

(2 of 2)


Main AC Voltage The AC line voltage source must be 50 or 60 Hz, and have a voltage of 100 to 127 VAC for 110 V operation or between 200 and 240VAC for 220V operation.

Continuous power The 9900 WNG has the following continuous AC power requirements:• maximum continuous output power: 604W• maximum continuous current: 5A

Peak power The 9900 WNG has the following peak AC power requirements:• maximum peak output power: 680W• maximum peak current: 5.6A

Main AC power connection

The AC power cords are considered the main connection for the server and must be readily accessible. If the individual server power cords are not readily accessible, then you must install an AC power connection for the entire rack unit. This main connection must be readily accessible, and it must be labeled as controlling power to the entire rack, not just to the servers.

Grounding the rack installation

To avoid the potential for an electrical shock hazard, you must include a third wire safety ground conductor with the rack installation. If the server power cord is plugged into an AC outlet that is part of the rack, then you must provide proper grounding for the rack itself. If the server power cord is plugged into a wall AC outlet, the safety ground conductor in the power cord provides proper grounding only for the server. You must provide additional, proper grounding for the rack and other devices installed in it.

(1 of 2)



DC power supplies

The server with DC input is to be installed in a Restricted Access Location in accordance with articles 110-16, 110-17, and 110-18 of the National Electric Code, ANSI/NFPA 70.

The DC source must be electrically isolated from any hazardous AC source by double or reinforced insulation. The DC source must be capable of providing up to 300 W of continuous power per feed pair.

Table 4-4 describes the requirements for DC power.

Over-current protection

The equipment is designed for an AC line voltage source with up to 20 A of over-current protection per cord feed. If the power system for the equipment rack is installed on a branch circuit with more than 20 A of protection, you must provide supplemental protection for the server. The overall current rating of a configured server is less than 6 amperes.

External disk array The external disk array has the following AC power requirements:• power source voltage: 120VAC• power consumption: 530W• current: 4.5A

Note Do not modify or use an AC power cord set that is not the exact type required. You must use a power cord set that meets the following criteria:

• Rating: In the U.S. and Canada, cords must be UL listed or CSA certified type SJT, 18-3 AWG. Outside of the U.S. and Canada, cords must be flexible and meet standards for that region.

• Connector, wall outlet end: Cords must be terminated in grounding-type male plug designed for use in your region. The connector must have certification marks showing certification by an agency acceptable in your region. For U.S., the connector must be listed and rated for 125% of the overall current rating of the server.

• Connector, server end: The connectors that plug into the AC receptacle on the server must be an approved IEC 320, sheet C13, type female connector.

• Cord length and flexibility: Cords must be less than 4.5 m (14.8 ft) long.


(2 of 2)

Caution Connection with a DC source should only be performed by trained service personnel.



Table 4-4 DC power requirements

4.3 Receiving the shipment

Procedure 4-1 describes how to inspect a 9900 WNG package.


Main DC Voltage Redundant DC power feeds are supported for high reliability. The 9900 WNG requires a -48V DC power source.

Continuous power The 9900 WNG has the following continuous DC power requirements:• maximum continuous output power: 604W• maximum continuous current: 12.6A

Peak power The 9900 WNG has the following peak DC power requirements:• maximum peak output power: 680W• maximum peak current: 14.2A

Main DC power connection

The UL-listed circuit breaker of a centralized DC power system may be used as a disconnect device when easily accessible and must be rated no more than 10 A.

Grounding the server

This server is intended for installation with an isolated DC return (DC-I) and is to be installed in a CBN per NEBS GR-1089. To avoid the potential for an electrical shock hazard, you must reliably connect an earth grounding conductor to the server. The earth grounding conductor must be a minimum 6 AWG connected to the earth ground studs on the rear of the server. The safety ground conductor must be connected to the chassis stud with a Listed closed two-hole crimp terminal having 5/8-inch pitch. The nuts on the chassis earth ground studs must be installed with a 10 in-lbs of torque. The safety ground conductor provides proper grounding only for the server. You must provide additional, proper grounding for the rack and other devices installed in it.

Over-current protection

Over-current protection UL-listed circuit breakers must be provided as part of each host equipment rack and must be incorporated in the field wiring between the DC source and the server. The branch circuit protection is rated minimum 75 VDC, 10A maximum per feed pair. If the DC power system for the equipment rack is installed with more than 10 A of protection, you must provide supplemental protection for the server. The overall current rating of a maximum configured server is 8 A.

External disk array The external disk array has the following DC power requirements:• power source voltage: -48V• power consumption: 530W• current: 11A



Procedure 4-1 To inspect a 9900 WNG package

The following are assumptions:

• The delivery receipt is available to check against the contents that you received.

• The 9900 WNG Central and Detector are packaged separately, each in their own carton.

1 Check that all materials that are noted on the packing slip are accounted for.

2 Visually inspect the package to be sure there is no visible damage to the shipping container.

3 Perform one of the following:

a If the server is damaged, record the problems on the shipping manifest and report the damage to the transport company.

b If server is not damaged go to step 4.

4 Carefully remove the chassis from the carton. If you use a box cutter to cut the outer carton, exercise caution and ensure that you do not damage the chassis.

5 Remove the anti-static bag that surrounds the chassis only when you are ready to install the chassis.

4.4 Installing the 9900 WNG server in a rack

You can install the 9900 WNG Central or Detector to a rack or cabinet.

PrerequisitesEnsure the following:

• secure all tools for anchoring and installing the brackets and rack• follow all safety instructions• verify that the rack is properly bolted and braced and is well grounded to a

grounding electrode• refer to the rack manufacturer documentation for instructions

Danger Ensure the following safety measures are taken:

• Only trained and qualified personnel should anchor and install the rack.

• Only trained and qualified personnel should mount the chassis.• Always wear an electrostatic discharge (ESD) preventive wrist or

ankle strap in contact with bare skin. Always connect the ESD strap with a banana plug to a proper ESD grounding point, typically located off the front of the equipment rack.



Rack installation

Each 9900 WNG server includes a rack mount kit to install the server in a 19-in rack, with four extension brackets to support a 23-in rack. Procedure 4-2 describes how to assemble the rack mount for a 4-post rack. Procedure 4-3 describes how to assemble the rack mount for a 2-post rack.

Procedure 4-2 To install the 9900 WNG in a 4-post rack

Before you begin to install your system in the rack, carefully read any safety instructions, cautions and warnings that are associated with the installation activities.

• If you are installing more than one system, install the first system in the lowest available position in the rack.

• Because of the size and weight of the system, never attempt to install the system in the mounting rails by yourself.

1 Attach the two inner rails (marked LEFT and RIGHT) to the chassis, each with three 8-32x1/4 SEMS screws, as shown in Figure 4-1.

Figure 4-1 Attaching inner rails to the 9900 WNG

2 Attach the universal front mounting bracket to the chassis, each with two 8-32x1/4 SEMS screws.

Caution Before you install systems in a rack, install the front and side stabilizers on stand-alone racks or the front stabilizer on racks joined to other racks. Failure to install stabilizers accordingly before installing systems in a rack could cause the rack to tip over, potentially resulting in bodily injury under certain circumstances. Always install the stabilizers before installing components in the rack.

Note The universal front mounting bracket can be flipped to position the system further forward in the rack, as shown in Figure 4-2.



Figure 4-2 Universal front mounting bracket

3 Using two 8-32 KEPS nuts per L-bracket, assemble L-brackets to the outer rail's four outermost threaded studs. (Installation kit contains both EIA and ETSI L-brackets.) 23-in. Figure 4-3 shows the EIA L-brackets.

Figure 4-3 Outer rail assembly (EIA L-brackets)



4 Install the outer rail subassemblies into the rack using ten or twelve (19" or 23" kits, respectively) 10-32x1/2 SEMS screws. If bar-nuts are used, they must be installed such that all threads are aligned vertically, ensuring the center hole is not skewed with respect to the holes on the rack rail. Figure 4-4 shows the mounting bracket assembly.

Figure 4-4 Mounting bracket assembly

5 Slide the system into the rack making sure the inner rails are captured by the outer rails. Support the weight of the system until the lock features on the inner rails engage with the slot features on the outer rails. An audible click is heard. Figure 4-5 shows how to insert the 9900 WNG.

Note 1 If mounting a 1U system in a 1U confined space, four 2U bar-nuts are included to replace the 1U bar-nuts. The 2U bar-nuts need to be installed in the 1U space either above or below the 1U space where this kit is being mounted. When installing multiple 1U systems, the 2U bar-nuts must be used in the next to last kit.

Note 2 L-brackets must be adjusted front-to-back to fit rack depth. The distance between the front equipment mounting rail and rear equipment mounting rail cannot exceed 24 inches.

Note 3 Mounting brackets must be adjusted based on rack depth.



Figure 4-5 Inserting the 9900 WNG

Figure 4-6 9900 WNG lock features

6 Install two 10-32X1/2 SEMS screws to hold the universal front mounting brackets to either the L-brackets or the rack's equipment mounting rails (23-in. or 19-in., respectively). Figure 4-7 shows the 9900 WNG installed using mounting brackets.

Note After engaged, the lock features must be released to remove the system from the rack. To release the lock features, depress the two latches with the blue arrows (one on either side) downward. While depressing the lock features and supporting the system weight, pull the system out. Pressure can be released after the lock features disengage from the outer rail. Figure 4-6 shows the lock features.



Figure 4-7 Installing the 9900 WNG using mounting brackets

Figure 4-8 EIA wide adapter bracket installation

Procedure 4-3 To install the 9900 WNG in a 2-post rack

1 Attach the two inner rails (marked LEFT and RIGHT) to the chassis, each with three 8-32x1/4 SEMS screws.

2 Attach the universal front mounting bracket to the chassis, each with two 8-32x1/4 SEMS screws, as shown in Figure 4-9.

Note If installing into a 19-inch 4-post rack that has EIA wide hole spacing, the EIA wide adapter bracket must be used. Install this bracket onto the face of the L-brackets using the same 10-32x1/2 SEMS screws that fasten the L-brackets to the rack's front equipment mounting rails. Figure 4-8 shows the EIA wide adapter bracket.



Figure 4-9 Attaching mounting brackets to the 9900 WNG

Figure 4-10 Universal front mounting bracket

3 Using three 8-32 KEPS nuts per L-bracket, assemble the appropriate L-brackets and the 2-post mounting bracket to the outer rail. (The kit contains both EIA and ETSI L-brackets.) The 2-post mounting bracket is installed onto the two front-most studs, overlapping the front L-bracket and sharing two threaded studs with it. 23-inch EIA L-brackets are shown in Figure 4-11.

Note The universal front mounting bracket can be flipped to locate the system further forward in the rack, as shown in Figure 4-10.



Figure 4-11 EIA L-bracket assembly

4 Install the two outer rail subassemblies in the rack using twelve 10-32x1/2 SEMS screws or other appropriate fasteners. If bar-nuts are used, they must be installed such that all threads are aligned vertically, ensuring the center hole is not skewed with respect to the holes on the rack rail. Figure 4-12 shows the outer rail subassemblies.

Figure 4-12 Outer rail subassemblies

5 Slide the system into the rack making sure the inner rails are captured by the outer rails. Support the weight of the system until lock features on the inner rails engage with the slot features on the outer rails, as shown in Figure 4-13. An audible click is heard.

Note 1 If mounting a 1U system in a 1U confined space, four 2U bar-nuts are included to replace the 1U bar-nuts. The 2U bar-nuts need to be installed in the 1U space either above or below the 1U space where this kit is being mounted. When installing multiple 1U systems, the 2U bar-nuts must be used in the next to last kit.

Note 2 L-Brackets must be adjusted front-to-back to fit rack channel depth.



Figure 4-13 Inserting the 9900 WNG

Figure 4-14 9900 WNG lock features

6 Install two 10-32X1/2 SEMS screws to hold the universal front mounting bracket to the 2-post mounting bracket, as shown in Figure 4-15.

Note After engaged, the lock features must be released to remove the system from the rack. To release the lock features, depress the two latches with the blue arrows (one on either side) downward. While depressing the lock features and supporting the system weight, pull the system out. Pressure can be released after the lock features disengage from the outer rail. Figure 4-14 shows the lock features.



Figure 4-15 Attaching the 2-post mounting bracket

4.5 Grounding a DC-powered server

9900 WNG equipment powered using a DC power supply must be properly grounded. The ground terminal cable has the following requirements:

• The copper wire that is used for grounding must be a 6 AWG copper wire.• Double lug terminals must have 45° angle tongue.• The ring terminal must have an inner diameter of 1/4 inch (5 to 7 mms) on a 5/8

inch (1.5875 cm) spacing with a width of 0.48 inches.

Figure 4-16 Grounding terminals: 9900 WNG rear view

The length of the grounding wire depends on the location of the router and the proximity to proper grounding facilities. Two grounding screws are located on the rear side of the server.

See section 4.2 for more information about DC power connections.



Prerequisites and safety precautionsThe ground wire has the following requirements:

• The server must be connected to a reliable earth ground. The earth ground wire must be installed in accordance with local safety standards.

• The server ground wire must be connected directly to the cabinet or frame ground which is ultimately connected to earth ground. Do not connect the server ground point to the VRTN path of the DC supply.

See section 3.2 for more information about safety requirements.

Procedure 4-4 To prepare the ground wire

1 Using a wire-stripping tool, strip the insulation from the wire.

2 Slide the open end of the ground lug (accessory box) over the exposed area of the prepared wire.

3 Using a crimping tool, crimp the ground lug to the wire.

Procedure 4-5 To ground the server

1 Remove the nuts and washers from the ground lugs on the rear side of the server, on the top left side.

2 Using the prepared ground wire, place the ground lug through the two server ground screws.

3 Install locking washers and nuts. Torque the nuts to 10 in-lbs.

4 Connect the opposite end of the grounding cable to the appropriate grounding point at your site to ensure adequate server ground according to local safety codes.

Danger 1 Before powering-up the shelf, ensure the ground terminals are connected to the protective PE of the building.

Danger 2 Ensure the power is turned off before making power connections, and after the power connection is made, do not touch the power terminals.



4.6 Connecting the cables

The cable connections required for the 9900 WNG depend on the configuration of your network and the external ports on your 9900 WNG Detector devices. In general, you need to create the following cable connections:

• a connection between the 9900 WNG Central and any associated 9900 WNG Detectors, either through a network or a direct cable connection

• a connection that provides the 9900 WNG Detector with an appropriate network traffic feed. See chapter 2 for more information about tap points and the network traffic feed.

• a connection between the 9900 WNG Central and the external disk drive• an optional connection between the 9900 WNG Central and a separate BMC

lights-out management network• an optional connection between the 9900 WNG Detector and a separate BMC

lights-out management network

Figure 4-17 shows the cable connections for a 9900 WNG system where the 9900 WNG Detectors are connected to the 9900 WNG Central using a LAN.

Figure 4-17 9900 WNG cable requirements using a LAN

Figure 4-18 shows the cable connections for a 9900 WNG system where a 9900 WNG Detector is connected directly to the 9900 WNG Central using a cross-over cable.

9900 WNG Central

Managementnetwork

External disk drive

Ethernet cable

Ethernet cable

Network Traffic

Tap points

SAS cable

9900 WNG Detector

1

LAN

2

12

9900 WNGDetector

9900 WNGDetector

21209



Figure 4-18 9900 WNG cable requirements using a direct connection

9900 WNG Central external ports

Table 4-5 describes the external ports on the 9900 WNG Central.

Table 4-5 9900 WNG Central external ports

9900 WNG Detector external ports

Table 4-6 describes the external ports on the 9900 WNG Detector.

9900 WNG Central

Managementnetwork

External disk drive

Ethernet cable Ethernet cable

Network Traffic

Tap points

SAS cable

9900 WNG Detector

1

LAN

2

12

9900 WNGDetector

9900 WNGDetector

21210

External port Function

Ethernet port 1 Provides access to the 9900 WNG Central GUI, CLI, and web-based reports. The port can be connected to a network that provides communication between the 9900 WNG Central and any 9900 WNG Detectors. This port can also be used to connect to a BMC lights-out management network.

Ethernet port 2 Used to connect the 9900 WNG Central to a 9900 WNG Detector or a BMC lights-out management network. If neither of these connections are required, then the port is unused.

SAS port Used to connect the 9900 WNG Central to an external disk array



Table 4-6 9900 WNG Detector external ports

Cable connectionsPerform Procedure 4-6 to connect cables to 9900 WNG Detector servers. Perform Procedure 4-7 connect cables to a 9900 WNG Central server

Procedure 4-6 To connect cables for a 9900 WNG Detector

1 Connect a Ethernet cable to Ethernet port 1 on the 9900 WNG Detector. If you are directly connecting to a 9900 WNG Central, use a cross-over cable. If you are connecting to a router or patch panel, use a straight cable.


a To connect the 9900 WNG Detector to a management LAN, connect the other end of the Ethernet cable to a router or patch panel.

b To connect the 9900 WNG Detector directly to the 9900 WNG Central, connect the other end of the Ethernet cable to Ethernet port 2 on the 9900 WNG Central.

3 If you are using a separate BMC lights-out management network, connect the Ethernet cable for the BMC network to Ethernet port 2 on the 9900 WNG Detector.

4 Connect cables for designated network taps in your network to the ports on the capture card. The ports available, and the cables required, depend on the capture card that is installed in the 9900 WNG Detector.

5 Repeat steps 1 to 4 for all other 9900 WNG Detectors.

External port Function

Ethernet port 1 Used to connect the 9900 WNG Detector to the 9900 WNG Central, either using a network or directly using a cross-over cable

Ethernet port 2 Can be used to connect the 9900 WNG Detector to a BMC lights-out management network

Packet capture card Used to connect the 9900 WNG Detector to a network traffic feed. A packet capture card has one of the following sets of ports:• one 10Gb/s port, which requires an XFP optical transceiver• four 1Gb/s copper SFP ports• four 1Gb/s optical SFP ports

Caution Connecting the 9900 WNG to a router is only recommended if the 9900 WNG and the router are on the same grounding plane, either isolated or integrated. Otherwise, Alcatel-Lucent recommends using a demarcation patch panel, and the Ethernet cable shields must terminate at the ground.



Procedure 4-7 To connect cables for a 9900 WNG Central server

1 Connect the 9900 WNG Central to your OAM network by performing the following:

i Connect an Ethernet cable to Ethernet port 1 on the 9900 WNG.

ii Connect the other end of the cable to a router or patch panel in your OAM network.

2 If you need to connect the 9900 WNG Central directly to a 9900 WNG Detector, perform the following:

i Connect a cross-over Ethernet cable to Ethernet port 2 on the 9900 WNG Central.

ii Connect the other end of the cable to Ethernet port 1 on the 9900 WNG Detector.

3 If you need to connect the 9900 WNG Central to a separate BMC lights-out management network, perform the following:

i Connect an Ethernet cable to Ethernet port 2 on the 9900 WNG Central

ii Connect the other end of the cable to a router or patch panel in your maintenance network.

4 Connect the 9900 WNG Central to the external disk array using a mini-SAS cable.

Connecting power cablesConnect the power cables to each server and the power source. See chapter 5 for information about how to power up the system.

Note You cannot connect the 9900 WNG Central to a separate BMC lights-out management network and directly to a 9900 WNG Detector at the same time, as both connections use Ethernet port 2.


5 Powering up, powering down, and resetting 9900 WNG components

5.1 Powering up and down the 9900 WNG Central and Detector overview 5-2

5.2 Powering up and down the 9900 WNG Central 5-2

5.3 Powering up and down a 9900 WNG Detector 5-4

5.4 Powering up, powering down, or resetting the 9900 WNG Detector or Central using the BMC device 5-5



5.1 Powering up and down the 9900 WNG Central and Detector overview

You can power up, power down, and reset the 9900 WNG Central and Detector servers.

Powering up the 9900 WNG Central and DetectorYou can power up a 9900 WNG Central or Detector locally by using the power switch on the control panel of the 9900 WNG Central and Detector server. The power switch controls the system power.

Powering down the 9900 WNG Central and DetectorYou can power down a 9900 WNG Central or Detector on the 9900 WNG Central or Detector and using a CLI command. You must have the sudo role to power down a 9900 WNG Central or Detector.

5.2 Powering up and down the 9900 WNG Central

Perform Procedure 5-1 to power up a 9900 WNG Central. You can also power up the 9900 WNG Central remotely using the BMC device, as described in section 5.4.

Perform Procedure 5-2 to power down the 9900 WNG Central server.

Procedure 5-1 To power up 9900 WNG Central

1 Ensure that the unit is plugged in and that the power cables are connected.

2 Locate the power switch on the control panel. The control panel is located in the front panel of the 9900 WNG Central, on the top right corner. Figure 5-1 shows the 9900 WNG Central Control panel.



Figure 5-1 9900 WNG Central control panel

3 Press and release the power switch. The following LEDs are green:

• NIC LED• PWR LED

Procedure 5-2 To power down the 9900 WNG Central

1 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2.

2 Power down the 9900 WNG Central by typing:

system shutdown ↵

The following in an example of the output:

Broadcast message from root (pts/2) (Fri Jan 18 09:21:31 2008):

The system is going down for system halt NOW!



5.3 Powering up and down a 9900 WNG Detector

Perform Procedure 5-3 to power up a 9900 WNG Detector device. You can also power up the server remotely using the BMC device, as described in section 5.4.

Perform Procedure 5-4 to power down a 9900 WNG Detector device.

Procedure 5-3 To power up a 9900 WNG Detector

This procedure takes approximately 5 min to complete.

1 Ensure that the unit is plugged in and that the power cables are connected.

2 Locate the power switch on the control panel. The control panel is located on the front panel of the 9900 WNG Detector device, on the upper-right corner. Figure 5-2 shows the 9900 WNG Detector Control panel.

Figure 5-2 9900 WNG Detector Control panel

3 Press and release the power switch. The following LEDs are green:

• NIC LED• PWR LED



Procedure 5-4 To power down the 9900 WNG Detector


2 Access the Detector tab on the Topology view to obtain the IP address of the 9900 WNG Detector to power down by typing:

detector detectorname ↵

where detectorname is the name or IP address of a 9900 WNG Detector

3 Power down the 9900 WNG Detector by typing:

system shutdown ↵

The following is an example of the output:

Broadcast message from root (pts/1) (Fri Jan 18 09:20:27 2010):

The system is going down for system halt NOW!

Connection to 1.1.1.2 closed.

5.4 Powering up, powering down, or resetting the 9900 WNG Detector or Central using the BMC device

Perform Procedure 5-5 to power up, power down, or reset a 9900 WNG Detector Central using the BMC device.

Procedure 5-5 To power up, power down, or reset a 9900 WNG Detector or Central using the BMC device

1 Ensure that the following tasks have been completed:

• The BMC interface has been configured, as described in Procedure 7-2.• The IPMI management utility has been installed on the machine (Linux or

Windows) from which you need to access the BMC.

2 Power up, power down, or reset a 9900 WNG Detector or Central by typing:

hwreset [-d|u|c] -N nodename -U admin -P password ↵

The following example shows the hwreset command that was used to power down a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin:

hwreset -d -N 1.1.1.2 -U admin -P admin ↵

hwreset ver 1.30

Opening connection to node 1.1.1.2...

-- BMC version 0.62, IPMI version 2.0



hwreset: powering down ...

chassis_reset ok

hwreset: IPMI_Reset ok

hwreset: completed successfully

The following example shows the hwreset command that was used to power up a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin:

hwreset -u -N 1.1.1.2 -U admin -P admin

hwreset ver 1.30




chassis_reset ok



The following example shows the hwreset command that was used to reset or power cycle a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin.

hwreset -c -N 1.1.1.2 -U admin -P admin

hwreset ver 1.30




chassis_reset ok




Commissioning

6 License requirements 6-1

7 Mandatory configuration procedures 7-1



6 License requirements

6.1 Licensing overview 6-2

6.2 Obtaining a license file 6-3

6.3 Installing the license file on the 9900 WNG Central 6-3



6.1 Licensing overview

A valid product activation license file must be obtained and installed on the 9900 WNG Central. The license file determines the releases of the 9900 WNG that can be installed. The license file supports specific releases of the 9900 WNG. For example, if you have a license file for Release 2.1, you can install the 9900 WNG, Release 2.1 or earlier; a release later than 2.1 is not supported.

Typically, the license file is already installed on your system, but you can obtain the license file by contacting your Alcatel-Lucent account representative.

Table 6-1 describes the parameters that are in the license file.

Table 6-1 License file

See chapter 35 for information about how to view the current license status and license violation system events.

License limit exceededWhen the number of observed sessions exceeds 85% of the maximum limit, a warning is sent to the NMS by an SNMP trap. This warning also appears on the GUI System Events View. When the number of sessions exceeds the limit, a critical system event alarm is generated. When the number of sessions drops below 80% of the session maximum, the license limit exceeded condition is cleared automatically.

License expiration

A license expires if an expiration date is specified in the license. Otherwise, the license is a permanent license. When a license has an expiration date, the license expires within 12 hours after the end of the day that is specified by the expiration date in the license. A license expiration check is performed every 12 hours, unless the license expiration field is specified as permanent. When a license expires, a critical system event is generated and an SNMP trap is sent to the northbound NMS.

Parameter Description

Hostid The hostid must match the hardware hostid of your 9900 WNG Central machine.

Version The version number must indicate a later version of the 9900 WNG product release than what is currently installed on 9900 WNG Central.

Expiration Date

The license is valid until the expiration date and time. After the license expires, the 9900 WNG in inoperable. You can obtain a permanent license that does not expire.

Max Sessions The maximum number of simultaneous active subscriber sessions that can be viewed in the network at any time across all of the 9900 WNG Detectors. If the number of sessions exceeds the license maximum session limit, the following events may occur:• the system operates up to the session limit• key information that is related to additional subscriber sessions is lost• anomaly events and report information are not accurate because of lost

information



Retrieving license expiration dataLicense expiration warnings start five days before the expiration date and then every 12 h until the license is renewed or expires. To view these warnings, use one of the following:

• show license CLI command• System Events View in the GUI

6.2 Obtaining a license file

You must obtain a valid 9900 WNG product activation license file (alu9900.lic) from your Alcatel-Lucent representative. Only one license file is required by the 9900 WNG. To obtain a license, you must have the following information:

• maximum number of simultaneous mobile subscriber data sessions aggregated from all 9900 WNG Detectors that you need to support

• hostid that matches the 9900 WNG Central• duration of license

Before you obtain a license, you need the host identifier of 9900 WNG Central. The host identifier should match the serial number in the license file. Perform Procedure 6-1 to obtain the host identifier of 9900 WNG Central.

Procedure 6-1 To obtain the host identifier of 9900 WNG Central

1 Log in to the CLI, as described in Procedure 14-1 or 14-2.

2 Display the hostid by typing:

show hostid ↵

The hostid is displayed.

6.3 Installing the license file on the 9900 WNG Central

Licenses are installed on the 9900 WNG through a license file (alu9900.lic) that you copy to the 9900 WNG Central using the load license CLI command. The load license command copies the license file to the 9900 WNG Central. After the data in the license file has been verified and validated, the 9900 WNG Central is activated.

Note The license file can be updated on the 9900 WNG Central at any time using the load license command which forces Central to reread and revalidate/reprocess the file; an expiring license can be reloaded without downtime.



Perform Procedure 6-2 to install a new license on the 9900 WNG Central server. A new license may be required in the following cases:

• the initial install of the product license on a new system• the license has expired or is near the expiration date and a new one has been

obtained to extend the expiration date• a license has been obtained to increase the number of monitored simultaneous

mobile sessions• the system has been upgraded to a new release and a new license has been

obtained to activate the software

Procedure 6-2 To install a new license on the 9900 WNG Central

This procedure allows the license file to be imported from a USB memory stick or SCP.

1 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2.

2 Type:

load license location_type location ↵

wherelocation_type is USB or SCPlocation is an SCP location, if you are using SCP

The 9900 WNG Central verifies and validates the license file. Information about the license is loaded into the 9900 WNG; for example, version, expiration date, quantity, and issue date.


7 Mandatory configuration procedures

7.1 Mandatory configuration procedures overview 7-2

7.2 Mandatory configuration procedures 7-2



7.1 Mandatory configuration procedures overview

Mandatory configuration procedures are the tasks that you must perform—in the order they are listed—to configure and provision the 9900 WNG Central and Detector for the first time.

See chapter 12 for the optional configuration procedures that you may need to perform, depending on the configuration of your network.

7.2 Mandatory configuration procedures

Perform the tasks that are listed in Table 7-1, in the order they are listed, to configure the 9900 WNG system.

Table 7-1 Mandatory configuration procedures

Note(1) Repeat this task for each 9900 WNG Detector.

Procedure 7-1 To perform the prerequisites to configure the management interface and BMC LAN on a 9900 WNG server

1 Install the 9900 WNG Central and Detector servers in equipment racks. See chapter 4 for more information.

2 Connect all necessary cables. See chapter 4 for more information.

3 Save the 9900 WNG Central license key as alu9900.lic on a USB storage device. See chapter 6 for more information.

Task See Procedure

To perform the prerequisites to configure the management interface and BMC LAN on a 9900 WNG server

7-1

To configure the management interface and BMC LAN on the 9900 WNG Central and Detector (1)

7-2

To provision the 9900 WNG Central 7-3

To provision the 9900 WNG Detector server (1) 7-4



4 Ensure that you have an LMT available to configure the 9900 WNG Detector and Central servers. The LMT can be a laptop or workstation. The examples in this chapter assume the use of a laptop.

5 Obtain the following information:

• 9900 WNG Central• IP address• hostname• DNS servers

• 9900 WNG Detector • IP address• hostname• DNS servers

• IP address of the NTP server

Procedure 7-2 To configure the management interface and BMC LAN on the 9900 WNG Central and Detector

1 Perform Procedure 7-1 to complete the prerequisites.

2 Connect your LMT to the management interface on the 9900 WNG.

3 On the LMT, open a terminal emulation program and create a serial connection to the 9900 WNG. Table 7-2 lists the properties for the serial connection.

Table 7-2 Serial connection properties

4 At the prompt, log in as root.

If you are accessing the BMC on the 9900 WNG for the first time and you do not know the password, contact your Alcatel-Lucent technical support representative.

You are prompted to enter a new root password after you log in.

5 Start the network configuration script by typing:

run /sdbin/networkConfig ↵

The network configuration script menu appears:

Attribute Value

Speed 9600bps

Data bits 8 bits

Parity None

Stop bits 1

Flow control None

Terminal emulation VT1000



1) Configure Interfaces

2) Set Hostname

3) Set DNS

4) Configure BMC

5) Exit

Please select an option

6 When prompted, start the interface configuration tool by typing:

1 ↵

7 Use the arrow keys to select the Edit a device params option, and press the space bar.

8 Select the eth0 option, and press the space bar. The configuration menu for Ethernet port 0 appears.

9 Configure the attributes, as described in Table 7-3.

Table 7-3 BMC ethernet port attributes

10 Click on OK, and then click on Quit. The network configuration script menu is displayed.

11 Specify the hostname of the 9900 WNG by typing:

2 ↵

hostname ↵

where hostname is the hostname of the 9900 WNG

12 Specify the IP address of the DNS server for the 9900 WNG by typing:

3 ↵

IP.address ↵

where IP.address is the IP address of the DNS server for the 9900 WNG

13 Open the BMC LAN configuration menu by typing:

4 ↵

The BMC LAN configuration menu appears:

1) Set IP

Attribute Value

Static IP The IP address of the 9900 WNG

Netmask The network mask for the 9900 WNG

Default gateway IP The IP of the gateway for the 9900 WNG



2) Change Password

3) Exit

Please select an option

14 Configure the BMC LAN IP information by typing:

1 ↵

15 When prompted, enter the IP address, network mask, and IP gateway for the BMC interface.

16 Configure the password for the BMC LAN by typing:

2 ↵

password

where password is the new password for the BMC LAN

17 Exit the configuration script by typing:

3 ↵

5 ↵

18 Restart the 9900 WNG by typing:

reboot ↵

Procedure 7-3 To provision the 9900 WNG Central

1 Log in to the 9900 WNG Central as root using SSH, as described in Procedure 14-1.

2 Specify the IP address of the NTP server for the 9900 WNG Central by typing:

ntp server add IP_address ↵

where IP_address is the IP address of the NTP server.

3 Start the NTP server by typing:

ntp enable ↵

4 Add your license file to the 9900 WNG Central by typing:

load license USB ↵

start_central ↵

See chapter 6 for more information about licenses.



5 Add a new user to the 9900 WNG Central, as described in Procedure 36-1.

6 Repeat step 5 to add new users, as required.

Procedure 7-4 To provision the 9900 WNG Detector server

1 Log in to the 9900 WNG Central as root using SSH, as described in Procedure 14-1.

2 Register the new 9900 WNG Detector with the 9900 WNG Central by typing:

detector add IP_address name group ↵

where IP_address is the IP address of the 9900 WNG Detector, name is the name of the 9900 WNG Detector, and group is the group to which the 9900 WNG Detector belongs.

3 Log in to the 9900 WNG Detector remotely by typing:

detector detector_name ↵

where detector_name is the name of the 9900 WNG Detector that you specified in step 2.

4 Configure the NTP server address for the 9900 WNG Detector by typing:

ntp server add IP_address ↵

where IP_address is the IP address of the 9900 WNG Central.

5 Enable NTP on the 9900 WNG Detector by typing:

ntp enable ↵


Hardware maintenance

8 Replacing CRUs 8-1



8 Replacing CRUs

8.1 CRU overview 8-2

8.2 Replacing hardware precautions 8-2

8.3 Replacing a power supply 8-3

8.4 Replacing a hard disk drive 8-4

8 Replacing CRUs


8.1 CRU overview

CRUs are components that can be removed and replaced by service provider personnel without technical assistance or special training from Alcatel-Lucent.

Table 8-1 describes the CRUs on the 9900 WNG Central and Detectors that you can use for ordering.

Table 8-1 CRUs on the 9900 WNG Central and Detector servers

Table 8-2 lists where to find more information.

Table 8-2 CRU information

8.2 Replacing hardware precautions

The following are installation safety precautions:

• Follow all installation instructions.• Remove rings and watches before beginning the procedure to avoid a short across

the high-current power supply output terminals • Never install telecommunication wiring or connections during lightning storms

or in wet areas.• Never touch uninsulated wires or terminals unless power has been disconnected

at the interface.

Orderable item Description Comm code

300988870 SPARE, HARD DISK DRIVE, 147GB SAS, FOR ALU9900WNG CENTRAL/DETECTOR

409073657

300988888 SPARE, POWER SUPPLY, AC PWR INPUT, FOR ALU9900WNG CENTRAL/DETECTOR

409073632

300988896 SPARE, POWER SUPPLY, 48VDC PWR INPUT, FOR ALU9900WNG CENTRAL/DETECTOR

409073640

For information about See

9900 WNG Detector and Central server installation Chapter 4

Hardware status and fault reporting Chapter 37

Hardware Failure system events Section 38.13

8 Replacing CRUs


Electrostatic discharge precautionsComponents are sensitive to ESD. The following are precautions to prevent injury or damage from electrostatic discharge:

• Wear a grounding strap when working with any parts of the system. Minimum acceptable precautions include a grounded wrist or heel strap that is attached to the frame and a grounded, static-dissipating floor mat.

• Work in an area that is protected against electrostatic discharge. Use conducting floor and bench mats that are conductively connected to the rack electrostatic protection bonding point.

• Wear working garment made of 100% cotton to avoid electrostatic charging.• Ensure that the rack is grounded.

8.3 Replacing a power supply

Perform Procedure 8-1 to replace a faulty power supply on a 9900 WNG Central or Detector. Perform this procedure when troubleshooting or when fault clearance procedures indicate that there is a need to replace a power supply.

Procedure 8-1 To replace the power supply

This procedure requires the following tools and materials:

• antistatic wrist strap• electrostatic discharge mat• a replacement power supply module

This procedure typically takes 10 min to perform.

1 Power down the device, as described in Procedure 5-2 (9900 WNG Central) or 5-4 (9900 WNG Detector).

2 Disconnect the appropriate power cord. The power cord connections for DC and AC power supply modules are shown in Figure 8-1.

Note The AC cord is a standard cord that plugs into an AC receptacle. To disconnect it, pull the plug from the power supply.

The DC connection has a short cable that is attached to the power supply on one end, and a connector on the other end. That connector plugs into the permanently connected power feed that has the mating connector. Power can be removed by either separating the connectors, or, if the power feeds are attached on an upstream circuit protector (breaker or fuse), to remove power, open the circuit protector.

8 Replacing CRUs


Figure 8-1 Power supply module

3 Press the green safety lock down and hold.

4 Grasp the handle, pull the module out, and place it on the electrostatic discharge mat.

5 To insert a new power supply, press and hold the green safety lock downward and slide the power supply module into the chassis slot.

6 Reconnect the power cables or close the circuit protector, and then power up the unit. After a few minutes, the unit powers up.

7 Verify that the power supply module that you just installed is functioning properly by checking the green power LED.

If the power LED reports power supply failure, contact your Alcatel-Lucent technical support representative.

8.4 Replacing a hard disk drive

Each drive has two small LEDs located just to the left of the green release button.

When a hard disk drive is operating properly, the lower LED is green and is illuminated steadily and the upper LED is amber. When a drive is faulted, the green LED is dark and the amber LED is illuminated steadily.

Hard disk drive bay numbering is shown in Figure 8-2.

8 Replacing CRUs


Figure 8-2 Hard drive numbering

When you remove a hard disk drive, a major alarm is generated. The alarm continues to be generated even after you have replaced the hard drive.

The CLEI labels are shipped in a three-label set. The replacement hard disk drive should be affixed with two text CLEI labels. The third (2D) CLEI label, shipped loose with the drive, should be affixed to the carrier after the drives are swapped. The old 2D label on the carrier have the serial number of the drive embedded in the data, so it should be covered with the new label.

Perform Procedure 8-2 when troubleshooting or when fault clearance procedures indicate that there is a need to replace a hard disk drive.

Procedure 8-2 To replace a hard disk drive

This procedure requires the following tools and materials:

• Antistatic wrist strap• Electrostatic discharge mat• A replacement hard disk drive• CLEI label for the replacement hard disk drive

This procedure typically takes 5 to 10 min to perform.

1 Attach the antistatic wrist strap to the grounding lug on the equipment rack.

2 On the lower-left front panel of the 9900 WNG Detector or Central server, locate the faulty hard disk drive.

Danger A wrist strap must be worn that is attached to the cabinet framework at an ESD grounding point. Hold components only at the edges or on the insertion and removal facilities. Always observe general ESD instructions.

Caution Ensure that you are removing a faulty hard disk drive. Removing an operating hard disk drive can cause system failure!

8 Replacing CRUs


3 Remove the front bezel using the following instructions:

a Disconnect the cables from the front panel USB port and / or serial port connectors.

b Loosen the bezel retention screw from the right side (A).

c Rotate the bezel outward as shown and remove (B).

Figure 8-3 Front bezel

4 Remove the drive tray by pressing the green button, opening the lever, and pulling out the hard drive/tray assembly.

Figure 8-4 Hard drive tray assembly, removed from the HDD bay.

5 Remove the four screws securing the hard drive to the tray. Remove the hard drive and place it on an antistatic discharge mat.

8 Replacing CRUs


Figure 8-5 Hard drive unscrewed from the tray

6 Locate the old CLEI label on the tray and cover it with the new CLEI label.

7 Install the new drive into the tray and secure it with four screws.

8 With the drive tray locking lever in the fully open position, slide the hard drive/tray assembly into the chassis opening until it stops. Close the lever, pressing it until it snaps shut.

8 Replacing CRUs


Figure 8-6 Replacement hard drive assembly before insertion into chassis

9 Replace the bezel on the device.

a Align the four tabs on the left side of the bezel with the slots in the front panel. Then, rotate the free end of the bezel to the closed position.

b Snap the front bezel into place and tighten the screw at the right edge of the bezel (if used).

c Re-connect the serial port and USB cables if they are used.

10 Verify that the major alarm has cleared.


Software maintenance and upgrades

9 Managing software 9-1



9 Managing software

9.1 9900 WNG software upgrade overview 9-2

9.2 Software upgrade CLI commands 9-2

9.3 Software repositories 9-3

9.4 Software upgrades and updates 9-5

9 Managing software


9.1 9900 WNG software upgrade overview

You need to upgrade the software on the 9900 WNG Central and Detector servers when there are:

• OS updates or patches are available that the 9900 WNG needs• 9900 WNG application software updates

Software upgrades and updates for the 9900 WNG are performed using the software management tools that are described in Table 9-1.

Table 9-1 Software management tools

You can use the 9900 WNG Central, an external repository, or a USB memory stick as the software repository. See section 9.3 for more information.

CLI commands are used for software upgrades and updates. See section 9.2 for more information about CLI commands and section 9.4 for more information about upgrade procedures.

9.2 Software upgrade CLI commands

CLI commands are used for 9900 WNG software upgrades and updates. You must have the sudo privilege on the 9900 WNG Central. Table 9-2 describes the CLI upgrade commands.

Software management tool

Description

RPM A core component of the Red Hat Enterprise Linux Operating System. RPM is a command line driven package management system that is capable of installing, uninstalling, verifying, querying, and updating computer software packages. Each software package consists of an archive of files along with information about the package such as its version, a description, and the like.

Yum A software package manager tool for installing, updating, and removing packages and their dependencies on RPM-based systems. It automatically computes dependencies and determines what should occur to install packages on the product. Yum makes it easier to maintain groups of machines without having to manually update each one using RPM.

9 Managing software


Table 9-2 CLI upgrade commands

The following is an example of the install software central command:

install software central aware-central-0.7-11984

The following is an example of the update software central command:

update software central aware-central

9.3 Software repositories

You can use any of the following as a software repository:

• the 9900 WNG Central (on a disk that is reserved for software updates or upgrades)

• an external repository that is not on the 9900 WNG Central server• a USB memory stick

CLI command Description

show software repo all Displays all of the 9900 WNG application and OS packages that are in the repository

show software repo alu9900 Displays the 9900 WNG Central and Detector application packages in the repository that can be installed

show software repo central Displays the 9900 WNG Central application packages in repository that can be installed

show software repo detector Displays the 9900 WNG Detector application packages in repository that can be installed

show software installed central Displays the 9900 WNG Central application packages that are installed

show software installed central [all] Displays all of the 9900 WNG Central application and OS packages that are installed

show software installed detector <detectorName>

Displays the 9900 WNG Detector application packages that are installed

show software installed detector all <detectorName>

Displays all of the 9900 WNG Detector application and OS packages that are installed on a specific 9900 WNG Detector

install software central <packageName> Installs the specified 9900 WNG Central application or OS package on the 9900 WNG Central

update software central [packageName] Updates a 9900 WNG Central application or OS package to the latest version that is available in the repository

install software detector <detectorName> <packageName>

Installs the specified 9900 WNG Detector application or OS package on a specific 9900 WNG Detector

install software detector <detectorName> [packageName]

Updates a 9900 WNG Detector application or OS package to the latest version that is available in the repository

Note For the install CLI commands, the packageName contains the version of the software package to be loaded. For the update CLI commands, you do not need to specify the version of the software package because the most current version of the software package that is in the repository is loaded.

9 Managing software


The 9900 WNG Central and Detectors are upgraded independently of each other on a per machine basis. The 9900 WNG Central can serve as the repository for 9900 WNG Detectors.

Configuring the 9900 WNG Central server as the software repositoryPerform Procedure 9-1 to configure the 9900 WNG Central server as the software repository.

Procedure 9-1 To configure the 9900 WNG Central as the software repository

When you use the 9900 WNG Central server as the software repository, the area that is reserved on the hard disk for the repository is at: /var/www/aware-yum.


2 Enable the 9900 WNG Central Repository by typing:

repo enable central ↵

3 Perform Procedure 9-5 to upgrade software on the 9900 WNG Central using the 9900 WNG Central as the repository.

Displaying the enabled software repositoryPerform Procedure 9-2 to display the enabled software repository.

Procedure 9-2 To display the enabled software repository

1 Access the CLI, as described in Procedure 14-1 or 14-2.

2 Display the enabled software repository by typing:

show repoStatus ↵

The following output example shows which external repository is enabled:

external repository enabled. (https://yumuser:get-updates@ mh.lucent.c om/aware-current/)

central repository disabled.

local repository disabled.

Yum proxy is disabled.

9 Managing software


9.4 Software upgrades and updates

Software updates or upgrades are software packages that provide fixes and or new features and functions for software releases that are already released. Table 9-3 lists the procedures to load software upgrades or updates.

Table 9-3 Software upgrades or updates procedures

Upgrading softwareThe following procedures describe how to upgrade software on the 9900 WNG Central.

To See Procedure

To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository

9-3

To upgrade software on the 9900 WNG Central and Detector using an external software repository

9-4

To upgrade software on the 9900 WNG Central and Detector using a USB removable hard drive as the software repository

9-5

To display the software packages that are in the software repository 9-6

9 Managing software


Procedure 9-3 To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository

1 Perform Procedure 9-1 to configure the 9900 WNG Central as the software repository.

2 Import the RPMs into the repository on the 9900 WNG Central server by performing one of the following:

a Import the software packages from a USB memory stick that is installed in the 9900 WNG Central server by typing:

repo import usb ↵

b Import the software packages from a secure file copy from an external machine by typing:

repo import scp user@host:/pathname ↵

3 Start the software upgrade or update by performing one of the following:

a Upgrade or update the software on the 9900 WNG Central server by typing:

update software central packageName ↵

where packageName is the name of the software to upgrade or update

The command updates all of the 9900 WNG Central servers and OS packages that are available in the repository.

b Upgrade or update the software on the 9900 WNG Detector server by typing:

update software detector detectorName packageName ↵

wheredetectorName is the name of the 9900 WNG DetectorpackageName is the name of the software to upgrade or update

Note The CLI command searches for /repo on the USB memory stick. All USB memory sticks that contain the 9900 WNG and/or OS software upgrades/updates are created by your Alcatel-Lucent technical support representative.

Note The path in the CLI command must be the path of an existing software repository that was initially created by your Alcatel-Lucent technical support representative.

Note Executing the update software central packageName only updates the package name that is included in the command line.

9 Managing software


The command updates all of the 9900 WNG Detectors and OS packages that are available in the repository.

Procedure 9-4 To upgrade software on the 9900 WNG Central and Detector using an external software repository


2 Configure the repository location by typing:

repo setExternal repo URL ↵

where URL is https://yumuser:get-updates@hostname/path

3 Enable the repository by typing:

repo enable external ↵





The command updates all of the 9900 WNG Central application and OS packages that are available in the repository.



wheredetectorName is the name of a specific 9900 WNG DetectorpackageName is the name of the software to upgrade or update

Note Executing the update software detector detectorName packageName only updates the package name that is included in the command line.

Note Executing the update software central packageName command only updates the package name that is included in the command line.

9 Managing software


The command updates all of the 9900 WNG Detectors and OS packages that are in the repository.

Procedure 9-5 To upgrade software on the 9900 WNG Central and Detector using a USB removable hard drive as the software repository

1 Logged into the CLI on the 9900 WNG Central with the sudo privilege, as described in Procedure 14-1 or 14-2.

2 Install the USB memory stick that has been provided by your Alcatel-Lucent technical support representative into the 9900 WNG Central server.

3 Type:

repo mount usb ↵

4 Enable the USB repository by typing:

repo enable local ↵





The command updates the 9900 WNG Central server and OS packages that are available in the repository.



wheredetectorName is the name of a specific 9900 WNG Detectorwhere packageName is the name of the software to upgrade or update

Note Executing the update software detector detectorName packageName command only updates the package name that is included in the command line.

Note Executing the update software central packageName updates only the package name that is included in the command line.

9 Managing software


The command updates the 9900 WNG Detectors and OS packages that are available in the repository.

Displaying software packagesPerform Procedure 9-6 to display the software packages that are in the software repository.

Procedure 9-6 To display the software packages that are in the software repository

1 Access the CLI with the user or admin privilege, as described in Procedure 14-1 or 14-2.

2 Enter the following CLI command:

show software repo option ↵

where option is one of the options that are listed in Table 9-4.

Table 9-4 Show software repo CLI command options

Note Executing the update software detector detectorName packageName only updates the package name that is included in the command line.

Option Description

all Displays all of the 9900 WNG application and OS packages that are in the repository and can be installed

alu9900 Displays the 9900 WNG Central and Detector application packages that are in the repository and can be installed

central Displays the 9900 WNG Central application packages that are in the repository and can be installed

detector Displays the 9900 WNG Detector application packages that are in the repository and can be installed

9 Managing software


Alcatel-Lucent 9900WIRELESS NETWORK GUARDIAN | RELEASE 2.1U S E R G U I D E


U S E R G U I D E





Disclaimers






9900 WNG overview

10 9900 WNG system 10-1

11 9900 WNG new features 11-1



10 9900 WNG system

10.1 9900 WNG overview 10-2

10.2 9900 WNG Detector and Central 10-4

10.3 9900 WNG external user interfaces 10-7

10 9900 WNG system


10.1 9900 WNG overview

The 9900 WNG monitors wireless data subscriber traffic and network signaling traffic to identify behaviors that threaten the performance of wireless data networks. The 9900 WNG performs the following monitoring tasks:

• analyzes subscriber IP traffic using the hints extracted from wireless signaling traffic

• profiles the behaviors of the network and endpoints (including subscribers and servers)

• detects and reports anomalous behaviors • provides broad detection capabilities for issues that affect networks such as:

• battery drain anomalies where IP layer activity causes excessive subscriber device battery drain

• signaling anomalies where IP layer activity cause excessive amount of signaling events in the wireless network

• RNC overload • source of traffic that is not requested or wanted by wireless subscribers• port scans for vulnerabilities and service exploitation (vertical port scans and

horizontal port scans)• always active subscribers who have anomalously high usage of the radio channel• high usage subscribers who consume significant amounts of bandwidth• subscribers using peer-to-peer applications that may violate end-user agreements• ICMP router discovery abuse that may disrupt active subscriber sessions• flooded mobile, where a subscriber session is overwhelmed by unsolicited traffic• battery drain anomalies from distributed sources where subscriber device battery is

drained by unwanted traffic from multiple sources• high signaling subscribers who contribute large amounts of signaling load to the

networkFor information about the attacks, see chapter 33.

• detects low-volume behaviors that consume anomalously high radio access network resources

• generates mobile flow records• determines how subscriber IP traffic affects multiple layers of the network by

measuring the consumption of network resources, such as air resources, signaling overhead, and bandwidth

Key 9900 WNG functions

Table 10-1 describes the 9900 WNG the key functions for wireless data operators.

Table 10-1 Key 9900 WNG functions

Key function Description

Operations Service providers can determine which subscribers, servers, and applications are the most significant contributors of non-value-added traffic and load on the network, so they can remove that traffic from their network. The benefit is more efficient use of the installed base.

(1 of 2)

10 9900 WNG system


Key 9900 WNG benefits

Table 10-2 describes the 9900 WNG the key benefits for wireless networks.

Table 10-2 Key 9900 WNG benefits

Planning Service providers can establish a baseline measurement of network use at the individual subscriber level, allowing more accurate predictions of network capacity trends. The benefit is better capacity planning and network architectures, along with savings in network build-out strategies.

Engineering Service providers can ensure that packet transmissions from devices and networks are consistent with the design and are not being sent fraudulently. The benefit is a more predictable network performance, per design and specification

Security Service providers can detect a new class of wireless-specific DOS attacks targeted at the signaling layer and exhausting RF channels, as well as the mobile devices that are directly or surreptitiously participating in the attacks. The benefit is reduced network outages and downtime.

Marketing Service providers gain better ways to determine the network cost associated with supporting any application, thereby enabling applications-level ROI calculations. The benefit is increased awareness of the overall cost of delivering specific applications and services.

Key function Description

(2 of 2)

Key benefit Description

Wireless networks have unique limited resources

With the increase in sophistication of wireless devices and networks, increasingly complex threats have also emerged. Wireless networks, by nature of having limited air spectrum that must be shared, are susceptible to abuses of RF and mobile device signaling resources. These could include malicious attacks, but are also caused by the normal behaviors of IP applications. Detecting threats to wireless networks has proven to be highly challenging. Threats can originate from within the network and from the Internet. Network threats can exist at very low volumes or appear as normal activity.

New wireless traffic behaviors threaten the capacity of wireless resources

Wireless networks have limited resources with which to support the growing demand of data subscribers. In wireless networks, signaling resources and radio frequency capacity must be conserved and managed carefully to meet the ever-growing demands upon the network. The limited physical resources of wireless networks is another reason that a strong and effective security solution is needed.

Existing solutions are inadequate

Many products exist in the market that address IP traffic management and control. However, these products do not address the needs of wireless data networks because they do not measure the impact that the traffic has on wireless resources. New solutions are required that strictly offer protection to the network gateway, the packet core, and the wireless access node. The solution must offer protection to the bearer and signaling path and the subscribers handset, and preserve air resources.

9900 WNG is an important new step

The 9900 WNG solution has been designed specifically to identify and address the behaviors that threaten the performance of wireless data networking. With the visibility offered by the 9900 WNG, operators can better operate, optimize, manage, monitor, and secure their networks.

10 9900 WNG system


10.2 9900 WNG Detector and Central

The main components of the 9900 WNG system include:

• 9900 WNG Central• 9900 WNG Detector

Figure 10-1 shows the 9900 WNG Detector and Central in a wireless network.

Figure 10-1 9900 WNG components in a wireless network

The connections between the 9900 WNG and other NEs in a wireless data CDMA network are shown in Figure 10-2.

10 9900 WNG system


Figure 10-2 Network architecture for a CDMA environment

The 9900 WNG supports UMTS networks. The connections between the 9900 WNG and other network elements in a UMTS network are shown in Figure 10-3.

Figure 10-3 Network architecture for a UMTS environment

9900 WNGDetector

9900 WNGCentral

NMS

Servers

ExternalSources

AAA

AAA

AAA

GGSN

GGSN

RNC

SGSN

RNC BTS

BTS

21186

10 9900 WNG system


9900 WNG Detector

Table 10-3 describes the 9900 WNG Detector based on the location.

Table 10-3 9900 WNG Detector

9900 WNG Central

Table 10-4 describes the 9900 WNG Central based on the location.


CDMA environment

In the network, a 9900 WNG Detector observes mirrored IP traffic between the AAA server and the PDSN, and between the HA and the PDSN. The 9900 WNG Detector monitors wireless traffic and reports anomalous behaviors to the 9900 WNG Central.The 9900 WNG Detector supports CDMA and UMTS technology at the same time.

Wireless network

The 9900 WNG Detector comprises purpose-designed hardware and software that monitors IP sessions and detects anomalous behaviors, registered to the individual subscriber level. The 9900 WNG Detector observes IP traffic mirrored from the packet core, as well as RADIUS traffic, interprets network events and states, and identifies anomalous traffic flow. The 9900 WNG Detector reports anomalies to the 9900 WNG Central to alert operators to take appropriate action.The 9900 WNG Detector identifies wireless specific anomaly events and notifies the 9900 WNG Central over a secure tunnel. All communication for configuration, bootstrap, and alarm reporting from the 9900 WNG Detector to the 9900 WNG Central component is through a SSL connection. The 9900 WNG Detector provides the following functionality:• supports up to two million packets per second or up to 4 Gb/s, whichever is

lower• supports up to one million subscriber sessions• supports up five million simultaneous flows• tracks information from the subscriber registration activities to associate the

dynamically assigned IP address with the user device identification and network path

• infers loads across the wireless data network by watching signaling and data traffic

• detects wireless 3G and 4G network anomaly behavior using proprietary algorithms

• monitors individual subscriber session behavior (Mobile Flow records)• monitors mobile-to-mobile and Internet-to-mobile traffic

UMTS environment

In the UMTS environment, the 9900 WNG Detector observes mirrored IP traffic on two interfaces: between the AAA Server and the SGSN (Serving GPRS Service Node) and between the SGSN and the GGSN (Gateway GPRS Service Node). It is expected that an available Ethernet port from each of these interfaces is available from a switch or router within the Service Providers network. To avoid congestion on the capture ports, the capture port speed shall match or exceed the snooped interface. The 9900 WNG Detector snoops the path to the mirrored AAA Server for information regarding active mobile IP data sessions and reports anomalous behavior to the 9900 WNG Central.The 9900 WNG Detector supports CDMA technology and Universal Mobile Telecommunications System (UMTS) technology at the same time.

10 9900 WNG system


Table 10-4 9900 WNG Central

10.3 9900 WNG external user interfaces

Figure 10-4 shows the components of the 9900 WNG and the associated interfaces.


CDMA environment

The 9900 WNG Central has an EMS and also supports a northbound system log and SNMP interface to network management systems, if required.

Wireless network

The 9900 WNG Central comprises hardware and software with which to manage a set of 9900 WNG Detectors. The 9900 WNG Central handles correlation and northbound reporting functions, and helps identify unwanted traffic on the network. The 9900 WNG Central uses application software to process anomaly event streams from the 9900 WNG Detector, generate alarms, generate daily and on-demand network usage reports, and report to northbound network and security operations platforms.The 9900 WNG Central collects event data and mobile flow records generated from multiple 9900 WNG Detectors that are deployed throughout a providers network and stores the information in a database. The 9900 WNG Central provides the following functionality:• configures and manages 9900 WNG Detectors in the system as well as itself• supports up to 10 Detectors• provides GUI and CLI capabilities• collects, stores, and reports event data and notifications from the Detectors• provides a status display of the 9900 WNG system and provides the ability to

relay status and alarm information on external and internal interfaces as needed by the configuration

• provides the WSP with a user-friendly means of observing, recording, and interpreting the alarms and reports on anomaly status

• downloads software upgrades to the Detectors• manages events at an aggregated average rate of 2500 events per second• manages servers at a peak rate of 10 000 events per second

UMTS environment

The 9900 WNG Central has an EMS and also supports a northbound system log and Simple Network Management Protocol (SNMP) interface to the Network Management Systems (NMS), if required.

10 9900 WNG system



The 9900 WNG external interfaces that are used to configure, monitor, and control NEs and their managed resources are:

See chapter 13 for more information about 9900 WNG external interfaces.

• 9900 WNG Central webpage• GUI• CLI

• NMS• SNMP• BMC


11 9900 WNG new features

11.1 9900 WNG Release 2.1 features 11-2



11.1 9900 WNG Release 2.1 features

Table 11-1 describes the features added in Release 2.1 of the 9900 WNG.

Table 11-1 9900 WNG Release 2.1 features

Feature Description Use

Platform, hardware, and system performance

Platform software and firmware

Platform software and firmware are upgraded to the current versions

Increase platform memory

Platform memory is increased to 64 Gbytes, which:• improves the system performance when running

user reports on systems with data flows that are greater than 400 Mbytes per day

• increases the capacity of the 9900 WNG Central

10 Gb/s tap port Supports an optional 10 Gb/s traffic input port on the 9900 WNG Detector. You can order the 9900 WNG Detector with four 1 Gb/s tap ports or one 10 Gb/s tap port.

To process the maximum line rate of 4 Gb/s, whether the line rate is from a 4 x 1 Gb/s or one 10G interface. See chapter 2 for more information about port cards.

Tracking of hand ups and hand downs

Supports the tracking of hand ups and hand downs counts at the session level across 2.5G and 3G technologies. The 2.5G and 3G filter in the Subscriber Cumulative Distribution web report can be used to view the subscriber distribution across subscribers who operate only in 2.5G and 3G networks.

External disk array Supports expanded redundant data storage for the 9900 WNG Central; for example 30 to 60 days of mobile flow and sessions record for forensic GUI reports, for approximately 400 days of long-term history for the web reports. The number of storage days can vary because of the network traffic load. A hot spare disk and RAID 5 configuration is used for increased reliability.

To store mobile flow and session records, and all of the long term data that is used for reporting.See chapter 4 for more information about the external disk array.

System administration

Incremental backups Supports the incremental backup of the reports database

To decrease the amount of time and resources to perform a backup of the reports database.See Procedure 39-2 to perform an incremental backup.

Automatic saving of configuration changes

Supports the automatic saving of 9900 WNG Detector configuration changes that were made using CLI commands. The changes are copied to the startup.xml file. The copy running startup CLI command is no longer required.

To reduce system administration and decrease configuration errors. See Table 14-8 for descriptions of CLI commands.

Monitoring

Disk failure monitoring

Supports an SNMP trap and system event for disk failures on the 9900 WNG Central and Detector. A hot spare disk configuration in the external array is the default configuration. The hot spare disk configuration automatically replaces a problem disk that is in the RAID 5 configuration.

To replace a failed disk. See section 38.13 for more information about the Hardware Failure system event. See Table 19-6 for more information about the HW Failure SNMP trap.

(1 of 6)



Enhanced 9900 WNG Central monitoring

Supports the monitoring of the 9900 WNG Central using a heartbeat, system event, and SNMP trap if the 9900 WNG Central stops processing some events

To provide extra reliability and automatic recovery.See Table 19-6 for more information about the Process Down SNMP trap event.

Additional statistics The show stats CLI command displays the current and peak rates of the 9900 WNG Detector traffic feed inputs. A system event is generated when the line rate is greater than or equal to:• 950 MB/s for a 1 Gb/s interface• 3900 MB/s for a 10 Gb/s interface

To determine whether the traffic feed input is reaching the maximum port line, which indicates a high probability that packets are being dropped before they reach the 9900 WNG Detector. See show stats in section 37.4 for more information.

Backhaul information

The show backhaul command displays the current and peak management backhaul communication rates between the 9900 WNG Detector and Central.

To size the backhaul communication from the 9900 WNG Detector to Central. See show backhaul in section 37.4 for more information for more information.

System events Supports the following system events:• Line rate thresholdto monitor the traffic feed

to the 9900 WNG Detector• Swap Usageto monitor potential performance

degradation because the 9900 WNG Central or Detector is swapping to the disk, which indicates the system memory is at the maximum capacity

• Hardware Failurefor the external disk array when a problem is identified by the 9900 WNG, which indicates that disk may need to be replaced

To detect and monitor problems.See the following for more information:• section 38.11 for the Line rate

threshold system event• section 38.14 for the Swap Usage

system event• section 38.13 for the Hardware Failure

system event

Advanced logging and monitoring CLI commands

Supports the following advanced logging and monitoring CLI commands:• show log database• show log compression• show log central-err

To facilitate monitoring of the system and troubleshooting system problems. See Table 14-8 for descriptions of CLI commands. See chapter 37 for information about monitoring the 9900 WNG Central and Detector.

User roles and privileges

User roles and privileges

Supports additional levels for the GUI and Web Reports role. GUI and Reports roles can be set to any or a combination of the following:• Subscriber• Network• Admin (only GUI role)• AppsDevices (only Reports role)• Anomaly• Demo

The Demo role is not for standard operations, but it can be used for demonstrations to hide sensitive information, such as APNs, realms, or subscriber IDs.The CLI role is unchanged.

To provide increased security by setting the access level for the GUI and Reports roles. See chapter 36 for more information about user accounts and roles.

Timeout for GUI and Web sessions

Supports the idleTimeout CLI command that sets a timeout for user sessions after a specified period of inactivity

To configure an idle timeout. See Procedure 36-14 for information about how to set the idle timeout.


(2 of 6)



CDMA device reporting

CDMA device reporting

Supports reporting for specific CDMA device manufacturer and model type, which are based on the input that is entered from the service provider device or subscriber database. The CDMAdeviceMode CLI command is used to configure the mode for the system. Only one mode can be supported at a time. The modes are:• manufacturerOnly• ranges• list

For UMTS/3GPP based devices, the manufacturer and model type identification is always supported, regardless of the CDMA device setting.

To provide device-related information for CDMA networks. See Table 14-8 for more information about the CDMAdeviceMode CLI command.

Subscriber session timeout

Subscriber session timeout

Supports a subscriber session timeout for sessions that have not sent or received data in two weeks

To provide protection against traffic feed issues or a lost RADIUS or signaling message.

Performance KPI

TCP Downlink Saturated Throughput performance KPI

Supports the TCP Downlink Saturated Throughput performance KPI. The saturated throughput KPI measures only the flows that have saturated TCP or that have passed the typical TCP slow start phase. This KPI appears in mobile flow and dashboard elements, and it is a parameter that can be used for plotting in web reports.

To provide an accurate measurement of the network capacity. See the following for more information:• Tables 27-4, 29-8, 29-9• Sessions and performance parameters

for network element reports in section 31.4

• Parameters overview for subscriber reports in section 31.7

Trend alerts

Trend alert enhancements

Support the configuration of an alert that is generated when a load parameter for a specific NE deviates from the past history, as determined by the 9900 WNG

To improve the accuracy of trends for specific load parameters which deviate from past history. See Table 14-8 for descriptions of pattern CLI commands. See section 22.3 for information about how to view trend alerts.

Network hops and path tracking

Increase number of network hops tracked by the 9900 WNG Detector

Supports the following number of hops that are tracked by the 9900 WNG Detector:• 60 000 RNC-Cell hops• 7500 SGSN-RNC hops (UMTS)• 7500 PDSN-RNC hops (CDMA)• 1500 GGSN-SGSN hops (UMTS)• 1500 HA-PDSN hops (CDMS)

RNC-Cell hops include 2.5G RNC equivalents (BSC- or MSC-based) and 3G RNC.The number of hops can by modified based on your operational needs. Contact your Alcatel-Lucent technical support representative.


(3 of 6)



Application mapping tables

Application mapping tables

Supports additional default application mappings to identify highly accessed URLs, such as Google, Facebook, and Yahoo.

To reduce effort for configuring the application map table.See Adding entries to the application map table in section 12.3 for information about how to update the application mapping table for Internet websites.

GUI

Provider parameter for the Roaming report

Supports the Provider parameter for HA, PDSN, GGSN, and SGSN NEs in the NE tables, which are automatically populated based on a list of known IP addresses that are used by service providers. You can also manually enter IP addresses for the Provider parameter, as previously supported.

To automatically display the provider name in the Roaming report for the HA, PDSN GGSN, and SGSN NEs. See Tables 24-1, 24-2, 24-5, and 24-6 and Roaming traffic report in section 31.2 for more information.

Logging of GUI reports

Supports audit logging of the following reports that are run from the GUI:• Network Element Report and Network Hop

Report that are accessed from the Network Forensic Report view

• Mobile Flow query• Subscriber Report

To use the show log gui CLI command to display information about the report input parameter, the user that runs the report, and the execution time. See chapters 25, 27, 29 for more information about the supported reports.See show log gui in section 37.2 fore more information.

Start and stop times for the Network Element Forensic report

Supports the setting of start and stop times for the Network Element Forensic report by zooming an area on the report plot output

To change the start and end times for the Network Element Forensic report so that the report can be run in shorter intervals, without manually entering start and stop times. See Procedure 25-1 for more information about how to configure and generate a network forensic report.

Anomaly History reports

Enhancements to the Anomaly History view, which displays the results of queries about anomaly and performance events

To display several history query results in multiple tabs. See section 22.4 for more information.

System Event History reports

Enhancements to the System Events History, which displays the results of queries about system events

To display several system history query results in multiple tabs. See section 26.4 for more information.

Export to file for Subscriber reports

Supports the export of path information To export flow, session, and path data.See sections 29.10 and 29.11 for more information.

Quicker display of the Overall Network Topology Graph

Improved response times for displaying the Overall Network Topology Graph and other reporting performance improvements

Plotting the performance KPIs in the Dashboard view

Supports plotting the performance KPIs, such as Downlink TCP throughput, RTT, and Packet Loss

To plot almost real-time performance KPIs in the Dashboard view. See Table 21-3 for more information.

CDMA device information

Supports additional CDMA device information, such as manufacturer and model information

To display device and manufacturing data. See section 31.9 for more information.

JRE 1.6 versions Supports all JRE 1.6 versions, with the exception of using the GUI CLI with the Chinese language on the end-user computer, which requires JRE 1.6 version 19 or later.


(4 of 6)



Chinese and Spanish languages

Supports the Chinese and Spanish languages on the GUI. You can customize and import from the CLI a new language resource file on the 9900 WNG Central.

To change the language of the GUI. See section 16.5 for more information.

Saturated Throughput measure

Supports the Saturated Throughput measure on the Mobile Flow details performance tab

To display the Saturated Throughput measure. See Table 27-4 for more information.

Subscriber and VIP group reporting

Subscriber and VIP group reporting

Supports groups of IMSI/NAI that represent subscribers. You can create the groups using the subscriberGroup import CLI command or the Group Manager interface.

To filter groups in some subscriber reports.See chapter 32 for more information about the Group Manager interface and Table 14-8 for information about the subscriberGroup CLI command.

Subscriber group filter

Supports subscriber groups as a filter on the following reports:• Subscriber Cumulative Distribution• Subscriber Top Mobiles (single day, multiple

parameter)• Devices Performance KPI by

Manufacturer/Model

To configure a filter to display a report about a group of subscribers. See Tables 31-40, 31-41, and 31-43 for more information.

Web-based Group Manager interface

Supports a web-based Group Manager interface from the 9900 WNG Central webpage to:• create subscriber groups• search for subscribers groups• view or modify subscribers groups

To decrease effort for reporting information about subscribers. See chapter 32 for more information.

Web reports

Realm/APN reports Supports the Realm/APN comparison table which collects the data that is associated with UMTS APNs or CDMA realms, and displays the information in one table. The Realm/APN resource breakdown pie charts indicate the relative usage across the top Realm/APNs.

To report information about APNs/realms. See Realm/APN comparison table report in section 31.7 for more information.

Additional Network Element reports

Supports additional Network Element reports in the main reporting web interface. The reports are:• Network Element Comparison tables for the

Cell, RNC, SGSN, or GGSN/HA NEs in UMTS networks and Cell, RNC, PDSN, or HA NEs for CDMA networks

• Multi-Element Comparison tables for the Cell, RNC, SGSN, or GGSN NEs in UMTS networks, and Cell, RNC, PDSN, or HA NEs in CDMA networks

• Cell Cumulative distribution function tables for traffic and session/performance for UMTS networks, and traffic and session/performance for CDMA networks

To display all of the data that is associated with one or more NEs. You can use the exported data for additional analysis.See Network elements reports in chapter 31 for more information.

NE Comparison Table Supports an NE Comparison Table that has one row per NE. The table can be sorted by a specific parameter. Separate tables are provided for Cell, RNC, SGSN/PDSN, and GGSN/HA NEs.

To display information about multiple NEs for comparison purposes. See Network elements reports in chapter 31 for more information.

Multi-Element Time Trend table

Supports the Multi-Element Time Trend table that collects the hourly data for several NEs in one table. You can use an input parameter to report information for the entire day or specific hours.

To display information for multiple NEs in one time-trend table. See Network elements reports in chapter 31 for more information.


(5 of 6)



Subscriber group reports

Supports Subscriber group reports To report information about subscriber groups.See Procedures 32-1 to 32-4 for more information.

Browser-based reports interface

Filtering using wildcards

Supports the percentage sign (%) as a wildcard character in the Mobile ID/IMSI filter in the following reports:• Overall subscriber cumulative distribution• Top mobiles

To expand searches using a wildcard character. See Table 31-40 and Table 31-44 for more information.

Hop report plotting increments

Supports the plotting of hop reports in daily, hourly, and minute increments

To plot Hop reports for a configurable interval. See Time Resolution in section 31.5 for information about how to set the plotting interval.

Decimal values to identify cells

Supports specifying the MCC, MNC, LAC and CID for UMTS cells, or the SID, NID, and CID for CDMA cells using decimal values in the following reports:• Cell comparison table (CDMA)• Cell comparison table (UMTS) • Cell multi-element time-trend table (CDMA) • Cell multi-element time-trend table (UMTS) • Cell cumulative dist. (CDMA; traffic)• Cell cumulative dist. (CDMA; session & perf)• Cell cumulative dist. (UMTS; traffic) • Cell cumulative dist. (UMTS; session & perf)

To provide decimals values as filter criteria for CDMA and UMTS cells. See Tables 31-11, 31-12, and 31-15 to 31-20 for more information.

2.5G, 3G, and 4G access filtering

Supports filtering by 2.5G, 3G, and 4G access on the Overall subscriber cumulative distribution report. The4G LTE is not supported.

To filter by 2.5G, 3G, and 4G access. See Table 31-40 for more information.

Top Applications report

The Top Applications web report provides information about all of the configured applications and the top unconfigured applications. The report is based on an application category.

To display the number of subscribers for configured applications, regardless of whether the applications are on the Top Application list. See Top applications reports in section 31.8 for more information.

Reports performance improvements

Multiple performance improvements for the reports interface; for example, device reporting results are displayed faster than in previous releases

Motive customer care API

Web services-based Motive customer care API

Provides the interface with the Alcatel-Lucent Motive customer care product. The information that can be retrieved using the API includes:• overall data usage• device types used• anomaly events which may have affected the

subscriber• specific application usage• whether the subscriber had accessed an area of

the network that was experiencing network congestion

To allow customer care technicians to access specific usage data for the subscribers that require assistance. See chapter 20 for more information.


(6 of 6)




Configuration procedures

12 Optional configuration procedures 12-1



12 Optional configuration procedures

12.1 Optional configuration procedures overview 12-2

12.2 9900 WNG Detector optional configuration procedures 12-2

12.3 9900 WNG Central optional configuration tasks 12-16



12.1 Optional configuration procedures overview

Optional configuration procedures are the tasks that you can choose to perform to modify the defaults of some parameters or if you need to change settings to achieve desired operation of the system or outputs.

See chapter 7 for the mandatory configuration procedures that you must perform.

12.2 9900 WNG Detector optional configuration procedures

Table 12-1 lists the tasks that you can perform for the 9900 WNG Detector.

Table 12-1 9900 WNG Detector optional configuration tasks

Specifying the 9900 WNG Detector deployment mode

The deploymentMode CLI command specifies the 9900 WNG Detector deployment mode. By default, the system auto detects Mobile IP address ranges from RADIUS accounting records. The autodetectMobilesfromAAA CLI command enables and disables the auto detection of IP address ranges.

When the deployment mode is set to SimpleIPOnly, you can specify the range of mobile IP addresses. When the deployment mode is MobileIPOnly or simpleIPandMobileIP, the system automatically obtains the home agent IP address from the mobile IP.

Perform Procedure 12-1 to specify whether the 9900 WNG Detector device analyzes mobile IP traffic, simple IP traffic, or both. By default, the 9900 WNG Detector analyzes mobile IP traffic only.

Task See Procedure

To specify the 9900 WNG Detector deployment mode 12-1

To configure an RNC load threshold 12-2

To configure RNC-to-PCF IP address mapping 12-3

To configure RNC-to-SAI mapping 12-4

To specify the mobile IP address range 12-5

To modify the anomaly event throttle rate 12-6

To add subnets to a whitelist 12-7

To modify the mobile dormancy timeout value 12-8

To include, exclude, clear, and show VLAN IDs to process 12-9

To disable the reporting of an anomaly event 12-10

To specify the intensity level for a reported anomaly event 12-11

To add a 9900 WNG Detector 12-12

To copy 9900 WNG Detector configuration files to another 9900 WNG Detector 12-13

To delete a 9900 WNG Detector 12-14



Procedure 12-1 To specify the 9900 WNG Detector deployment mode

This procedure is typically performed during initial installation.

1 Log in to the CLI with the admin privilege by performing one of the following:

a SSH, as described in Procedure 14-1 or 14-2

b Console login

c LMT

2 Log in to the 9900 WNG Detector, as described in Procedure 14-3.

3 Specify the deployment mode by typing:

deploymentmode option ↵

where option is one of the command line options that is described in Table 12-2

Table 12-2 deploymentMode command options

4 Display the deployment mode setting by typing:

show deploymentMode ↵

Configuring the RNC load thresholdPerform Procedure 12-2 to configure different RNC load thresholds to match varying capacity of different deployed RNCs in the network.

Option Description

MobileIPOnly (default)

The 9900 WNG Detector analyzes the Bearer Mobile IP traffic in IP-IP tunnels only.The 9900 WNG Detector ignores simple IP packets, except mobile IP signaling and RADIUS AAA packets. With this setting, the 9900 WNG Detector auto-discovers HAs, PDSNs, SGSNs, GGSNs, and mobile IP address ranges.

SimpleIPOnly The 9900 WNG Detector analyzes the Simple IP packets only, and ignores IP-IP tunneled packets and MobileIP signaling. Typically used for backward compatibility with older devices deployed in the field.

simpleIPandMobileIP The 9900 WNG Detector analyzes IP-IP tunneled packets and SimpleIP packets.



Procedure 12-2 To configure an RNC load threshold


a SSH, as described in Procedure 14-1 or 14-2.

b Console login

c LMT

2 Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3.

3 Configure the RNC load threshold value by typing:

rncLoadThreshold set rnc_ID value1 value2 ... valueN ↵

where rnc_ID is the RNC identifier that is used in reports and the RMS GUIvalue1 is an integer value between 0 and 10 000 000value2 to valueN are optional, additional integer values between 0 and 10 000 000

4 Repeat step 3 to configure additional RNC threshold values, as required.

5 Display the RNC load threshold settings by typing:

show rncLoadThreshold all ↵

Configuring CDMA RNC-to-PCF IP address mapping

The mapping of the PCF IP addresses to RNC elements enables the 9900 WNG to report information for each RNC. PCF IP addresses are derived from RADIUS accounting records.

The 9900 WNG uses the mapping to identify the signaling load for each RNC without requiring a physical connection to an RNC, which allows for multi-vendor operation. The performance data from an RNC is used to report RNC overload anomaly events.

Perform Procedure 12-3 to map a CDMA RNC element to one or more PCF IP addresses. The RNC-to-PCF mapping allows you to identify a particular RNC, given the PCF IP address obtained from AAA accounting records.

Note The RNC load threshold attributes are set to the default values when you provision RNC using the rncPcfMap (for CDMA RNC) or rncSaiMap (for UMTS RNC) CLI commands. The global default can be retrieved using the show detectionThresholds rncOverload command. This command allows service providers to tune the threshold value for RNCs depending on the RNC capacity.



Procedure 12-3 To configure RNC-to-PCF IP address mapping


a SSH, as described in Procedure 14-1 or 14-2

b Console login

c LMT



a Enter multiple IP addresses in a single command by typing:

rncPcfMap addlist RNC_ID IP_address ↵

where RNC_ID is the RNC identifier to which you need to map IP addresses, and IP_address is a list of IP addresses separated by spaces. For example, 100.1.1.1 100.2.2.2.

b Enter IP addresses using prompts by typing:

rncPcfMap add RNC_ID ↵

where RNC_ID is the RNC identifier to which you need to map IP addresses.

You are prompted to enter IP addresses. When you are finished entering addresses, press ↵ on a blank line.

4 Display the RNC-to-PCF mapping entries by typing:

show rncPCFmap all ↵

Configuring UMTS RNC-to-SAI mapping

The mapping of the SAI to RNC elements enables the system to report traffic for each RNC. SAI mappings are derived from RADIUS accounting records.

The 9900 WNG uses the mapping to identify the signaling load on each RNC without requiring a physical connection to an RNC, which allows for multi-vendor operation. The performance data from an RNC is used to report RNC overload anomaly events.

Perform Procedure 12-4 to map a UMTS RNC element to one or more SAIs. A SAI is used to identify an area that consists of one or more cells that belong to the same Location Area.

The RNC-to-SAI mapping identifies a specific RNC, given the SAI is obtained from AAA accounting records.

Note 1 This procedure is optional, but is highly recommended by Alcatel-Lucent.

Note 2 You cannot map the same PCF IP address to two different RNC IDs.



Procedure 12-4 To configure RNC-to-SAI mapping

1 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2.



a Go to step 4 to map an SAI to an RNC ID.

b Go to step 5 to map multiple SAIs an RNC ID. You cannot specify the same SAI IP address to two different RNC IDs.

4 Map an SAI to an RNC ID by typing:

rncSaiMap add rncID ↵

where rncID the RNC identifier string, which identifies the RNC in reports and in the GUI

You are prompted to add additional SAI mappings.

The following is an example:

rncSaiMap add rnc_801

Add Sai Address:1234567890abc0

Add Sai Address:1234567890abcd

Add Sai Address:

OK.

Go to step 6.

5 Map multiple SAIs to an RNC ID by typing:

rncSaiMap addlist rncID saiIP1 ... saiIPx ↵

whererncID is the RNC identifier string, which identifies the RNC in reports and in the GUIsaiIP1 to saiIPx are 14 character hexidecimal strings, seperated by a space


rncSaiMap addList rnc801 1234567890abc0 ↵

6 Verify the RNC-to-SAI mapping entries by typing:

show rncSaiMap all ↵

The following is an example of the information that appears:

RNC 801

Note This procedure is optional, but is highly recommended by Alcatel-Lucent. If the RNC is not mapped to one or more SAIs using this procedure, GUI pages, real time traffic patterns, in progress sessions, and UMTS RNC-related reports for the UMTS RNCs cannot be displayed.



1234567890abc0

1234567890abcd

RNC myRNC_name_is_IH_UMTS_LAB_RNCID_532AAAAAAAAAAAAAAA

Specifying the mobile IP address range

You use the mobileIPsubnets CLI command to specify the range of IP addresses for a mobile device.

Perform Procedure 12-5 to specify the range of IP addresses for mobile devices. Alcatel-Lucent recommends that you perform this procedure when the 9900 WNG Detector deployment mode is set to SimpleIPonly, as described in Procedure 12-1.

Procedure 12-5 To specify the mobile IP address range




a Go to step 4 to specify an IP address for the mobile device.

b Go to step 5 to specify multiple IP address for the mobile device.

4 Specify an IP address for the mobile device by typing:

mobileIPSubnets add ↵

You are prompted to enter an IP address.


Add subnet: 1.1.1.1/24


Add subnet:

OK.

Go to step 6.

5 Specify multiple IP address for the mobile device by typing:

mobileIPSubnets addlist IPaddress1 IPaddress2 ... IPaddressx ↵

where IPaddress1 to IPaddressx are the list of IP address




mobileIPSubnets addlist 1.1.1.1/24, 2.2.2.2/24

6 Verify the mobile IP address entries by typing:

show mobileIPSubnets ↵

The mobile IP addresses appear.

Modifying the anomaly event throttle rate

Perform Procedure 12-6 to modify the maximum rate at which a 9900 WNG Detector sends anomaly events to the 9900 WNG Central. By default, anomaly events are throttled to the 9900 WNG Central at a maximum rate of 10 000 Kbytes/s.

Procedure 12-6 To modify the anomaly event throttle rate



3 Modify the event rate by typing:

eventrate anomalyEvents rate ↵

where rate is an integer, in kb/s

4 Verify the new event rate setting by typing:

show eventrate anomalyEvents ↵


Anomaly Events will be throttled to Central at a maximum rate of

10000 KBytes/sec.

Adding subnets to a whitelist

You use the whitelist CLI command to add subnets to the whitelist. The 9900 WNG ignores traffic from subnets that are in the whitelist. Anomaly events are not generated for subnets that are in the whitelist. You can use CLI commands to delete subnets from or to clear the whitelist. Perform Procedure 12-7 to specify the subnets that are included in the whitelist.

Procedure 12-7 To add subnets to a whitelist






a Go to step 4 to add one subnet to the whitelist.

b Go to step 5 to add multiple subnets to the whitelist.

4 Add a subnet to the whitelist by typing:

whitelist add ↵

You are prompted to add subnets.

The following is an example of the information that is displayed.


Add subnet:

successfully added subnet(s)

Go to step 6.

5 Add multiple subnets to the whitelist by typing:

whitelist addList subnet1 subnet2...subnetx ↵

where subnet1 to subnetx are the subnets to add to the whitelist. Use a space to separate the subnets.


whitelist addList 1.1.1.1/24, 2.2.2.2/24

successfully added subnet(s)

6 Verify the subnets in the whitelist by typing:

show whitelist ↵


2 whiteListedSubnets

1.1.1.1/24

2.2.2.2/24

Modifying the mobile dormancy timeout value

Perform Procedure 12-8 to specify the mobile dormancy timeout value, in s. By default, the mobile dormancy value is set to 5 s.



Procedure 12-8 To modify the mobile dormancy timeout value



3 Specify a mobile dormancy value by typing:

dormancy timeout ↵

where timeout is a value from 0 to 1000 s. The default is 5.

4 Verify the mobile dormancy timeout setting by typing:

show dormancy ↵

The following example shows a mobile dormancy timeout of 10 s:

mobileDormTimeout = 10

Specifying the VLANs from which packets are captured

Perform Procedure 12-9 to specify the VLANs from which a 9900 WNG Detector captures packets to process. You can configure a 9900 WNG Detector to process packets only from a specified VLAN or to process all packets, except the packets from specified VLANs. By default, a 9900 WNG Detector analyzes packets from all VLANs.

Procedure 12-9 To include, exclude, clear, and show VLAN IDs to process




a Go to step 4 to include VLAN IDs.

b Go to step 5 to exclude VLAN IDs.

c Go to step 6 to show VLAN IDs.

d Go to step 7 to clear VLAN IDs.

4 Specify the VLAN IDs that the 9900 WNG Detector captures packets for by typing:

captureVLAN include vlan1 vlan2 ... vlanN ↵

where vlan1 to vlanN are VLAN IDs from 0 to 4095

In the following example, the first command configures Detector99 to process only packets from VLAN IDs 15 and 95. The second command verifies the settings.

detector:detector99# captureVLAN include 15 95



Packets will only be processed from VLANs: 15 95

detector:detector99# show captureVLAN

captureVLAN include 15 95

5 Specify the VLAN IDs that the 9900 WNG Detector does not captures packets for by typing:

captureVLAN exclude vlan1 vlan2 ... vlanN ↵

where vlan1 to vlanN are VLAN IDs from 0 to 4095

In the following example, the first command configures Detector99 to ignore packets from VLAN ID 101:

captureVLAN exclude 101

All packets will be processed except from VLANs: 101

6 Display the captured packets by typing:

show captureVLAN ↵

The following shows the information that appears.

captureVLAN exclude 101

7 Clear all settings and configure the 9900 WNG Detector to process packets from all VLAN IDs by typing:

captureVLAN clear ↵

The following example clears all settings and configures Detector99 to process packets from all VLANs:

detector: detector99# captureVLAN clear

No VLAN filtering will be done, all packets will be processed

Disabling the reporting of specific anomaly eventsPerform Procedure 12-10 to disable the reporting of specific anomaly events.

Procedure 12-10 To disable the reporting of an anomaly event





3 Disable the reporting of a specific event by typing:

anomalyEventmask event_type off ↵

where event_type is one of the following values: all, alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, sigAttackSingleSrc, routerDiscoveryAbuse, or unwantedSrc.

The following example disables event generation for always active event:

anomalyEventMask alwaysActive off

Event type AlwaysActive is disabled.

4 Verify the anomaly event mask settings by typing:

show anomalyEventmask all ↵

The following example shows the information that appears.

sigAttackSingleSrc threshold 0

rncOverload threshold 0

batteryAttackSingleSrc threshold 0

portScanVert threshold 0

portScanHoriz threshold 0

alwaysActive threshold 0

highUsage threshold 0

unwantedSrc threshold 0

p2pMobile threshold 0

batteryAttackDistributed threshold 0

floodMobileSingleSrc threshold 0

floodMobileDistributed threshold 0

highSignalingSubscriber threshold 0

routerDiscoveryAbuse threshold 0

Specifying the intensity level for reporting anomaly eventsPerform Procedure 12-11 to specify the intensity level at which a 9900 WNG Detector reports an anomaly event. By default, the system reports anomaly events with intensity level greater than 0.



Procedure 12-11 To specify the intensity level for a reported anomaly event



3 Specify the intensity at which an anomaly event is reported by typing:

anomalyEventmask event_type intensity ↵

where event_type is one of the following values: all, alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, sigAttackSingleSrc, routerDiscoveryAbuse, or unwantedSrcintensity is a value from 0 to 5

The following example shows how to configure the 9900 WNG Detector to report always-active subscriber events only if the event is at intensity level 2 or higher:

detector99# anomalyEventMask alwaysActive 2

Event type AlwaysActive was previously enabled, however it is now enabled for the event intensity values above 2.

4 Verify the current settings by typing:

show anomalyEventMask all ↵

The following example shows the information that appears:

sigAttackSingleSrc threshold 0

rncOverload threshold 0

batteryAttackSingleSrc threshold 0

portScanVert threshold 0

portScanHoriz threshold 0

alwaysActive threshold 2

highUsage threshold 0

unwantedSrc threshold 0

p2pMobile threshold 0

batteryAttackDistributed threshold 0

floodMobileSingleSrc threshold 0

floodMobileDistributed threshold 0

highSignalingSubscriber threshold 0



routerDiscoveryAbuse threshold 0

Adding a detector to a 9900 WNG systemPerform Procedure 12-12 to add a detector to an existing 9900 WNG system.

Procedure 12-12 To add a 9900 WNG Detector

1 Install the 9900 WNG Detector device in an equipment rack, as described in section 4.4.

2 Connect all the necessary cables, as described in section 4.6.


4 Add a detector to the 9900 WNG Central by typing:

detector add IP_detector name group ↵

whereIP_detector is the IP address of the detectorname is the name of the specific 9900 WNG Detectorgroup is the group of the detector

5 Configure the management interface and lights-out management interface on the 9900 WNG Detector, as described in Procedure 7-2.

6 Provision NTP on the 9900 WNG Detector by typing:

ntp server add ntp-server ↵

where ntp-server is the IP address of the NTP server

7 Enable NTP on the 9900 WNG Detector by typing:

ntp enable ↵

8 If the software repository is on 9900 WNG Central, update the software on the 9900 WNG Detector by typing:

repo enable central ↵

9 Return to the 9900 WNG Central CLI by typing:

exit ↵

10 Update the 9900 WNG Detector software by typing:

update software detector name ↵

where name is the name of the 9900 WNG Detector for the updated software



Copying files from a 9900 WNG DetectorPerform Procedure 12-13 to copy configuration files from one 9900 WNG Detector to another 9900 WNG Detector in the same 9900 WNG system (that is, connected to the same 9900 WNG Central). You can use this procedure to simplify the configuration of multiple 9900 WNG Detectors.

Procedure 12-13 To copy 9900 WNG Detector configuration files to another 9900 WNG Detector


2 Copy the 9900 WNG Detector configuration file to another 9900 WNG Detector by typing:

copy detector source destination ↵

wheresource is the name of a provisioned 9900 WNG Detector from which you are copying configuration filesdestination is the name of the destination 9900 WNG Detector

3 Verify that the configuration files have been successfully copied to the destination 9900 WNG Detector by typing:


where detector_name is the name of the destination 9900 WNG Detector for the configuration file

dir ↵


appMapping.xml

lastrunning.xml

laststartup.xml

startup.xml

Deleting a 9900 WNG DetectorPerform Procedure 12-14 to administratively delete a provisioned 9900 WNG Detector.



Procedure 12-14 To delete a 9900 WNG Detector


2 Delete a 9900 WNG Detector by typing:

detector delete detector ↵

where detector is the name of a 9900 WNG Detector

3 Verify that the 9900 WNG Detector has been deleted by typing:

show detectors ↵

Only the connected and provisioned 9900 WNG Detectors appear.

12.3 9900 WNG Central optional configuration tasks

Table 12-3 lists the tasks that you can perform for the 9900 WNG Central.

Table 12-3 9900 WNG Central optional configuration tasks

Adding entries to the application map table

The application map table is used to create user-defined application configurations for reporting detailed information for system resources and performance metrics. Each application is identified by an application name. Related applications are grouped by an application category. Resource and performance for the applications appear are displayed in web reports and on the GUI, as described in Table 12-4.

Task See Procedure

To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository

9-3

To specify the NMS servers and configure SNMPv1/v2c settings 19-1

To configure SNMPv3 settings 19-2

To configure SNMP for anomaly, trend, and congestion alerts 19-14

To configure the application map table 12-15

To enable the security event manager feed 12-16

To load a saved login banner 12-17

To generate and display a public key 12-18



Table 12-4 Location of information from the application map table

Built-in Configurations

The 9900 WNG provides built-in configurations that identify the applications. Table 12-5 lists the built-in configurations and their associated category.

Table 12-5 Built-in Configurations

Default configurations

The 9900 WNG identifies applications based on a combination of server IP addresses, ports, and protocols. The 9900 WNG provides default configurations for traffic to and popular servers, such as Google, Yahoo, Apple, and Microsoft. Based on the server port, traffic to and from ther servers, the 9900 WNG provides additional classifications for the server. For example, the traffic to and from Google servers on ports 143, 110, 25, and 993 are classified as Gmail. The traffic to and from Apple servers on port 5223 are classified as Apple Push Notification, which is for Apple iPhone devices.


Web reports The Applications report provides application specific information for resources and performance metrics for subscribers, devices, RNCs, and APNs. See section 31.8 for more information.

GUI Application information appears in the following:• Top Applications tabs in the Subscriber report; see section 29.7• Flow/Session tab in the Subscriber report; see section 29.10• Top Applications tab in the Network Forensic report (detailed); see

section 25.3• Mobile Flow forensic report; see section 27.1

Note The applications cannot be removed. However, the applications can be moved to the Other category.

Built-in configuration Category

BitTorrent P2P_MOBILE

Gnutella

eDonkey

FTP FTP

VPN VPN

RTSP streaming RTSP streaming



Procedure 12-15 To configure the application map table


2 Add an application to the application map table by typing:

applicationMap add appname appcategory server_IP/server_subnet port/ANY protocol/ANY ↵

where appname is the unique name of an applicationappcategory is the application category. Application categories are used to group related application names; for example, IMAP, POP3, and SMTP can be classified as e-mail.server_IP/server_subnet port is an IP address or subnet, expressed in the format AAA.BBB.CCC.DDD or AAA.BBB.CCC.DDD/n (a subnet), and each part is a value from 0 to 255 and and n is the number of bits in the network prefix.port is the server port number or use ANY if the port number is not known.protocol is the protocol name or number; for example, TCP or 6. If the protocol is not known, use ANY

Go to step 3 to delete an application from the application map table.

Go to step 4 to update an application name or application category from the application mapping by typing

Go to step 5 to import multiple applications.

3 Delete an application from the application mapping by typing

applicationMap delete all/appname/appcategory ↵

where all/appname/appcategory is all applications, an application name, or application category

4 Update an application name or application category from the application map table by typing:

applicationMap update appname/appcategory new_appname/new appcategory ↵

whereappname/appcategory is an application name or application categorynew_appname/appcategory is the new name of the application category

Note Application reports can be generated using the appname or appcategory.



5 Import multiple applications by performing one of the following:

a Import multiple application configurations from a CSV file using SCP by typing one of the following:

applicationMap import add scp user@host:/path ↵

applicationMap import replaceall scp user@host:/path ↵

where user@host:/path is the location of the file in the local or remote host

b Import multiple application configurations from a CSV file that is on a USB disk by typing one of the following:

applicationMap import add usb filename ↵

applicationMap import replaceall usb filename ↵

where filename is the name of the file on the USB to be imported

For example, the following commands create a WEB category for all traffic that goes to 2 WAP proxies and to a class C subnet that contains the customer portal web servers, which is accessed through https (port 443) and http (port 80):

applicationmap add wapproxy01 WEB 1.1.144.144 ANY TCP ↵

applicationmap add wapproxy02 WEB 1.1.144.145 ANY TCP ↵

applicationmap add customerportal WEB 1.1.212.0/24 443 TCP ↵

applicationmap add customerportal WEB 1.1.212.0/24 80 TCP ↵

The following are examples of commands to create a Blackberry category for three Blackberry servers:

applicationmap add blackberry01 Blackberry 1.1.1.140 15771 ANY ↵

applicationmap add blackberry02 Blackberry 1.1.145.141 15771 ANY ↵

applicationmap add blackberry03 Blackberry 1.2.145.142 ANY ANY ↵

6 Verify the application map entries by typing:

show applicationMap all ↵

The following appears:

appname category server_ip port protocol

------------------------------------------------------------------------

Note The CSV files must use the following format:

appname,appcategory,server_ip/subnet,port,protocol



FTP.inferred OTHER ANY ANY ANY

VPN VPN ANY ANY ANY

rtsp-streaming RTSP-streaming ANY ANY ANY

P2P:Gnutella P2P_MOBILE ANY ANY ANY

P2P:Edonkey P2P_MOBILE ANY ANY ANY

P2P:Bittorrent P2P_MOBILE ANY ANY ANY

See Application configuration priority rules in this section for information about how the 9900 WNG determines which configurations in the application map table to use.

Application configuration priority rules

The following are the rules for configurations in the application map tables:

1 When there are two application configurations with server_ip/subnets, the application configuration that has a more specific network prefix has the higher priority.

Using the following two application mappings, appname2 has the higher priority because appname2 has a larger network prefix and any traffic to or from 10.1.1.X maps to appname2. Traffic to or from 10.1.Y.Z is mapped to appname1:

appname1 appcategory1 10.1.0.0/16 ANY ANY


2 When there are two application mapping with the same server_ip/subnet, but one application mapping uses ANY for a generic port and another application mapping uses a specific port number, the application mapping with the specific port number has a higher priority.

Using the following two application mappings, appname3 has the higher priority. All traffic to 10.1.1.X to and from port 80 are mapped to appname3 and traffic to the other ports are mapped to appname2.


appname3 appcategory2 10.1.1.0/24 80 ANY

Enabling the security event manager feed

Procedure 12-16 describes how to enable the security event manager feed.



Procedure 12-16 To enable the security event manager feed


2 Enable the security manager feed by typing:

securityMgrFeed enable ↵

Loading a saved login banner

Procedure 12-17 describes how to load a saved login banner.

Procedure 12-17 To load a saved login banner



a Go to step 3 to load the banner from the USB.

b Go to step 4 to load the banner from the SCP.

3 Load the banner from the USB by typing:

load banner usb ↵

The banner is loaded from the /banner directory on the USB.

4 Load the banner from the SCP by typing:

load banner scp_location ↵

where scp_location is the location of the SCP

The banner is loaded from the SCP.

Generating a public key

You can use the 9900 WNG CLI to generate and display a public key for your account. You can register your public key with a remote server to validate your login; for example, by adding it to the ~.ssh/authorized_keys file, which eliminates the need to provide a password when you manage files at that location. The tasks you can accomplish using your public key depend on your network configuration and operating systems. Procedure 12-18 describes how to generate and display your public key.



Procedure 12-18 To generate and display a public key


2 Generate a public key for your account by typing:

genPublicKey ↵

3 Display the public key by typing:

show publickey ↵

4 Record the public key or copy it to a secure location.


Internal and external interfaces

13 Interfaces overview 13-1

14 CLI 14-1

15 PC client installation 15-1

16 GUI 16-1

17 9900 WNG Central webpage 17-1

18 BMC 18-1

19 SNMP 19-1

20 Motive API 20-1



13 Interfaces overview

13.1 Interfaces overview 13-2

13.2 Logging in to 9900 WNG interfaces 13-3



13.1 Interfaces overview

Table 13-1 describes the interfaces that can be used to configure, monitor, and control NEs and their managed resources.

Table 13-1 9900 WNG interfaces

Figure 13-1 shows the 9900 WNG components and the associated interfaces.

Interface Description See chapter

Internal

Central webpage

The 9900 WNG Central webpage and related pages provides access to 9900 WNG reports and to the GUI.

17

GUI The 9900 WNG EMS is a software application that resides on the 9900 WNG Central. The 9900 WNG EMS manages the 9900 WNG components including the 9900 WNG Central itself and the 9900 WNG Detectors.The 9900 WNG GUI is a graphical user interface developed to support all OA&M activities on the 9900 WNG system. The EMS user interface supports fault management, configuration management, performance management, security management, and system administration. 9900 WNG Central displays key information on the GUI in real time.

16

CLI The CLI provides a text-based command interface for issuing 9900 WNG OA&M commands on 9900 WNG Central and Detector.

14

External

BMC The 9900 WNG system supports basic BMC functionality, which is a location-independent remote access to the 9900 WNG Central and Detector, to respond to critical incidents and to perform maintenance. Both the 9900 WNG Central and Detector include a hardware module that provides the BMC functionality. The BMC module is independent of the server and it connects to the network on an independent Ethernet connection. If the 9900 WNG Central or Detector is out of service, the module can support remote system operations.You can use the BMC to:• view the server hardware status from a remote location• turn on, turn off, or reset the server from the remote location

18

SNMP The 9900 WNG Central supports the following SNMP commands:• GET• SET• TRAP

All SNMP interactions with the 9900 WNG Detector use the 9900 WNG Central. The 9900 WNG Central supports SNMP version v1, v2c, and c3 and can be configured for any of these versions. The 9900 WNG Central generates SNMP traps to integrate with a northbound network interface management functions from a bidirectional monitoring, control, and management interface.

19

Motive API Motive is an Alcatel-Lucent product that provides a unified care environment for end-to-end visibility of the network with automated problem analysis and resolution.

20

NMS The NMS is a combination of hardware and software used to monitor and administer a network. Network management functions include activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of a network system. The NMS receives SNMP traps from the 9900 WNG Central.



Figure 13-1 9900 WNG interfaces

13.2 Logging in to 9900 WNG interfaces

Table 13-2 where to find information about how to log into each interface.

Table 13-2 Logging in procedures for 9900 WNG interface

Interface See Procedure

Central webpage 17-1

GUI 16-1

CLI 14-1 to 14-3




14 CLI

14.1 CLI overview 14-2

14.2 Logging in to the CLI 14-6

14.3 Changing modes and target servers 14-8

14.4 CLI command syntax 14-12

14.5 CLI navigation tips 14-12

14.6 CLI commands 14-14

14 CLI


14.1 CLI overview

The CLI provides a text-based command interface for performing 9900 WNG OA&M commands on the 9900 WNG Central and Detector including:

Accessing the 9900 WNG Central and DetectorYou can access the 9900 WNG Central and Detector using the 9900 WNG Central CLI. The privileges for the CLI role are:

• sudo • admin• user

There modes that are used to execute CLI commands are:

• user• enable• sudo

To execute a CLI command, you need the appropriate privilege. Users can switch modes, if their privilege allows switching modes. After you log in to the 9900 WNG Central, you can change your privilege, or move from the 9900 WNG Central to a 9900 WNG Detector in any mode. See “Changing modes and target servers” in this section for more information.

Table 14-1 lists where to find more information about CLI procedures.

Table 14-1 CLI information

• user administration• process management (start, stop,

and restart)• backup and restore• loading license• viewing log file• detector configuration parameters

• detector detection parameters• detector configuration management• central configuration• software upgrade• SNMP configuration• report deletion• Motive customer care


Roles CLI roles, privileges, and modes in this section

Privileges

Modes

Changing modes Changing modes and target servers in this section

Changing target servers

CLI prompts CLI prompts in this section

(1 of 2)

14 CLI


CLI roles, privileges, and modes

Table 14-2 describes the privileges that can be used in the CLI.

Table 14-2 CLI roles

Table 14-3 lists how each privilege maps to a mode. Your privilege determines the CLI commands that you can execute. See “Changing modes and target servers” in this section for more information.

Table 14-3 CLI privileges and modes

Log in to the CLI on the 9900 WNG Central Section 14.2

Log in to the CLI on the 9900 WNG Detector

Change privileges in the CLI Section 14.3

Change from the 9900 WNG Central or Detector in the CLI

CLI command syntax Section 14.4

CLI navigation tips Section 14.5

CLI commands Section 14.6


(2 of 2)

Privilege Description

sudo Access to commands that require the highest level of server privileges, which includes:• UNIX type commands

• shutdown• reboot• user add, delete, and modify• NTP configuration

• backup, restore, add, or delete a 9900 WNG Detector• start, stop, and restart application processes• software upgrade commands

admin Access to the user and enable levels of the CLI, which includes configuration of the 9900 WNG Central and Detector

user Access to only the user-level CLI commands, which are mainly read-only commands

reportonly Access to only the change password CLI command. The account in the CLI is used to create the Reports role, which provides access to reports.

demoony Access to only the user level CLI commands, which are mainly read-only commands. The GUI does not display IP addresses for the demoonly role.

Privilege Mode

sudo enable admin

sudo

(1 of 2)

14 CLI


Changing modes and target servers

Each privilege and the mode that is associated with the CLI command determines the CLI commands that you can use. See section 14.6 for information about the CLI commands for each privilege.

To navigate to different modes, you need the appropriate privileges, as listed in Table 14-3. A user with the sudo privilege can access all of the modes; a user with the user privilege can access only the user mode. The user cannot move up to the admin or sudo mode. You can only move up or down one mode level at a time, as shown in Figure 14-1. For example, to move from sudo mode to the user mode, you must move from the sudo mode, to the enable mode, and then to the user mode. See Procedure 14-4 for information about how to change modes.

Figure 14-1 Changing modes

You can change from the 9900 WNG Central to a 9900 WNG Detector or change from a 9900 WNG Detector to the 9900 WNG Central. You must use two separate CLI commands to change your mode and target server. Figure 14-2 shows the commands that are required to move between modes and target servers. Table 14-4 lists the modes and whether you can move up or down on the 9900 WNG Central or Detector, if you have the required privilege. The prompts identify your location and mode, as listed in Table 14-5. Table 14-7 lists where to find information about how to change modes and target servers.

admin

user

Privilege Mode

sudo enable admin

(2 of 2)

21171

Centralmode

Detectormode

Detectorenable mode

Detectormode

Centralenable mode

Centralmode

14 CLI


Figure 14-2 CLI commands to move between modes and target servers

Table 14-4 CLI modes

CLI prompts

The CLI prompt indicates your privilege level and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5.

Table 14-5 CLI prompts

See section 14.3 for information about how to change roles and target servers.

CLI timeout

When you are logged in to 9900 WNG Central or Detector using the CLI, you are logged out from the CLI session after one hour of inactivity. See section 14.2 for information about how to log in to the CLI.

Mode User Enable Sudo

User Up

Enable Down Up

Sudo Down

Account 9900 WNG Central prompt 9900 WNG Detector prompt

sudo central:sudo# detector:detector_name:sudo#

admin central# detector:detector_name#

user central> detector:detector_name>

21172

central>

enable exit

sudo exit

enable

detector name

central

detector name

central

detector name

central

exit

sudo exit

detector:name>

detector:name#

detector:name:sudo

central#

central:sudo#

14 CLI


14.2 Logging in to the CLI

Table 14-6 lists where to find information about how to log in to the CLI on the 9900 WNG Central and Detector.

Table 14-6 CLI log in procedures

Logging in to the CLI on the 9900 WNG CentralPerform Procedure 14-1 to log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform. To log in to the CLI, you must have a user, admin, or sudo role, and an SSH client.

Perform Procedure 14-2 to access the CLI on the 9900 WNG Central using the GUI.

Procedure 14-1 To log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform using SSH


a To log in from a UNIX platform, open a terminal window and type:

ssh user@hostname ↵

whereuser is your 9900 WNG usernamehostname is the host name of the 9900 WNG Central server

The CLI prompt indicates your mode and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5. By default, you are logged in to the 9900 WNG Central with the user mode. Go to step 3.

b To log in from a Windows platform, use the information that is included with your SSH client to open a connection to the 9900 WNG Central server. Go to step 2.

2 Enter your password when prompted.

To See Procedure

9900 WNG Central

To log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform using SSH

14-1

To log in to the CLI on the 9900 WNG Central from the GUI 14-2

9900 WNG Detector

To log in to the CLI on the 9900 WNG Detector 14-3

Note To log in to the CLI, you must have a user, admin, or sudo privilege.

14 CLI



a To switch to the enable mode, go to step 4.

b To switch to the sudo mode, go to step 5.

4 Change to the enable mode by typing:

enable ↵

Go to step 6.

5 Change to the sudo role by typing:

enable ↵

sudo ↵

6 To display commands that are available for your role, enter a question mark (?). If you have an admin or user role, you can perform higher level roles in the CLI, as described in Procedure 14-4.

You can access CLI command on the 9900 WNG Detector, as described in Procedure 14-3.

Procedure 14-2 To log in to the CLI on the 9900 WNG Central from the GUI

1 Start the 9900 WNG Central GUI from the 9900 WNG Central webpage, as described in Procedure 17-1. The 9900 WNG Central GUI appears.

2 Double-click on CLI from the navigation tree. When you access the CLI from the GUI for the first time, a message warning that the authenticity of the host cannot be established may appear. Click on the Yes button to continue. The CLI window appears. You are logged into the 9900 WNG Central with the user mode.

The CLI prompt indicates your mode and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5. See step 3 in Procedure 14-1 for information about how to access the sudo and admin privileges.

If you have an admin or sudo privilege, you can assume higher-level modes on the CLI, as described in section 14.3. To display commands that are available to your role, enter a question mark (?).

Accessing the CLI on the 9900 WNG DetectorPerform Procedure 14-3 to log in to the CLI on the 9900 WNG Detector.

Note To log in to the CLI, you need a user account on the 9900 WNG Central.

14 CLI


Procedure 14-3 To log in to the CLI on the 9900 WNG Detector

1 Log in to the CLI for the 9900 WNG Central, as described in Procedure 14-1 or 14-2.

2 Log in to a 9900 WNG Detector by typing:


where detector_name is the name of a 9900 WNG Detector

14.3 Changing modes and target servers

You can switch modes to move up or down a level or switch from the 9900 WNG Central to a 9900 WNG Detector in any mode. Table 14-7 lists where to find the procedures to change your mode, target server, or your mode and target server.

Table 14-7 Changing modes and target servers procedures

Procedure 14-4 To change your mode on the 9900 WNG Central or Detector

See Table 14-4 for the mode levels and whether you can move up or down a level.

1 Log in to the 9900 WNG Central, as described in Procedure 14-1 or 14-2.


a Go to step 3 to change from the user to the sudo mode on the 9900 WNG Central.

b Go to step 4 to change from the user to the sudo mode on a 9900 WNG Detector.

c Go to step 5 to change from the sudo to the user mode on the 9900 WNG Central, change from the sudo to the user mode on a 9900 WNG Detector, or move to the mode one level down from your current mode.

3 Change from the user to the enable mode on the 9900 WNG Central by typing:

enable ↵

sudo ↵

The following prompt appears:

Task See Procedure

To change your mode on the 9900 WNG Central or Detector 14-4

To change target servers at the same mode 14-5

To change your mode and target server 14-6

14 CLI


central:sudo#

Go to step 5.

4 Change from the user to the enable mode on the 9900 WNG Detector by typing:

enable ↵

sudo ↵

The following prompt appears:

detector:detector_name:sudo#


Go to step 5.

5 To move to the mode one level down from your current mode, type:

exit ↵

The following is an example of how to change from the sudo mode to the user mode on the 9900 WNG Central:

Central:sudo# exit

Central# exit

Central>

The following is an example of how to change from the sudo mode to the user mode on the 9900 WNG Detector:

detector:detector_name:sudo# exit

detector:detector_name# exit

detector:detector_name>


Procedure 14-5 To change target servers at the same mode



a Go to step 3 to change from the 9900 WNG Central to a 9900 WNG Detector.

b Go to step 4 to change from the 9900 WNG Detector to a 9900 WNG Central.

14 CLI


3 Change from the 9900 WNG Central to a 9900 WNG Detector at the same mode by typing:


where detector_name is the name of the 9900 WNG Detector that you need to access

4 Change from the 9900 WNG Detector to a 9900 WNG Central at the same role level by typing:

central ↵

Procedure 14-6 To change your mode and target server



a Go to step 3 to change from the 9900 WNG Central to a 9900 WNG Detector in a different mode.

b Go to step 4 to change from a 9900 WNG Detector to a 9900 WNG Central in a different mode.

3 Change from the 9900 WNG Central to a 9900 WNG Detector at a different mode by performing one of the following:

a Change to the mode that you need on the 9900 WNG Central and then change to the 9900 WNG Detector by typing:


where detector_name is the name of the 9900 WNG Detector

The prompt that appears depends on your mode; see Table 14-5.

The following is an example of switching from the sudo mode on the 9900 WNG Central to the user mode on the 9900 WNG Detector:

central:sudo# exit

central# exit

central> detector detector_name



b Change to the 9900 WNG Detector and then the mode that you need on the 9900 WNG Detector by typing:



14 CLI


The following is an example of switching from the sudo mode on the 9900 WNG Central to the user mode on the 9900 WNG Detector:

central:sudo# detector detector_name

detector:detector_name:sudo# exit

detector:detector_name# exit



4 Change from a 9900 WNG Detector to the 9900 WNG Central in a mode by performing one of the following:

a Change to the mode that you need on the 9900 WNG Detector and then change to the 9900 WNG Central by typing:

central ↵

The prompt that appears depends on your mode; see Table 14-5.

The following is an example of switching from the user mode on the 9900 WNG Detector to the sudo mode on the 9900 WNG Central.

detector:detector_name> enable

detector:detector_name# sudo

detector:detector_name:sudo# central

central:sudo#


b Change to the 9900 WNG Central by typing:

central ↵

Change to the mode that you need on the 9900 WNG Central.

The following is an example of switching from the user mode on the 9900 WNG Detector to the sudo mode on the 9900 WNG Central:

detector:detector_name> central

central> enable

central# sudo

central:sudo#


14 CLI


14.4 CLI command syntax

The following conventions are used to describe the syntax of the CLI commands:

• Parameters appear in italics and represent one or more additional inputs that must be included in the command. Commands are listed alphabetically in a table.

• Braces enclose two or more choices that are separated by the pipe symbol (|). Enter only one of the choices as part of the command. Choices can include parameters.

• Brackets [] enclose optional input. Optional input can include parameters and choices. If brackets [] enclose two or more words that are separated by the pipe symbol (|), the input is optional and you enter only one of the choices as part of the command.

The following is an example of the user add syntax:

user add id password [cli role] [firstname] [lastname]

14.5 CLI navigation tips

This section describes navigation tips and shortcuts that you can use when you are using the CLI.

Displaying available commandsTo display the commands that are available to your login account when you logged into 9900 WNG Central or Detector, enter ?.

The following example shows the commands available for the admin login account on 9900 WNG Central:

central>

# comment

detector enter into detector mode

enable enter privileged mode

exit logs out of CLI

history display the current session's command

line history

logout logout of the command line interface

paging paging settings

ping four ICMP pings

show system information

user change password of current user

14 CLI


central# ?

# comment

applicationMap application Mapping

copy copy command

detector enter into detector mode

disable disabled view

exit exit this level

history display the current session's command line history

load load command

logout logout of the command line interface

paging paging settings

ping four ICMP pings

securityMgrFeed security Event Manager Enabling/ Disabling

show system information

snmpAgent snmp agent settings

sudo enter the root mode

user change password of current user

Using shortcuts

When you enter a command, you can type just enough characters to specify a unique string. The system fills in the rest of the name automatically.

For example, to enter the history command, you only need to type h and then press the Enter key:

central# h

1 enable

2 sudo

3 history

The shortcut applies only to command names and arguments; it does not apply to created variables, such as detector names, IP addresses, or accounts.

14 CLI


Command completion

You can enter a unique string from the name of the command, then press the Tab key and the system completes the command name or argument. The following example shows how the system completes the command when you enter rnc and then press the Tab key:

detector: central# rncP + Tab key

detector: central# rncPcfMap

When you press Enter, the system displays the options for the rncPcfMap command

detector:detector99# rncPcfMap

add addList clear delete deleteList

Scrolling through commandsYou can use the up and down arrow keys on your keyboard to display previously entered commands. To reenter a command that you have previously entered, press the Enter key.

Paging through the CLI outputBy default, paging is enabled on the CLI. When the output of a command spans several pages, you can press the space bar on the keyboard to display the next page.

If paging is disabled on your system, you can enable it on 9900 WNG Central by typing the following command:

central# paging enable ↵

You can disable the paging command by typing:

paging disable ↵

14.6 CLI commands

Table 14-8 lists the 9900 WNG CLI commands, their associated privilege, and how to use them. See Table 9-2 for CLI upgrade commands, See section 14.4 about command syntax.

Table 14-8 CLI commands

Command Privilege Description See

Detector Central

user

adm

in

sudo

user

adm

in

sudo

# comment Enter a comment after the #

(1 of 24)

14 CLI


anomalyEventmask anomalyEventType intensity

Sets the intensity for the specific anomaly event. The values for intensity are 0 to 5. The list of anomalyEventType is:• all (used to set the intensity setting for all

the anomaly events) • alwaysActive • batteryAttackDistributed• batteryAttackSingleSrc • floodMobileDistributed• floodMobileSingleSrc• highSignalingSubscriber• p2pMobile • portScanHoriz • portScanVert • rncOverload • routerDiscoveryAbuse• sigAttackSingleSrc • unwantedSrc

See Procedure for more information about how to set the intensity for the specific anomaly event.

Procedure 12-11

api add subnet <subnet> Adds subnets for Motive API access Procedure 20-4

api add user <id> <password>

Adds Motive API users Procedure 20-1

api delete subnet <subnet>

Deletes the Motive API subnet Procedure 20-5

api delete user <id> Deletes Motive API users Procedure 20-2

api deleteList subnet Deletes the list of Motive API subnets Procedure 20-5

applicationmap add appname category server_ip port protocol

Adds a new application mapping Procedure 12-15

applicationmap delete all Interactively selects and deletes the application mapping entries

applicationmap delete appname appname

Deletes the application mapping for a specific application name

applicationmap delete category category

Interactively selects and deletes the application mapping entries in a specific category

Procedure 12-15

applicationMap push Sends the current application mapping settings to all of the 9900 WNG Detectors

Procedure 12-15


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(2 of 24)

14 CLI


applicationmap import import add | replaceAll usb | scp source

Uploads the application mappings in bulk from a fileadd option adds application mappings without changing the existing mappingsreplaceAll removes all of the existing mappings and adds the mappings that are in the filesource defines the file containing the application mapping records. The file can be imported through scp or usb. The imported file is parsed before the mappings are loaded in the system and if it has syntax errors, out of range/invalid data, duplicate records, appnames or serverIP, port, protocol combinations, an error message is generated and the command exits without adding any mapping.The file is in the CSV format.

Procedure 12-15

applicationmap update category curappname category

Changes the category setting for an existing application map entry

autoDetectMobilesFrom AAA [enable | disable]

Enables or disables the autoDetectMobilesFromAAA

backhaulTracking clear Resets the peak backhaul number

backup [all|config|security|db|logs|reports|license] [usb|scp location]

Backs up the 9900 WNG Central, which includes the following:• configuration files• security files• database• logs• reports• license files

Procedure 39-1

backup detector detector-id

Backs up a specific 9900 WNG Detector Procedure 39-5

backup incremental scp <location> | usb

Creates incremental backups in a specified location

Procedure 39-2

captureFilter expression expression

Sets the expression to filter capture packets

captureVLAN clear Clears the VLAN Procedure 12-9

captureVLAN exclude vland1 vlan2 ... vlanN

Sets the list of VLAN IDs that do not have their packets capturedvlan1...N = string with maximum 50 characters

Procedure 12-9

captureVLAN include vland1 vlan2 ... vlanN

Sets the list to VLAN IDs that have their packets capturedvlan1...N = string with maximum 50 characters

Procedure 12-9


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(3 of 24)

14 CLI


CDMAdeviceMode manufacturerOnly | ranges | list

Specifies the CDMA device mode. The options are:• manufacturerOnlythe exact model of

CDMA device cannot be determined• rangesrequires an import of MEID/ESN and

the manufacturer and model for each range block. The same manufacturer and model device type may contain several blocks. The pESN resolution cannot be displayed.

• listrequires an import of each instance of device that contains a mapping of ESN or MEID to the manufacturer and model. The known subscriber NAI for the device can be optionally imported for resolving pESN hash conflicts for improved accuracy of pESN reporting. The list may also optionally contain the following:• Device Category, such as Data Card,

Smartphone, or WAP phone • Device OS, such as Blackberry, Android,

AppleOS, Symbian, or PalmOSThe Device Category and Device OS values can be determined by the service provider.

clearBatchDBcounts Resets failure counts

clearDroppedPacketCount Clears the dropped packet count that is kept in the 9900 WNG Detectors

clearMaxSubscriberSessionCount

Resets the high water mark for the license

copy Saves configuration to a file. The options are:• copy file file1 file2 (copies file1 to file2)• copy running to file2 (saves running

configuration to file2)• copy startup running (loads startup.xml and

makes it running configuration)• copy startup to file2 (saves startup.xml to

file2)

Procedure 12-13

copy detector source destination

Copies a 9900 WNG Detector configuration to another 9900 WNG Detector

Procedure 12-13

copyDetectorConfig usb|scp| source

Copies the configuration file to the 9900 WNG Detector

Procedure 12-13


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(4 of 24)

14 CLI


date date Sets the system date.date = mmddHHMMCCYYwhere• mm = minute• CC = century• YY = year

Example:070823592008 sets the date to: Tue Jul 8 13:30:00 EDT 2008

DBflushHosts Deletes all of the database host data

delete config_file_name Deletes a specific configuration file. The startup configuration file cannot be deleted.

delete language gui <filename>

Deletes the language resource file

deploymentMode [SimpleIPOnly | MobileIPOnly | SimpleIPOnlyandMobileIPOnly

Sets the deployment mode for the 9900 WNG Detector to SimpleIP, MobileIP , or both

Procedure 12-1

detectionThresholds eventype threshold1 [threshold2] [threshold3] [threshold4] [threshold5]

Sets the event intensity thresholds values for a specific event type:• alwaysActivepermitted values: 0.0-1.0• batteryAttackSingleSrcpermitted values:

0.0-1.0• batteryAttackDistributedpermitted

values: 0.0-1.0• floodMobileDistributedpermitted values:

0.0-1.0• floodMobileSingleSrcpermitted values:

0.0-1.0• highSignalingSubscriberpermitted values:

0..10000• highUsagepermitted values: 0..100000000• p2pMobilepermitted: values 0..1000• portScanHorizpermitted values: 0..1000• portScanVertpermitted values: 0..1000• rncOverloadpermitted values:

0..10000000• routerDiscoveryAbusepermitted values:

0..100• sigAttackSingleSrcpermitted values:

0..1000• unwantedSrcpermitted values:

0..500000000

detector Starts the CLI for a 9900 WNG Detector

detector add [ipaddress] detectorname detectorgroup

Provisions a specific 9900 WNG Detector Procedure 7-4


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(5 of 24)

14 CLI


detector delete detectorname

Deletes a specific 9900 WNG Detector Procedure 12-14

diff file1 file2 Displays the difference between two configuration files.• diff running startupthe difference

between running and startup configuration• diff startup lastrunningthe difference

between startup and lastrunning configuration

• diff test1.xml test2.xmlthe difference between test1.xml and text 2.xml

dir Lists the name of the existing configuration file on the 9900 WNG Detector

disable Returns to user mode from privileged mode

dormancy timeout Sets the Mobile dormancy timeout. The values are 0 to 1000.

Procedure 12-8

enable Enters the privileged mode

eventmask eventype [enable|disable]

Sets the mask value for the awareness events that are provided by eventype. The values for eventype are:• a11SessionUpdate• detectorTrafficUpdate• gtpSessionUpdate• HATrafficUpdate• mipSessionUpdate• MobileFlow• PDSNTrafficUpdate• RNCLoad• radiusSessionUpdate• subscriberSession • hopTrafficUpdate• pathTrafficUpdate• ranapSessionUpdate

eventrate anomalyEvents rate

Sets the send rate for anomaly events Procedure 12-6

eventrate awarenessEvents rate

Sets the send rate for awareness events

exit Next lower access level

grep log central-err <pattern>

Determines if there is pattern in the 9900 WNG Central error log

grep log compression <pattern>

Determines if there is a pattern in the compression log


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(6 of 24)

14 CLI


export log logname user@host:/path

Exports the various log files that can be viewed from the CLI to an external hostFor the 9900 WNG Central view, the values for logname are:• gui• audit• webaccess• syslog• system

For the 9900 WNG Detector view, the values for logname are:• detector• syslog

grep applicationMap <pattern>

Displays the application mapping that meet the specific pattern

grep log audit|central|detector| gui|syslog|systemEvents|webAccess pattern

Searches for a pattern in logging details:• grep log audit patternsearch for pattern in

CLI logging details• grep log Central patternsearch for pattern

in Central logging details• grep log detector patternsearch for

pattern in Detector logging details• grep log gui patternsearch for pattern in

GUI logging details• grep log syslog pattern search for pattern

in Syslog logging details• grep log systemEvent patternsearch for

pattern in system event logging details• grep log webAccess patternsearch for

pattern in web access logging details

grep log database <pattern>

Searches for a pattern in the database log

grep log ipmi <pattern> Searches for BMC details that have a specific pattern

grep log motive <pattern> Searches for a pattern in the motive log

grep rncLaiMap <pattern> Displays the RNC-LAI mapping that has a specific pattern

grep rncPcfMap <pattern> Displays the RNC-PCF mapping that has a specific pattern

Procedure 12-3

grep rncSaiMap <pattern> Displays the RNC-SAI mapping that has a specific pattern

Procedure 12-4

grep users <pattern> Displays the users that have a specific pattern Procedure 36-13

guiDisconnect all | user user [clean | noclean]

Disconnects a specified user or all the connected GUI sessions. The clean option is used in upgrades to disconnect the existing sessions and reload the new configuration.

Procedure 36-10


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(7 of 24)

14 CLI


history Displays the history of the CLI commands that were used by the logged in account

idleTimeout GUI | web <timeout>

Specifies the idle timeout for GUI and web users that have not had activity in a specified amount of time. The default is 0.Alcatel-Lucent recommends the timeout is set to a value that is greater than or equal to one day and the timeout can match any network timeout for subscriber sessions.

Procedure 36-9

ignoreDNSPackets enable | disable

Specifies whether DNS packets are ignored

install software central packageName

Installs a specific software package on a 9900 WNG Central

install software detector detectorName packageName

Installs a specific software package on a specific 9900 WNG Detector

load deviceTable umts | cdmaList | cdmaRange scp location | usb filename

Reload the device tables in different modes

load language gui scp <location> | usb <filename>

Loads the GUI language resource file. Procedure 16-3

load load banner [usb | scp location]

Loads a banner file. By default, the default banner file is loaded. The options are:• load from usb /banner directory• copy using scp

Procedure 12-17

load license [usb | scp location]

Loads the license file Procedure 6-2

load providerTable scp <location> | usb

Loads the providerTable from provider_ip_map.sql.bz2 to the specified location

load reportPackage [usb | scp location]

Imports the report package using a USB or SCP

load userguide [usb | scp location]

Imports the updated customer documentation using a USB or SCP

logLevel Specifies the log level value. The values are:• emergsystem is unusable• alertaction must be take immediately• critcritical conditions• errerror conditions• warningwarning conditions• noticenormal, but significant, conditions• infoinformational message• debuggingdebug-level message

logout Logs out of the CLI


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(8 of 24)

14 CLI


lossRateThreshold intensity value

Specifies the loss rate threshold for the specific intensity level

mobileIPSubnets add Prompts you to enter Mobile IP subnets one at a time. Press Enter to end the input.

Procedure 12-5

mobileIPSubnets addList subnet [subnet...]

Adds the listed subnets to the existing list of Mobile IP subnets

Procedure 12-5

mobileIPSubnets clear Clears all of the Mobile IP subnets

mobileIPSubnets delete subnet

Deletes the subnets from the existing list of Mobile IP subnets

mobileIPSubnets deleteList

Deletes the listed subnets from the existing list of Mobile IP subnets

module a11 | gtpc | radius | mobileip enable | disable

Enables or disables various signaling decoder modules

moduleCounts gtpc | mobileip clear

Resets the gtpc or mobileip module counters

more config_file_name Displays the information contained in a specific configuration file

ntp disable Disables NTP service

ntp enable Enables NTP service Procedure 7-3

ntp server add Specifies the IP address of NTP servers Procedure 7-3

ntp server delete ip_address

Removes a server IP address from the list of configured NTP servers

packetCounts clear Resets all of the packet counts

paging disable Disables paging

paging enable Enables paging

peakLineRates clear Resets the peak line rate history for the 9900 WNG Detector traffic feed inputs

ping ip_address Displays the reachability status of a machine

repo disable central Disables the 9900 WNG Central repository

repo disable external Disables the external repository

repo disable local Disables the local repository

repo enable central Enables the 9900 WNG Central repository Procedure 9-3

repo enable external Enables the external repository Procedure 9-4

repo enable local Enables the local repository


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(9 of 24)

14 CLI


repo import scp [package] Imports a repository on the 9900 WNG Central using SCP. To import only a specific package, replace package with a package name. If you do not provide an optional package name, all of the packages with the specific package name are imported.

Procedure 9-3

repo import usb [package] Imports a repository on the 9900 WNG Central using a USB device. To import only a specific package, replace package with a package name. If you do not provide an optional package name, all of the packages with the specific package name are imported.

Procedure 9-3

repo mount Mounts a repository from a USB device Procedure 9-5

repo proxy clear Deletes proxy server details

repo proxy set proxyServer port

Specifies the proxy server details

repo setExternal URL Specifies the repository to the external yum repository

Procedure 9-4

repo unmount Unmounts a repository

reports billingValidationMinimumBytes value

Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. The setting prevents reporting on sessions with relatively small amounts of data. Replace value with a number from 0 to 2147483647.

reports billingValidationDifferenceThre value

Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. This prevents reporting on sessions with relatively small amounts of data. value is a number from 0 to 2147483647.

reports delete [all | date date | between startdate endate]

Deletes reports. The options are:• delete all reports • delete reports of a particular day • delete reports between start date to end

date

reports maxReportableRealms realm

Specifies the maximum number of realms or APNs that are reported separately in realm-based generated reports. realm is a value from 1 to 100. The top MaxReportableRealms are used in the report. If the value of MaxReportableRealms is greater than the number of detected realms, all of the realms are reported.


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(10 of 24)

14 CLI


restore [all| config| security|db|logs|reports|license] [usb|scp location]

Restores 9900 WNG information, which incudes:• configuration files• security files• database• logs• reports• license files

restore detector detector-id

Restores a 9900 WNG Detector Procedure 39-6

rncLoadThreshold clear all Resets all of the RNC load threshold values to the default values

rncLoadThreshold clear rncid rncid

Resets the RNC load threshold values for the specific RNC ID to the default.rncid = string with maximum of 50 characters

rncLoadThreshold set rncid value1 value2 ... valueN

Specifies the RNC load threshold values for the specific RNC ID. Enter the threshold values in one line, each separated by space.rncid is a string of up to 50 charactersvalue1 ... valueN is an integer between 0 and 10 000 000

Procedure 12-2

rncPcfMap add rncId Adds a list of RNC-PCF address mappings. Enter the address list all in one line, each separated by a space

Procedure 12-3

rncPcfMap addList rncId pcfIP [pcfIP...]

Adds a list of RNC-PCF mappings inputted sequentially

Procedure 12-3

rncPcfMap clear all Clears all of the RNC-PCF mapping

rncPcfMap clear rncId Clears the RNC-PCF mapping for the specific RNC

rncPcfMap delete rncId pcfIP pcfIP

Deletes a list of RNC-PCF address mappings. Enter the addresses in one line, each separated by a space)

rncPcfMap deleteList rncId

Deletes one or more RNC-PCF mapping for a specific RNC


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(11 of 24)

14 CLI


rncPcfMap import scp|usb source

Uploads, in bulk, the RNC-PCF mappings from a file through SCP or USB. The imported file is parsed before the mappings are loaded to the system. If the file has syntax errors, invalid data, or duplicate records, the commands exits without adding any mapping and sends the messages to correct the records in the file.source is the file that contains the RNC-PCF mapping records. The syntax of the source file must be in the following format:rnc-group,pcf_ip_addressrnc-group,pcf_ip_addressrnc-group,pcf_ip_addresswhere rnc-group is a string and pcf_ip_address is a valid IP AddressFor example:RNC_TEST_2, 123.1.1.21RNC_TEST_2, 123.1.2.21BSC_CO_5, 113.1.1.22BSC_CO_5, 113.1.2.22BSC_CO_5, 113.1.1.23If a pcf_ip_address already existed with specified values for pcf_ip_address, and the import file includes more addresses within the same group, the pre-existing entries from this group are assigned to un-named group. Only the new mappings in the imported file belongs to this group.If the imported list includes a PCF address that is already in an existing group, the mapping is updated with the new group.

rncSaiMap add rncid Adds a list of RNC-SAI mappings. Enter the mappings in one line, each separated by a space.

Procedure 12-4

rncSaiMap addList rncid sai [sai...]

Adds list of RNC-SAI mapping inputted one after the other.rncid = string with maximum 50 characterssai = a hex string with exactly 14 characters

Procedure 12-4

rncSaiMap clear all Clears all values that are entered for the RNC-SAI mappings

rncSaiMap clear rncid Clears the RNC-SAI mapping for the specific RNC ID.rncid = string with maximum 50 characters

rncSaiMap delete rncid sai sai

Deletes a list of RNC-SAI mappings. Enter the list of mappings in one line, each separated by a space)rncid = string with maximum 50 characterssai = a hex string with exactly 14 characters


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(12 of 24)

14 CLI


rncSaiMap deleteList rncid Deletes one or more RNC-SAI mapping for a specific RNCrncid = string with maximum 50 characters

rncSaiMap groupByLAC Automatically groups SAIs that do not belong to any RNC Group. The SAIs are grouped by their LAC (the first 10 characters of their value).

rncSaiMap import scp|usb source

Uploads RNC-SAI mappings from a file, in bulk, through SCP or USB. The imported file is parsed before the mappings are loaded to the system. If there are syntax errors, invalid data, or duplicate records, the command exits without adding any mapping and with a message that the records in the file must be corrected.The syntax of the source file must be in the following format:rnc-group,sairnc-group,saiwhere sai is a 14-character hexadecimal value and the starting character is 2 to 7 or 9rnc-group is a valid RNC group.For example:RNC_TEST_3, 26800600004cb5RNC_TEST_3, 800600004cb51BSC_CO_1, 268006eb2857f8BSC_CO_1, 268006eb2857f9BSC_CO_1, 268006eb28586eFor an example, if an existing RNC group called RNC-ABC has SAIs and the import file includes SAIs mapped to the RNC-ABC group. The preexisting entries from RNC-ABC are moved to the unnamed group and only the new mappings from the imported file are assigned to RNC-ABC.If the import file includes an SAI mapping that already exists in another group, the mapping is updated with the new group. If a mapping has the same SAI value as an RNC group, that mapping is rejected.

securityMgrFeed disable Disables the security event manager

securityMgrFeed enable syslogCollectorHost syslogCollectorPort netflowCollectorHost netflowCollectorPort

Enables the security event manager Procedure 12-16

service central restart Restarts the 9900 WNG Central

service central start Starts the 9900 WNG Central

service central stop Stops the 9900 WNG Central


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(13 of 24)

14 CLI


service detector restart Restarts the 9900 WNG Detector

service detector start Starts the 9900 WNG Detector

service detector stop Stops the 9900 WNG Detector

service snmpAgent restart Restarts the SNMP agent

service snmpAgent start Starts the SNMP agent

service snmpAgent stop Stops the SNMP agent

show anomalyEventmask anomalyEventType

Displays the intensity setting for the specific anomaly event. The list of anomalyEventType is:• all (used to see the intensity setting for all

the anomaly events) • alwaysActive • batteryAttack • batteryAttackDistributed• floodMobileDistributed• floodMobileSingleSrc• highSignalingSubscriber• highUsage • p2pMobile • portScanHoriz • portScanVert • rncOverload • routerDiscoveryAbuse• sigAttack • unwantedSrc

show api users Displays Motive API users Procedure 20-3

show api stats Displays statistics for each Motive interface Procedure 20-6

show api subnets Displays the subnets for motive API access Procedure 20-4

show applicationMap all Displays all of the defined application mapping Procedure 12-15

show applicationMap category category

Displays the list of application mapping for the specific category. The category can be any string value.

show autoDetectMobilesFromAAA

Displays whether autoDetectMobilesFromAAA is enabled or disabled

show backhaul Displays the line rates for management interfaces that are between the 9900 WNG Detector and Central

show backhaul in section 37.4

show captureFilter Displays the filter that is used for capture

show captureVLAN Displays the VLAN IDs for the capture VLAN Procedure 12-9

show CDMADeviceMode Displays the setting for the CDMA device mode

show cliSessions Displays information about the active CLI sessions


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(14 of 24)

14 CLI


show compressionStatus Displays the current daily summary and number of uncompressed tables until the next hourly summary

show database Displays the mysql information, such as open connections, process list, and list of queries

show deploymentMode Displays the deployment mode for a 9900 WNG Detector

Procedure 12-1

show detectionThresholds parameter value

Shows the event intensity thresholds values for a specific event type:• alwaysActive • batteryAttack • batteryAttackDistributed• floodMobileDistributed• floodMobileSingleSrc• highSignalingSubscriber• highUsage • p2pMobile • portScanHoriz • portScanVert • rncOverload • routerDiscoveryAbuse• sigAttack • unwantedSrc

show detectors Displays the list of 9900 WNG Detectors that are registered with the 9900 WNG Central

show diskArray Displays the disk status; for example, if the disk has failures or is running optimally

show dormancy Displays the mobile dormancy timeout value Procedure 12-8

show eventmask eventype Displays the mask setting for the events specified by the variable eventype. The values are:• a11SessionUpdate • detectorTrafficUpdate • mobileFlow • sessionUpdate• subscriberSession• hopTrafficUpdate

show eventrate anomalyEvents

Displays the send rate for anomaly events Procedure 12-6

show eventrate awarenessEvents

Displays the send rate for awareness events

show hostId Displays the platform hardware host ID Procedure 6-1

show hostname Displays the hostname of the 9900 WNG Central or Detector, depending on which server executed the command


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(15 of 24)

14 CLI


show idleTimeout GUI | web

Displays the idle timeout for GUI and Web users Procedure 36-14

show ignoreDNSPackets Displays whether DNS packets are ignored

show interface all Displays information about the network interfaces

show interface name Displays information about a specific network interface

show inventory Displays hardware information for the 9900 WNG Central or Detector

show language gui Displays the language resource file Procedure 16-2

show license Displays the license and license violation details Procedure 35-1

show log audit Displays the CLI/GUI logging details

show log central Displays logging information for the 9900 WNG Central

show log central-err Displays the 9900 WNG Central error log

show log compression Displays the compression log

show log database Displays the mysql log

show log detector Displays logging information for a specific 9900 WNG Detector

show log gui Displays logging information for a specific GUI

show log ipmi Displays logging information for the BMC

show log motive Displays the motive log Procedure 20-7

show log syslog Displays system level logging information for the 9900 WNG

show log systemEvents Displays system event logging information for the 9900 WNG

show log webAccess Displays web access logging information

show logLevel Displays the log event settings

show lossRateThreshold Displays the loss rate threshold for different levels

show memory Displays the system memory information show memory in section 37.4

show mobileIPSubnets Displays the IP subnets that are used for mobiles Procedure 12-5

show module Displays the enabling status for signaling decoder modules

show moduleCounts gtpc | mobileip

Displays the gtpc or mobileip module counters

show ntp Displays the NTP configuration information for the 9900 WNG Central or Detector, depending on which server the command is executed


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(16 of 24)

14 CLI


show packetCounts Displays the 9900 WNG Detector packet counts

show processes Displays the list of running processes

show reportTime [verbose]

Displays the earliest day of the reporting period and any missing data gaps, if verbose

show reports maxReportableRealms

Displays the maximum number of realms or APNs that are reported separately in the realm-based generated reports

show reports billingValidationDifferenceThreshold

Displays the difference between the observed bytes and the RADIUS reported bytes for a mobile session that causes the reporting of a billing discrepancy

show reports billingValidationMinimumBytes

Displays the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy

show repoStatus Displays the settings for all repositories Procedure 9-2

show rncLoadThreshold all Displays all existing RNC load threshold values Procedure 12-2

show rncLoadThreshold rncid rncid

Displays the RNC load threshold values for a specific RNC IDrncid = string with maximum 50 characters

show rncpcfmap all Displays the RNC-PCF mapping

show rncPcfMap discoveredPCFConfigured

Displays the discovered PCFs that are configured

show rncPcfMap discoveredPCFNotConfigured

Displays the discovered PCFs that are not configured

show rncpcfmap rncid rncid

Displays the RNC-PCF mapping for the specific RNC

show rncpcfmap summary Displays a summary of RNC-PCF mappings

show rncSaiMap all|rncid rncid

Displays all of the existing RNC-SAI mappings or the mapping for a specific RNC ID.rncid is a string of up to 50 characters

Procedure 12-4

show rncSaiMap discoveredSaiConfigured

Displays the discovered SAIs that are configured

show rncSaiMap discoveredSaiNotConfigured

Displays the discovered SAIs that are not configured

show rncpcfmap summary Displays a summary of RNC-SAI mappings

show runningConfig Displays the configuration that is currently running on the 9900 WNG Detector

show securityMgrFeed status

Displays whether the Security Event Manager is enabled or disabled


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(17 of 24)

14 CLI


show snmpAgent community

Displays the list of SNMP communities

show snmpAgent groups Displays the SNMP groups Procedure 19-2

show snmpAgent hosts Displays information about the SNMP host (managers) that are used to forward traps

show snmpAgent info Displays information about SNMP, such as contact, location, and SNMP enabling

show snmpAgent users Displays the list of SNMP users Procedure 19-7

show snmpAgent views Displays the SNMP view details Procedure 19-2

show software installed central [all]

Displays information about the software that are installed on the 9900 WNG Central

show software installed detector

Displays information about the software that is installed on a specific 9900 WNG Detector

show software installed detector all

Displays information about the software that is installed on all 9900 WNG Detectors

show software repo [all|alu9900|central|detector]

Displays software package information Procedure 9-6

show stats Displays statistics for all of the mobile NEs, such as PDSN and HA. Statistics include, current and peak rates of the 9900 WNG Central or Detector traffic feed inputs

show stats in section 37.4

show subscriberGroup all | summary | groupName groupName

Displays subscriber group information

show system Displays all of the system information, such as CPU, memory usage, system name, location, and contactsSee for more information.

show system in section 37.4

show top Displays a snapshot of the UNIX top utility

show topology [element type]

Displays all of the mobile network elements, such as PDSN and HA, for all of a specific 9900 WNG Detector (in the detector view)


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(18 of 24)

14 CLI


show trendAlert all | node nodeName elementType trendName

Displays the trend threshold values for different trendsValues for elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUP.Settings for trendName are:• num_active_m• nnum_hoin num_hoou• i2m_pkts• i2m_flows• i2m_bytes• m2i_pkts• m2i_flows• m2i_bytes• m2m_pkts_up• m2m_flows_up• m2m_bytes_up• m2m_pkts_down• m2m_flows_down• m2m_bytes_down• down_rtt_mean• down_tcp_pkts• down_tcp_loss• uni_i2m_pkts• uni_i2m_flows• uni_i2m_bytes• uni_m2i_pkts• uni_m2i_bytes• ni_m2m_pkts_up• uni_m2m_flows_up• uni_m2m_bytes_up• uni_m2m_pkts_down• uni_m2m_flows_down• uni_m2m_bytes_down• loss_rate• rtt_mean• tcp_reset_i2m_pkts• tcp_reset_m2i_pkts• tcp_reset_m2m_pkts_down• tcp_reset_m2m_pkts_up• icmpunreach_i2m_pkts• icmpunreach_m2i_pkts• icmpunreach_m2m_pkts_down• icmpunreach_m2m_pkts_up• num_conn_setup_up• num_conn_setup_down

show uptime Displays the time of the 9900 WNG Central or Detector servers since the last reboot

show uniTCPFlows Displays the statistics for the unidirectional TCP


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(19 of 24)

14 CLI


show users Displays the list of currently configured CLI and GUI users on the 9900 WNG Central.

Procedure 36-12

show version Displays the version of the 9900 WNG Detector

show whitelist Displays the whitelist subnets Procedure 12-7

snmpAgent add community community ro|rw|wo ipaddress

Specifies the community string that is used for SNMPv1/v2c get/set

Procedure 19-1

snmpAgent add group name [noAuthNoPriv|authNoPriv|authPriv] Read-view Write-view Notification-view

Specifies the access control rules for the group. The group name must be unique.

Procedure 19-4

snmpAgent add host v1 IpAddress port community | v2c IpAddress port community | v3 IpAddress port userName

Specifies the host for forwarded SNMP traps. IPaddress is the IP address of the trap recipient machine, port is the target port. For SNMP v1 or v2c, the community string is required. For SNMP v3, a user name is required to configure the trap host.

Procedures 19-1 and 19-2

snmpAgent add user username groupname [authProtocol] [authPassword] [privPassword]

Creates SNMP users. The authProtocol and authPassword parameters are required only when the user requires authorization or privacy, whereas privPassword is required for privacy support.

Procedure 19-3

snmpAgent add view view old [excluded | included]

Specifies the SNMP view. The SNMP view name should be unique.See Procedure for more information.

Procedure 19-2

snmpAgent add community community ro|rw|wo ipaddress

Adds the community string that is used for SNMPv1/v2c get/set


snmpAgent delete group name

Deletes the SNMP group with the group name Procedure 19-6

snmpAgent delete host IpAddress

Deletes the host from the trap-receiving host list

snmpAgent delete user user

Deletes the SNMP user with a specific name Procedure 19-5

snmpAgent delete view view

Deletes the SNMP view with a specific name

snmpAgent update contact contact

Sets the value of the SNMP contact string

snmpAgent update location location

Specifies the SNMP location string

snmpServer add ip Adds an NMS server to send SNMPv3 requests to the agent

Procedure 19-2

snmpServer addList ip[ip] [ip]...

Adds a list of NMS servers to send SNMPv3 requests to the agent

Procedure 19-2


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(20 of 24)

14 CLI


snmpServer delete Deletes a NMS server from the list of allowed NMS servers that send SNMPv3 requests to the agent

snmpServer deleteList Deletes NMS servers one at a time from the list of allowed NMS servers that send SNMPv3 requests to the agent

snmp trap anomaly eventType intensity

Specifies the intensity of anomaly events. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the specified intensity. The values for intensity is 1 to 5, and off. Specify one of the following event types:• AlwaysActive• batteryAttackDistributed• batteryAttackSingleSrc• floodMobileDistributed• floodMobileSingleSrc• highSignalingSubscriber• highUsage• p2pMobile• portScanHoriz• portScanVert• rncOverload• routerDiscoveryAbuse• sigAttackSingleSrc• unwantedSrc

Procedure 19-14

snmp trap trendAlerts intensity

Specifies the intensity of trend alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the set intensity. The values for intensity is 1 to 5, and off.

snmp trap congestionAlerts intensity

Specifies the intensity of congestion alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the set intensity. The values for intensity is 1 to 5, and off. Sets the intensity of trend alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than the set intensity. The values for intensity is 1 to 5, and off.

subscriberGroup delete groupName [groupname ]

Deletes one or more subscriber groups. After a subscriber group is deleted, all of the subscribers which were contained in the group are ungrouped.


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(21 of 24)

14 CLI


subscriberGroup import add|createOrReplace scp location |usb filename

Bulk uploading of the subscriber group-subscribers mappings from a file.The source specifies the file that contains the groupName-subscriber mapping records. The file can be imported using SCP or USB. The imported file is parsed before the mappings are loaded. If the file contains syntax errors, invalid data, or duplicate records, the mappings are not changed.A subscriber can be contained in multiple groups.The syntax of the file containing the mapping is: subscriber_groupName,NAI/IMSIwheresubscriber_groupName is the name of the subscriber group, which can contain up to 64NAI/IMSI (without realm) is an NAI/IMSI valueThe following describes the options:• addincrementally adds the subscribers to

the subscriber group. Use createOrReplace command to create new or replace existing groups

• createOrReplacecreates or overwrites one or more subscriber groups that are in the file

The following is a sample file: Sub1, 1234567890Sub1, 1234562890Sub2, 1234567890

system reboot Reboots the 9900 WNG Detector or Central, depending on which server the command is executed

system shutdown Halts the system after bringing it down Procedure 5-2

trendAlert remove | reset nodeName elementType trendName

Removes or resets the trend threshold values for the specified trend.elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUPThe following are the trend names:• num_active_mn• i2m_flows• i2m_bytes• m2i_flows• m2i_bytes• num_conn_setup_up• num_conn_setup_down• airtime_up• airtime_down


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(22 of 24)

14 CLI


trendAlert set nodeName elementType trendName threshold

Specifies the trend threshold values for a specific trend. A trend threshold can be configured for a trend that is recognized by combination of three fields: element type, trend name, and node name. Specify one of the following values for elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUPThe list of trend names are:• num_active_mn • i2m_flows• i2m_bytes• m2i_flows• m2i_bytes• num_conn_setup_up• num_conn_setup_down• airtime_up• airtime_down

update software central packageName

Updates a specific software package on the 9900 WNG Central

Procedure 9-4

update software detector detectorName packageName

Updates a specific software package on a specific 9900 WNG Detector

Procedure 9-4

user add id password group firstname lastname

Creates a CLI, GUI, Web, or ReportOnly user account. The options for the group are user, admin, reportonly, sudo, or demoonly.

Procedure 36-1

user changePassword id If the command is used in sudo mode, you must specify the ID to reset the password of a specific user. If the command is used from the user or admin mode, your password is changed.


user delete id Deletes a specific the CLI, GUI, Web, ReportOnly, or Demoonly user

Procedure 36-11

user modify group CLI <id> <group>

Changes the CLI role for an account. The role can be user, admin, reportonly, or demoonly.

Procedure 36-5

user modify group GUI <id> <gui_role1> [gui_role2] [gui_role3] [gui_role4] [gui_role5]

Changes the GUI role for an account. The role can be NE, ano, subs, or admin.

Procedure 36-5

user modify group id group Changes a specific user role. The role cannot be upgraded to sudo.

user modify group Reports <id> <rep_role1> [rep_role2] [rep_role3] [rep_role4]

Changes a specific role for a Reports account. The roles NE, subs, apps, or admin.

Procedure 36-5

user modify name id firstname lastname

Modifies a specific user name Procedure 36-6


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(23 of 24)

14 CLI


user modify PasswordAge id days

Resets the specific user current and future passwords to expire after the specified number of days

Procedure 36-8

user setDefaultPasswordAge days

Sets the default password for new and existing accounts. A current password lasts for the specified number of days.

Procedure 36-7

whitelist add Prompts you to enter whitelisted subnets one at a time. Press Enter to finish entering whitelisted subnets.

Procedure 12-7

whitelist addList subnet [subnet...]

Specifies one or more whitelisted subnets Procedure 12-7

whitelist clear Clears all of the whitelisted subnets

whitelist delete subnet Deletes the subnets from the list of whitelisted subnets

whitelist deleteList Deletes the whitelisted subnets one at a time. Press Enter to finish deleting the whitelisted subnets.


Detector Central

user

adm

in

sudo

user

adm

in

sudo

(24 of 24)

14 CLI



15 PC client installation

15.1 PC client installation overview 15-2

15.2 PC client installation 15-2

15.3 Launching the GUI client 15-3



15.1 PC client installation overview

The 9900 WNG EMS is a GUI client application that runs on your personal computer. You can use the GUI to manage 9900 WNG Central and Detector devices.

The GUI provides the following functions:

• secure PC-based GUI and CLI client interfaces to enable remote monitoring and administration

• threat analysis• SSH “cut-through” to 9900 WNG components• a view of the entire wireless network that is being monitored• on-demand reports

15.2 PC client installation

The 9900 WNG EMS is a software application that runs on the client PC. It is downloaded from 9900 WNG Central through the Java Web Start. The EMS manages 9900 WNG components (NEs), including the 9900 WNG Central and Detector.

The 9900 WNG Central web applications run on client terminal platforms that meet these conditions:

• Windows XP• Minimum screen resolution: 1024 x 768• Internet Explorer 6.0• Java 1.6 or later• Processor speed - a minimum of 1GHz

Provisioning your PCBefore you can run the GUI client on a machine, the machine must first be provisioned. Additionally, when your System Administrator changes the server certificate on the 9900 WNG Central server you must provision your PC again. Perform Procedure 15-1 to provision your PC.

Procedure 15-1 To provision your PC

1 Log into the 9900 WNG Central webpage, as described in Procedure 17-1.

2 Click on the link First-time user please click here to provision your PC.

3 Provide your WNG username and password to authenticate yourself when prompted.

4 After a successful provisioning, a message box appears with a Your PC has been successfully provisioned message. Click on the OK button.



If you cannot provision your PCI, click on the Common launch problems link located on the 9900 WNG Central webpage for troubleshooting information.

15.3 Launching the GUI client

Perform Procedure 15-2 to launch the GUI client. This procedure assumes that you have provisioned your PC as described in Procedure 15-1.

Procedure 15-2 To launch the GUI client

1 Log into the 9900 WNG Central webpage, as described in Procedure 17-1.

2 Click on Launch the GUI Client link.

3 Enter your 9900 WNG username and password. Ensure that the Server field contains the hostname of your 9900 WNG Central server.

After a successful login, the GUI client starts.

If you cannot launch the GUI, click on the Common launch problems link located on the 9900 WNG Central webpage for troubleshooting information.

Deployment by Java Web StartThe GUI is deployed using the Java Web Start technology, and is launched from the 9900 WNG Central webpage.

After your first execution of the program, its binary image is cached on your PC, so you do not have to download the program every time you execute it. You receive an automatic upgrade of the client program when the program is upgraded on the 9900 WNG Central.




16 GUI

16.1 GUI overview 16-2

16.2 Logging in to the GUI 16-2

16.3 GUI components 16-2

16.4 Common features and functions 16-6

16.5 Configuring the language on the GUI 16-8

16.6 Configuring preference settings 16-9

16 GUI


16.1 GUI overview

The 9900 WNG includes a GUI client application that runs on your personal computer. The GUI has the following key functions:

• Threat and performance analysis—The GUI is designed to allow you to view and analyze network threats and performance issues. The GUI is a dynamic interface that supports a variety of on-demand reports for real-time monitoring and analysis of network anomalies.

• Element management—you can use the GUI to manage 9900 WNG Central and Detector devices. The GUI supports the following features:

• secure PC-based GUI and CLI client interfaces to enable remote monitoring and administration

• SSH “cut-through” to 9900 WNG components using the CLI menu item in the navigation menu

Menu-based and dynamic navigationFor some views, the data is automatically generated from the events that the Detector monitors, such as anomaly, performance and system events. You can access such data by clicking on the associated item in the navigation menu. Other views are generated by actions you perform, either from the navigation menu, or from features embedded in the GUI view which allow you to navigate dynamically and generate detailed, current reports on demand, such as the forensic, mobile flow, and network forensic views.

16.2 Logging in to the GUI

Procedure 16-1 describes how to log in to the GUI.

Procedure 16-1 To log in to the GUI

1 Access the 9900 WNG Central webpage, as described in Procedure 17-1.

2 Click on the Launch GUI Client link. The log in pop-up window appears.

3 Enter your user name and password.

4 Choose the central server that you need to log in to from the Server drop-down menu.

5 Click on the Login button. The GUI appears with the Dashboard view displayed.

16.3 GUI components

The first time that you open the GUI client, the Dashboard View appears as shown in Figure 16-1

16 GUI


Figure 16-1 9900 WNG window components Dashboard View

Table 16-1 describes the 9900 WNG GUI window components.

The components in the GUI are persistent or variable. Persistent components remain visible in the GUI window and provide access to high-level navigation, commands, and monitoring functions. Variable components appear in the workspace panel. the layout and format of the workspace panel depend on the item that you select in the navigation menu.

Table 16-1 9900 WNG GUI persistent components

Main menu

Status bar

Navigation menu

Workspace panel

LED statusindicators

21132

Component Description See

Main menu Contains menu and submenu items:• File• Preferences• Help

Table 16-2 for a description of the Preferences commands

Status bar Displays the following items (from left to right):• User name and privileges• the name of the 9900 WNG Central server

that hosts the GUI• LED status indicators

Tables 16-3 and 16-4 for a description of the status LEDs

(1 of 2)

16 GUI


GUI menus

The GUI menu provides the top-level controls for the GUI client. Table 16-2 describes the menus.

Table 16-2 GUI menus

9900 WNG status indicators

The GUI displays LEDs that indicate the status of the database, anomaly events, and the 9900 WNG system. Table 16-3 describes the status LEDs.

Navigation menu Contains a list of items that represent the available GUI functions. Each item opens a specific view that appears in the workspace panel.Use the Navigate menu to navigate to a specific GUI function. You can navigate from one view to another without affecting the data in the views.

Table 16-5

Workspace panel The layout and content of this panel depends on the navigation menu item that you choose.The workspace panel is used to perform network performance monitoring and anomaly management


(2 of 2)

Menu Submenu or command Description See

File Exit command Provides access to the Exit command, which closes the GUI

Preferences Set Data Retrieval Size Provides options to change the default display settings for the GUI-based reports

Section 16.6

Filter Received Events

Set Subscriber Report Preferences

Topology Preferences

Reset Configuration Settings

Help About command Provides information about the following:• current version of the 9900 WNG• current version of Java • current OS• run time for the current GUI

session

16 GUI


Table 16-3 Status LEDs

Troubleshooting LEDs

Table 16-4 describes the color information for LEDs for troubleshooting.

Table 16-4 Troubleshooting LEDs

Status LED LED color Description

Database Green Indicates operations are normal, communication to Central database is healthy.

Yellow Indicates all connections in the database connection pool are currently being used. This should turn green after operations such as report generation or mobile flow queries are complete. This is not necessarily indicative of a problem, unless the LED stays yellow for an extended period of time. If it does stay yellow, exit the GUI and log back in.

Red Indicates communication to the Central database is down. See Table 16-4 for corrective action.

Unacknowledged Affects the ability to acknowledge / un-acknowledge and manually clear system events. It is recommended that you restart the GUI to fix this problem.

Events Green Indicates everything is normal, anomaly events are being received and communication to Central is healthy.

Yellow Indicates anomaly events are being received successfully although some communication with Central is not available. This affects the ability to acknowledge and manually clear anomaly events. Alcatel-Lucent recommends that you restart the GUI to fix this problem.

Red Indicates the GUI cannot receive anomaly events from Central. This could be a network communications problem or a problem with the Central machine. See Table 16-4 for corrective action.

System Green Indicates everything is normal, system health events are being received and communication to Central is healthy.

Yellow Indicates the system events are being received successfully although some communication with Central is not available. This affects the ability to acknowledge and manually clear system events. Alcatel-Lucent recommended that you restart the GUI to fix this problem.

Red Indicates the GUI cannot receive system events from Central. This could be a network communications problem or a problem with the Central machine. See Table 16-4 for corrective action.

LED color Solution

Red If all LEDs are red, there is either a network connectivity issue or the system is down. If you are able to access the 9900 WNG webpage but cannot authenticate yourself, contact your Alcatel-Lucent technical support representative. If you are unable to access the 9900 WNG webpage, check your network connectivity and/or verify that the 9900 WNG Central is powered up.

Yellow If the database LED is yellow, you are likely making too many report/database accesses.

Yellow/red If the system or anomaly LEDs are yellow/red, the GUI automatically retries and after the Central processes are up, these LEDs change to green.

16 GUI


Navigation menu and views in the workspace panel

Table 16-5 describes each of the items in the navigation menu, and where to find more information about the associated view.

Table 16-5 9900 WNG navigation menu

16.4 Common features and functions

Most of the views in the 9900 WNG GUI window have common components and features that allow you to change the contents of the view.

Sorting functions

The 9900 WNG includes a variety of ways to sort the data in the workspace panel. The sort functions depend on the report type that you view.

Tabular reports

Some tabular reports support the sorting of table data in ascending and descending order based on the column header that you choose. You can click on the column header to realign the order of the table for the following reports:

• Forensic View report tables• Topology Element Table

Navigation menu item

Description See

Dashboard View Provides a snapshot of all active subscribers and display potential problems in the network

Chapter 21

Real-Time Events View

Comprises three views:• Anomaly Events• Performance Events• Historic Events

Chapter 22

Forensic view Use this view to investigate threat events and analyze general mobile flow records, such as records that do not relate to an anomaly event.The Historic View tab contains a list of past forensic queries that are sorted from most recent to oldest.

Chapter 23

Topology and network forensics

Provides a view of the network elements observed by the 9900 WNG Detector while monitoring the network traffic. Includes Element tables and Network graphs

Chapters 24 and 25

System View Displays current events representing health alerts and troubleshooting.

Chapter 26

Mobile flow Displays usage records that combine the typical network flow information with wireless-specific information.

Chapter 27

CLI Provides SSH cut through to the Central CLI Chapter 28

Subscriber Displays reports about subscribers Chapter 29

16 GUI


• Mobile Flow records• Subscriber Anomaly Events tab• Network Forensic History tab

Report-specific filters

For all other filter operations, see the appropriate chapter for the GUI-based report.

Export functions

Table 16-6 describes the common export functions.

Table 16-6 Common Export functions

Calendar and time widget

The calendar and time widget can be accessed from all date- and time-based fields by clicking on the down arrow adjacent to the date/time field. You can use the calendar to select days in the past or future. The time field can be adjusted by the hour by clicking on the up/down arrows. You can also adjust the time by typing directly in the field. Click on the Now button to configure the current date and time.

Using the whois query

You can use the whois query on the GUI to identify the owner associated with either a Victim IP or an Attacker IP address shown in the Event Details panels (for example, the Anomaly Event Details panel or the Mobile Flow Event Details panel). To display the IP address of a victim or attacker, right-click on the IP address and choose whois. The whois query displays the following fields from the ARIN WHOIS database search.

Action Description View where used

Buttons

Export Opens a dialog box that allows you to choose the content (tabs) to be exported and the format: CSV, PDF, or both

Subscriber (all tabs)Network Forensic

Export to CSV Exports the data to a CSV file Anomaly HistoryForensic ViewMobile FlowSystem History

Export to PDF Exports the data to a PDF file Forensic View

Right-click options

Export table or selection to CSV

Exports the data to a CSV file Element Tables

16 GUI


Table 16-7 whois query fields

16.5 Configuring the language on the GUI

The 9900 WNG Central GUI supports localization in English, Spanish, and Chinese. The language displayed in the GUI matches the language configured on the terminal you are using to view the GUI. See your operating system documentation for information about configuring language options.

You can install a customized language resource file for the 9900 WNG; contact your Alcatel-Lucent representative for assistance in acquiring and configuring a language resource file. Table 16-8 lists the language configuration tasks you can perform and where to find more information.

Table 16-8 Configuring language procedures

Procedure 16-2 To display the current language resource file


2 Display the current language resource file by typing:

show language gui ↵

Fields

HostName CIDR OrgAbuseHandle

OrgName NetName OrgAbuseName

OrgID NetHandle OrgAbusePhone

Address Parent OrgAbuseEmail

City NetType OrgTechHandle

State/Province Comment OrgTechName

Postal Code RegDate OrgTechPhone

Country Updated OrgTechEmail

NetRange

Task See Procedure

To display the current language resource file 16-2

To install a language resource file 16-3

16 GUI


Procedure 16-3 To install a language resource file

Performing this procedure changes the displayed language for all users.


2 Install a new language resource file by typing:

load language gui location_type location ↵

wherelocation_type is USB or SCPlocation is the filename or SCP location of the language resource file. If the SCP location requires a password, you are prompted to enter the password.

The new language resource file is installed.

16.6 Configuring preference settings

The Preferences menu supports the configuration of the settings that are described in Table 16-9.

Table 16-9 Preference menu settings

Procedure 16-4 To change the default data retrieval settings

1 Log in to the 9900 WNG Central webpage, as described in Procedure 17-1.

2 Choose Set Data Retrieval Size from the Preferences menu. The Specify Page and Data Sizes window appears.

Setting Description See Procedure

Data retrieval setting Change the default data retrieval settings for anomaly events

16-4

Anomaly event setting Specifies the type of events that the system displays

16-5

Subscriber reports preferences Changes subscriber report preferences 16-6

Network graph preferences Specifies the number of cells to display in the network graph

16-7

Reset configuration settings Resets all preferences to the default setting 16-8

16 GUI


3 Change the settings for the fields, as described in Table 16-10. Select from settings in the drop-down menu to the right of each field.

Table 16-10 Data retrieval settings

4 Click on the Save button.

Procedure 16-5 To change the default event reporting settings


2 Choose Filter Received Events from the Preferences menu. The Filter Received Events window appears. By default, all event types are selected.

3 Choose one of the following options to change the default settings:

a Select the types of anomalies that you need to display in the GUI-based reports. Table 16-11 lists the anomaly events in the order that they appear in the Filter Received Events window. See chapter 33 for a detailed explanation of each type of event.

Table 16-11 Anomaly events filter

Note The number of events that you display can affect the system performance. The system required more time to process a large number of events than a small number of events of the same type.

Option Description Values See

Max outstanding Events Shown in Network View/Current View

Specifies the number of events that are shown in the Anomaly Events view

20, 50, 100, 500 (default), 1000

Anomaly Events view in chapter 22

Max Incidents Shown in the History View

Specifies the number of events that are shown in the Anomaly History view

500 (default), 1000, 1500, 2000, 2500

Anomaly History view in chapter 22

Max Events shown in Forensic/Subscriber View

Specifies the number of events that are shown in the Forensic View and Subscriber Views

20, 50, 100, 500 (default), 1000

Chapter 23 (Forensic View)

Chapter 29 (Subscriber View)

Maximum Flow Records per Mobile FLow Query

Specifies the number of events that are shown in the Mobile Flow View

100, 200 (default), 500, 1000

Chapter 27

Event name Description

SIGATTACK_SINGLE_SRC Signaling attack from a single source

(1 of 2)

16 GUI


b Click on the Select All button to display all types of anomaly events in the the views.

c Click on the Deselect All button to deselect all events.

4 Click on the OK button to save the filter preferences.

Procedure 16-6 To modify subscriber report preferences

1 From the 9900 WNG GUI, go to the Preferences drop-down menu and select Set Subscriber Report Preferences. The Set Subscriber Reports references widow appears.

2 Configure the parameters in the Preferences dialog box, as described in Table 16-12.

Table 16-12 Subscriber report preferences

HIGH_SIGNALING_SUB High signaling subscriber

RNC_OVERLOAD RNC overload

BATTERYATTACK_SINGLE_SRC Battery attack from a single source

BATTERYATTACK_DISTRIBUTED Battery attack from a group of sources

FLOOD_MOBILE_SINGLE_SRC Flood mobile from a single source

FLOOD_MOBILE_DISTRIBUTED Flood mobile from multiple sources

PORTSCAN_VERT Vertical port scan

PORTSCAN_HORIZ Horizontal port scan

ALWAYS_ACTIVE_SUB Always active airtime subscriber

HIGH_USAGE_SUB High usage subscriber

P2P_MOBILE Peer-to-peer mobile

UNWANTED_SRC Unwanted source of traffic

ROUTER_DISCOVERY_ABUSE ICMP router discovery abuse

Parameter Description Value

Minimum Observed Byte Threshold in bytes

Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. This prevents reporting on sessions with relatively small amounts of data.

1000 (default)

(1 of 2)

Event name Description

(2 of 2)

16 GUI


Note(1) The GUI settings do not affect other users or the daily/weekly/monthly billing discrepancy report

that is set using the CLI.


Procedure 16-7 To configure Network Graph preferences

1 From the main menu, choose Topology Preferences from the Preferences menu. The Topology Preferences window appears.

2 Choose a value from the Limit Base Station drop-down menu. The options are 25, 50, 100, or 200 (default).

3 Click on the Save & Close button.

Procedure 16-8 To reset default configuration settings


2 Choose Reset Configuration Settings from the Preferences menu. The Delete Configuration Settings dialog box appears.

3 Click on the Yes button to reset the preferences.

Discrepancy Difference Threshold in bytes (1)

Specifies the difference between the observed bytes and the bytes reported by RADIUS for a mobile session. If the threshold is reached or exceeded, the system reports a billing discrepancy.

1000 (default)

Restore defaults button

Restores the values in the form to the default values

Parameter Description Value

(2 of 2)


17 9900 WNG Central webpage

17.1 9900 WNG Central webpage 17-2



17.1 9900 WNG Central webpage

The 9900 WNG Central webpage is the browser-based user interface from which you can access the following functions:

• open the browser-based reports interface• open the 9900 WNG Central client GUI• open the Group Manager• log out or change password• get SNMP MIBs• view customer documentation

Perform Procedure 17-1 to access the functions supported by the 9900 WNG Central webpage.

Procedure 17-1 To access the 9900 WNG Central webpage

1 Using a web browser, navigate to the 9900 WNG Central webpage. The location of the web page depends on the hostname of the 9900 WNG Central. For example, if the hostname of your 9900 WNG Central is CentralHostName, use https://CentralHostName.

2 Enter your username and password and click on the Login button. The 9900 WNG Central home page appears.

3 Choose one of the links in Table 17-1, which describes the functions that you can access and where to find more information.

Note Users with the reportonly privilege cannot view the GUI link.

Note The 9900 WNG Central converts HTTP queries into HTTPS queries. For example:

http://centralhostname is converted to https://centralhostname



Table 17-1 Links on the 9900 WNG Central home page

Link Description See

Get reports Browser-based reports provide you with information about short and long-term trends in network events and activities. The reports are web-based and accessed by using a browser.

Chapter 30 for information about how to access and use browser-based reports. See chapter 31 for detailed information about each type of report that you can generate.

Launch the GUI Client

The 9900 WNG GUI client supports the following activities:• Threat and performance analysis in

real-time• Element management and SSH cut

through to the CLI for the 9900 WNG Central and Detector

Chapter 16 for information about how to access and use the 9900 WNG GUI. See chapters 21 to 29 for information about the types of real-time reports that you can generate.

Group Manager The Subscriber Group Manager webpage enables you to create subscriber groups which you can use to classify and manage a large number of subscribers

Chapter 32 for information about how to create and manage subscriber groups

Get SNMP MIBS Download the 9900 WNG MIB file Section 19.9

View 9900 WNG Users Guide




18 BMC

18.1 BMC 18-2

18 BMC


18.1 BMC

The BMC provides system administrators with remote access to the 9900 WNG Central and Detectors. If the 9900 WNG Central or Detector hardware fails for any reason, the system administrator can access the status of the hardware and take corrective action.

BMC firmware enables server management functions, such as remote reset and remote power off, even when the server operating system is down. The BMC LAN interface is configured with a separate IP address to enable remote access. The IPMI Management Utilities are used to send commands to the BMC firmware. These commands include accessing the firmware system event log, launching the remote console, and performing remote power off. The IPMI Management Utilities must be installed on the machine from which the system administrator wants to access BMC. The IPMI Management Utilities can be installed on a Linux or Windows platform.

Table 18-1 lists where to find more information about the BMC.

Table 18-1 BMC information


Configure the management interface and BMC LAN on the 9900 WNG Central


Monitoring the 9900 WNG Central and Detectors using the BMC Section 37.5

Powering up, powering down, or resetting a 9900 WNG Central or Detectors using the BMC

Procedure 5-5

IPMI CLI commands Table 14-8


19 SNMP

19.1 SNMP interface 19-2

19.2 Configuring SNMPv1/v2c 19-3

19.3 Configuring SNMPv3 19-5

19.4 SNMP user accounts 19-7

19.5 Managing SNMP components 19-9

19.6 Deleting SNMP components 19-10

19.7 Configuring SNMP for anomaly, trend, and congestion alerts 19-11

19.8 SNMP commands 19-12

19.9 SNMP MIBs 19-15

19 SNMP


19.1 SNMP interface

SNMP is a UDP-based network protocol that is used to monitor and manage complex networks. Table 19-1 describes the components in an SNMP-managed network.

Table 19-1 SNMP-managed network components

SNMP agents interprets management data on the managed systems as variables. The variables that are accessible using the SNMP interface are organized in hierarchies containing OIDs. The hierarchies, and other meta data, such as type and description of the variable, are described by the MIB. Each OID identifies a variable that can be read or set using the SNMP.

The SNMP specifies five core PDUs in version 1 and 2. Other PDUs were added to create SNMPv2c and then SNMPv3. The information between the agent and manager is exchanged in form of PDUs. SNMPv1 is the initial implementation of the SNMP. SNMPv1 and SNMPv2c have community (plain text) based authentication. However, the SNMPv3 architecture uses the USM for message security and the VACM for access control. See section 19.2 for more information about SNMPv1/v2c. See section 19.3 for information about SNMPv3.

The 9900 WNG Central supports the SNMP interface. There is an SNMP agent that is on the 9900 WNG Central and the SNMP agent monitors processes, hardware, and software in the 9900 WNG Central and Detectors. You can use the SNMP agent to configure one or more NMSs to communicate and share information.

A community, user-based authentication is required to communicate between the agent and manager. Table 19-2 describes the components of SNMP that must be configured.

Table 19-2 SNMP configurations


Managed device A network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional access to node-specific information. Managed devices exchange node-specific information with the NMSs. Managed devices, also known as NEs, can be any type of device, including, routers, access servers, switches, bridges, hubs, IP telephones, IP video cameras, computer hosts, and printers.

Agent A network-management software module that resides on a managed device. An agent has local knowledge of management information and translates the information to or from an SNMP-specific form and reports the information to the NMS.

NMS The higher level manager that monitors and manages a group of hosts or devices in the network.

Component Description SNMPv1/v2c SNMPv3

SNMP servers NMS servers that are allowed to send requests to the 9900 WNG Central

Community string Allows access the 9900 WNG MIB data

Hosts The destination NMS for SNMP traps

(1 of 2)

19 SNMP


See Table 14-8 for information about all SNMP CLI commands.

19.2 Configuring SNMPv1/v2c

SNMP versions 1 and 2 provide a level of security by using community strings, which, like public and private keys, are used to match valid requestors at the network component.

Perform Procedure 19-1 to specify the NMS servers and configure SNMPv1/v2c settings.

Procedure 19-1 To specify the NMS servers and configure SNMPv1/v2c settings

This procedure requires the following privileges:

• sudoto specify the NMS server entries • adminto configure the SNMPv1/v2c settings


2 Configure the NMS server by performing one of the following:

a Add one NMS server by typing:

snmpServer add IP_address ↵

where IP_address is the IP address of an NMS server.

The following example shows how to configure a single server using the add option.

central:sudo# snmpServer add 1.1.1.1

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

b Add multiple NMS servers by typing:

snmpServer addlist IP_address_1 IP_address_2 IP_address_n ↵

where IP_address_1 to IP_address_n are the IP addresses of the NMS servers

Views Restricts the user to have access to only the MIB

Groups Maps users to views. For each group, you can configure a read view, a write view, or both.

User accounts For communicating between the agent and manager. An authentication protocol, password, and privacy password are required, depending on the group and specified authentication type.

Component Description SNMPv1/v2c SNMPv3

(2 of 2)

19 SNMP


The following example shows how to configure multiple servers using the addlist option:

central:sudo# snmpServer addList 1.1.1.1 2.2.2.2 3.3.3.3


3 Verify the SNMP server entries by typing:

show snmpServer ↵

central:sudo# show snmpServer

target prot source destination

ACCEPT all 1.1.1.1 anywhere



4 Exit the sudo privilege and change to the admin privilege to configure SNMPv1/v2c settings by typing:

exit ↵

5 Add the SNMP community by typing:

snmpAgent add community community access IP_address ↵

wherecommunity is the community string used in GET/SET requestsaccess is set to read/write accessIP_address is the IP address of the NMS server that sends GET/SET requests

6 Add the SNMP host for the destination of the SNMP traps by typing:

snmpAgent add host version IP_address port community ↵

whereversion is v1 or v2cIP_address is the IP address of the NMS server that receives the trapsport is the port to which the trap is sentcommunity is the community string used to receive the traps

7 Update SNMP location information, as described in Procedure 19-8.

8 Update the SNMP agent contact, as described in Procedure 19-9.

19 SNMP


19.3 Configuring SNMPv3

SNMPv3 provides encryption and a USM for authentication and privacy services. The SNMPv3 with USM protects the system against:

• modification of information• masquerading the identity of an authorized entity• message stream modification• disclosure of information

Perform Procedure 19-2 to specify the NMS servers and configure SNMPv3 settings.

Procedure 19-2 To configure SNMPv3 settings

This procedure requires the following roles:

• sudoto specify the NMS server entries • adminto configure the SNMPv3 settings


2 Provision the NMS server by performing one of the following:

a Add an NMS server by typing:

snmpServer add IP_address ↵

where IP_address is the IP address of the NMS server

b Add multiple NMS servers by typing:

snmpServer addlist IP_address_1 IP_address_2 IP_address_n ↵

where IP_address_1 to IP_address_n are the IP addresses of the NMS servers

3 Replace IP_address with the IP address an NMS server.

The following example shows how to configure a single server using the add option:

central:sudo# snmpServer add 1.1.1.1


The following example shows how to configure multiple servers using the addlist option:

central:sudo# snmpServer addList 1.1.1.1 2.2.2.2 3.3.3.3


4 Verify the SNMP server entries by typing:

show snmpServer ↵

19 SNMP


The following example shows the SNMP servers:

target prot source destination




5 Exit the sudo privilege and change to the admin privilege to configure the SNMPv3 settings by typing:

exit ↵

6 Verify that there are views. If there are views go to step 8. If there are no views, go to step 7 to create views.

The following example shows that SNMP views:

central# show snmpAgent views

View-name OID-tree Inclusion

noAuthView .1.3.6 INCLUDED

authMD5View .1.3.6 INCLUDED

authSHAView .1.3.6 INCLUDED

privView .1.3.6 INCLUDED

7 Create SNMP views by typing:

central# snmpAgent add view viewName oid excluded|included ↵

whereviewName is the name of an existing viewoid is the OID treeexcluded indicates exclude the object IDs from this viewincluded indicates include the object IDs in this view.

8 Add an SNMP group by typing:

snmpAgent add group groupName Access readView writeView notifyView ↵

where groupName is the name of a group AccessnoAuth is one of the following values: auth or privreadView is the name of an existing read view writeView is the name of an existing write view notifyView is the name of an existing notify view

9 Verify the group entries by typing:

show snmpAgent groups ↵

The following example shows the SNMP agent groups:

19 SNMP


Group-name Context Access Read-View Write-view Notify-view

NoAuthGroup noAuth noAuthNoPriv noAuthView noAuthView noAuthView

authMD5Group auth authNoPriv authMD5View authMD5View authMD5View

authSHAGroup auth authNoPriv authSHAView authSHAView authSHAView

privGroup priv authPriv privView privView privView

10 Add a user account by typing:

snmpAgent add user userName groupName [authProtocol] [authpassword] [privpassword] ↵

whereuserName is the name of a user accountgroupName is the group to which this user belongsauthProtocol can be MD5 or SHAauthpassword is the user passwordprivpassword is the privacy password

Enabling authentication and specifying a privacy password for a user are optional.

11 Add the SNMP host for the destination of SNMP traps by typing:

snmpAgent add host version IP_address port userName ↵

whereversion is v3IP_address is the IP address of the NMS server to receive the trapsport is the port to which the trap is sentuserName is the SNMPv3 username that is used to authenticate traps

12 Update SNMP location information, as described in Procedure 19-8.

13 Update the SNMP agent contact, as described in Procedure 19-9.

19.4 SNMP user accounts

The following procedures describe how to create and manage SNMP user accounts.

Note The authProtocol and authPassword parameters are required only when the user requires authorization or privacy. The privPassword parameter is required for privacy support.

19 SNMP


Procedure 19-3 To create an SNMP user account

Perform Procedure 19-2 to create an SNMP user account.

Procedure 19-4 To create a n SNMP group

Perform Procedure 19-2 to create an SNMP group.

Procedure 19-5 To delete an SNMP user account


2 Delete an SNMP user account by typing:

snmpAgent delete user user ↵

where user is the username of an account

A confirmation prompt appears.

3 Delete the account by typing:

Y ↵

Procedure 19-6 To delete an SNMP group


2 Delete an SNMP group by typing:

snmpAgent delete group name ↵

where name is the name of an SNMP group

3 Confirm the deletion by typing:

Y ↵

Procedure 19-7 To display SNMP user accounts


2 Display the SNMP user accounts by typing:

show snmpAgent users ↵

19 SNMP


Table 19-3 describes the information that appears for SNMP user accounts.

Table 19-3 show snmpAgent users command

19.5 Managing SNMP components

Table 19-4 lists where to find information about how to manage SNMP components.

Table 19-4 Managing SNMP components procedures

Procedure 19-8 To update SNMP location information


2 Update SNMP location information by typing:

snmpAgent update location location ↵

where location is the location of the SNMP server

Procedure 19-9 To update the SNMP agent contact


2 Update the SNMP agent contact by typing:

central# snmpAgent update contact contact ↵

where contact is the name of the contact at the SNMP location

Column Description

User-name The name of the SNMP user account

Group-name The group name that contains the SNMP user account

Access The access level for the SNMP user account, such as authNoPriv or no AuthNoPriv

Auth-Protocol The authorization protocol for the account, such as MD5

To See Procedure

To update SNMP location information 19-8

To update the SNMP agent contact 19-9

19 SNMP


19.6 Deleting SNMP components

Table 19-5 lists where to find information about how to delete SNMP components.

Table 19-5 Deleting SNMP components procedures

Procedure 19-10 To delete IP addresses from an SNMP server



a To delete an IP address from an NMS server, go to step 3.

b To delete multiple IP addresses from one or more NMS servers, go to step 4.

3 Delete an IP address from an NMS server requests by typing:

snmpServer delete IP_address ↵

4 Delete multiple IP addresses from one or more NMS servers by typing:

snmpServer deleteList ↵

You are prompted to enter the IP addresses.

Procedure 19-11 To delete an SNMP community


2 Delete the SNMP community by typing:

snmpAgent delete community community access IP_address ↵

wherecommunity is the community string used in GET/SET requestsaccess is set to read/write accessIP_address is the IP address of the NMS server that sends GET/SET requests

Task See Procedure

To delete an SNMP user account 19-5

To delete an SNMP group 19-6

To delete IP addresses from an SNMP server 19-10

To delete an SNMP community 19-11

To delete an SNMP host 19-12

To delete an SNMP view 19-13

19 SNMP


Procedure 19-12 To delete an SNMP host


2 Delete the SNMP host by typing:

snmpAgent delete host IP_address port ↵

whereIP_address is the IP address of the NMS server that receives the trapsport is the port number of the NMS server on which the traps are sent

Procedure 19-13 To delete an SNMP view


2 Delete the SNMP host by typing:

snmpAgent delete view viewName ↵

where viewName is the name of an existing view

19.7 Configuring SNMP for anomaly, trend, and congestion alerts

All of the system events are set as SNMP traps. However, by default, SNMP traps are not generated for the anomaly events, and congestion and trend alerts. Perform Procedure 19-14 to configure the 9900 WNG Central to send anomaly, trend, and congestion alerts as SNMP traps.

Procedure 19-14 To configure SNMP for anomaly, trend, and congestion alerts


2 Configure the types of anomalies that are reported as SNMP traps and the intensity level which the traps are generated by typing:

snmp trap anomaly anomaly intensity ↵

whereanomaly is the anomaly event for which an SNMP trap is generated. The values are: alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, routerDiscoveryAbuse, sigAttackSingleSrc, or unwantedSrc.intensity is the event intensity value, which can be 1 to 5 and off. If an anomaly event with equal or greater intensity is generated, a corresponding trap is generated for the anomaly.

19 SNMP


3 Add the intensity level for congestion alerts, above which an SNMP trap is generated, by typing:

snmp trap congestionAlerts intensity ↵

where intensity is the event intensity value, which can be 1 to 5 and off. If a congestion alert with equal or greater than intensity is generated, a corresponding trap is generated.

4 Specify the intensity level for trend alerts above which an SNMP trap is generated by typing:

snmp trap trendAlerts intensity ↵

where intensity is the event intensity, which can be 1 to 5 and off. If a trend alert with equal or greater than intensity is generated, a corresponding trap is generated.

19.8 SNMP commands

The 9900 WNG Central supports the following SNMP commands:

• GET• SET• TRAP

The 9900 WNG Central handles all SNMP interactions. The 9900 WNG Central can integrate directly with a northbound network interface (NMS) by a bidirectional monitoring, control, and management interface. The 9900 WNG Central component generates all necessary traps to integrate with northbound network interface management functions.

SNMP SET

The SNMP SET request is used to change the state of the network to down or up.

SNMP GET

The SNMP GET request can be sent to the 9900 WNG Central from any northbound interface to access network interface details; for example, current state, packet counts, for of the 9900 WNG Central and Detectors.

SNMP TRAP

Table 19-6 describes the SNMP traps that are generated by the 9900 WNG Central and sent to the northbound interface.

19 SNMP


Table 19-6 SNMP trap events

SNMP trap event Description

AnomalyEvents If configured, an anomaly trap is generated for any of the following anomalies:• AlwaysActive• BatteryAttackDistributed• BatteryAttackSingleSrc• FloodMobileDistributed• FloodMobileSingleSrc• HighSignalingSubscriber• HighUsage• P2pMobile• PortScanHoriz• PortScanVert• rncOverload• routerDiscoveryAbuse• SigAttackSingleSrc• unwantedSrc

congestionAlerts A congestion alert trap is generated when the congestion level meets or exceeds the specified level. See Procedure 19-14.

CPU Usage Threshold The critical trap is generated when the CPU usage on the 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the threshold value is greater than or equal to 90%. The trap is cleared when the usage value is less than or equal to 80%.

Disk Usage Threshold The critical trap is generated when the disk usage on the 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the threshold value is greater than or equal to 90%. The trap is cleared with the threshold value is less than or equal to 80%. The partitions that are monitored are:• For the 9900 WNG Central:

• root• /aware• /awaredb• /tmp• /var• /dev/shm

• For 9900 WNG Detectors:• root• /tmp• /var• /aware

hwFailure The critical trap is generated at the 9900 WNG Central when there is a failure in the external disk array. The sub-object instance value for the trap is EXTARRAY.

licenseViolation (9900 WNG Central only)

The critical trap is generated when one of the following occurs:• when the maximum session exceeds a threshold value. A trap with warning severity

is generated when usage is greater than or equal to 85% and a trap with critical severity is generated when usage is equal to 100%. A warning trap is generated if the threshold is less than or equal to 95%. A clearing trap is sent when usage is less than or equal to 80%.

• if the license is not valid or the hostid is incorrect• when the license expired. A warning alarm is sent 5 days before the license expires

(1 of 3)

19 SNMP


lineRateExceeded The critical trap is generated when one of the following occurs:• the traffic feed input rate is greater than or equal to 950 Mbits/s for 1G card or

3900 Mbits/s for the 10G card. The event indicates a high probability that of packets are being dropped.

• the transmitting rate by the 9900 WNG Detector is greater than or equal to 30 Mbits/s or the receiving rate of the 9900 WNG Central is greater than or equal to 40 Mbits/s

The trap is cleared when:• the traffic feed input rate is less than or equal to 900 Mbits/s for 1G card or

3750 Mbits/s for the 10G card• the transmitting rate for the 9900 WNG and the receiving rate for the 9900 WNG

Central is less than or equal to 15 Mbits/s

The sub-object instances for the trap are:• PortA• PortB• PortC• PortD• BACKHAULRCV• BACKHAULXMIT

Link down The critical trap is generated from the 9900 WNG when a link between two components is down. The sub-object instance for the specific event can be anomaly channel, awareness channel, snmp channel, system event channel, sysmonToSECChannel, or centralToSECChannel.

Memory Usage Threshold The critical trap is generated when the memory usage on 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the memory usage is:• greater than or equal to 97% for the 9900 WNG Central• greater than or equal to 98% for the 9900 WNG Detectors

The trap is cleared when the usage is:• less than or equal to 92% for the 9900 WNG Central• less than or equal to 93% for the 9900 WNG Detectors

noPacketsReceived The major trap is generated from the 9900 WNG when packets are not displayed on the capture interface for more than 60 s. The trap is cleared when the capture interface receives the packets.

queueThresholdExceeded A major trap is generated from the 9900 WNG when the queue threshold is full at the 9900 WNG Central or the usage is greater than or equal to 75% at the 9900 WNG Detector. The trap is cleared when the queue is not full at the 9900 WNG Central or the usage is less than or equal to 60% at the 9900 WNG Detector.

packetDropThresholdExceeded The informational trap is generated from the 9900 WNG when the packet drop threshold is exceeded. By default, a trap is generated when 1000 packets are lost in a 5 min interval.


(2 of 3)

19 SNMP


19.9 SNMP MIBs

SNMP-compliant devices, on the network components or agents, store data about the component in MIBS and return this data to the SNMP requestors. Procedure 19-15 describes how to access the SNMP MIBs.

Procedure 19-15 To access the SNMP MIBs


2 Click on the Get SNMP MIBs hyperlink. A download window appears.

3 Click on the Save button and navigate to the location to save the zipped file of the SNMP MIBs.

Process Down The critical trap is generated when any of the monitored processes on the 9900 WNG Central or Detector fail or a heartbeat is not detected at the 9900 WNG Central. A corresponding clearing trap is generated when the process returns to operation. The following processes are monitored:• For the 9900 WNG Central:

• Centrald• Compression• mysql• NTP Daemon• Snmp• System monitor• Tomcat

• For 9900 WNG Detectors:• Awared• NTP Daemon• System event reporter• System monitor

SNMP Access Attempt Failed (9900 WNG Central only)

The authorization failure trap is generated whenever there is an invalid attempt to access SNMP information from any northbound interface.

swapThresholdExceeded The critical trap is generated when the swap usage for the 9900 WNG Central or any of the 9900 WNG Detectors is greater than or equal to 50%. The trap is cleared when the usage is less than or equal to 10%.

trendAlerts A trend alert trap is generated when the trend level meets or exceeds the specified level.


(3 of 3)

19 SNMP



5 Navigate to the location of the zipped file of the SNMP MIBs, as chosen in step 3, and unzip the file. The following MIBs appear:

• ALU9900-ALARM-MIB.my• ALU9900-CENTRAL-MIB.my• ALU9900-DETECTOR-MIB.my• ALU9900-ROOT-REG.my• ALU9900-TC.my


20 Motive API

20.1 Motive API 20-2

20.2 Motive API security 20-3

20.3 Motive API user accounts 20-3

20.4 Motive API CLI commands 20-4

20 Motive API


20.1 Motive API

Motive is an Alcatel-Lucent product that provides a unified care environment for end-to-end visibility of the network with automated problem analysis and resolution. For more information about Motive, see:

http://www.motive.com/solutions/msm/msm.asp

The 9900 WNG provides an interface to Motive. The data from the 9900 WNG is used for advanced customer care support. The Motive product queries the 9900 WNG database to get information to resolve customer issues. By using the 9900 WNG and Motive, a service provider can offer advanced customer care for their customers, such as whether:

• the customer is receiving satisfactory data throughput on their mobile device• any configuration in the mobile device may be adversely affecting the customer

experience, such as DNS configurations • any data limitation issue may be adversely affecting the customer; for example,

the customer exceeded the bandwidth usage this month• any unsolicited traffic may be interfering with the resources of the customer

mobile device and any resulting in battery drain; for example, network attacks or port scans

• multiple mobile devices that the customer used have any device configuration issues

• any applications on the mobile device may adversely affect usability, such as:• peer-to-peer applications; for example, file sharing applications• viruses that are consuming excessive bandwidth• daemons; for example, e-mail client servers that periodically check for e-mails and

result in excessive signaling and airtime• the 9900 WNG identified the anomalies; for example, victims or originators of

excessive data usage• any network congestion caused a delay or disruption, and identify the congested

NE; for example, as an overloaded cell

The 9900 WNG provides a set of APIs to Motive. The APIs that use WSDL web service. The web services use HTTPS to ensure that the data exchange is secure, authenticated, and encrypted. The following additional layers of security are provided by the 9900 WNG:

• The Motive host (or the subnet) that sends the requests to 9900 WNG must be authenticated.

• Every API that sends messages must provide a username and password.

See section 20.2 for more information about security.

20 Motive API


20.2 Motive API security

the following security is provided for messages that are sent between the 9900 WNG and Motive API:

• The IP address of the Motive server, which starts the API, or the subnet must be configured.

• Every Motive transaction contains a username and password.• All of the data is encrypted.

CLI commands are used to configure the security functions for the Motive API. See Table 14-8 for information about the Motive API CLI commands.

20.3 Motive API user accounts

The following procedures describe how to create, delete, and display Motive API user accounts.

Procedure 20-1 To create a Motive API user account


2 Add the account and assign the password by typing:

api add user id password ↵

whereid is the username for the accountpassword is the password for the account, which contains 6 to 41 characters. Table 36-3 lists the special characters.

Procedure 20-2 To delete a Motive API user account


2 Delete a user account by typing:

api delete user id ↵

where id is the username of the account



Y ↵

20 Motive API


Procedure 20-3 To display Motive API user accounts

1 Log in to the CLI with the sudo or admin privilege, as described in Procedure 14-1 or 14-2.

2 Display the Motive API user accounts by typing:

show api users ↵

A list of Motive API user accounts appears.

20.4 Motive API CLI commands

Table 20-1 lists where to find information about CLI commands that are used the Motive API.

Table 20-1 Motive API CLI commands

Adding Motive API subnetsPerform 20-4 to add one or more Motive API subnets.

Procedure 20-4 To add Motive API subnets


2 Add a Motive API subnet by typing:

api add subnet subnet ↵

where subnet is the IP address of the Motive API subnet

You are prompted to add subnets.

The following is an example of the information that is displayed.

Add api subnet: 1.1.1.1/24

Add api subnet: 2.2.2.2/24

Add api subnet:

successfully added api subnet(s)

To See Procedure

To add Motive API subnets 20-4

To delete Motive API subnets 20-5

To display Motive API statistics 20-6

20 Motive API


Go to step 3.

3 Verify the Motive subnets by typing:

show api subnets ↵


2 ListedSubnets

1.1.1.1/24

2.2.2.2/24

Deleting Motive API subnetsPerform 20-5 to delete one or more Motive API subnets.

Procedure 20-5 To delete Motive API subnets



a Go to step 3 to delete one Motive API subnet.

b Go to step 4 to delete multiple Motive API subnets.

3 Delete a Motive API subnet by typing:

api delete subnet subnet ↵

where subnet is the IP address of a Motive API subnet

4 Delete all of the Motive API subnets by typing:

api deleteList subnet ↵

A confirmation request appears.

5 Delete the subnets by typing:

Y ↵

Displaying statistics and log filesPerform Procedure 20-6 to display Motive API statistics.

20 Motive API


Procedure 20-6 To display Motive API statistics


2 Display Motive API statistics by typing:

show api stats ↵

Statistics collected for the Motive API, which are the total number of transactions and average, minimum, and maximum durations for the following:

• applicationInfo• dataUsage• networkCongestion• subscriberInfo• subscriberIssues• deviceInfo

Procedure 20-7 To display Motive API log file

1 Log in to the CLI with the sudo or admin privilege, as described in Procedure 14-1 or 14-2.

2 Display Motive API log file by typing:

show log motive ↵

The log file contains the statistics that are collected for the Motive API, which are the total number of transactions and average, minimum, and maximum durations for the following:

• applicationInfo• dataUsage• networkCongestion• subscriberInfo• subscriberIssues• deviceInfo


GUI components

21 Dashboard view 21-1

22 Real-time Events views 22-1

23 Forensic View 23-1

24 Topology view 24-1

25 Network Forensics view 25-1

26 System View 26-1

27 Mobile Flow view 27-1

28 CLI view 28-1

29 Subscriber view 29-1



21 Dashboard view

21.1 9900 WNG Central Dashboard View overview 21-2

21.2 Dashboard View components 21-2

21.3 Plotting elements in the Dashboard View 21-5

21.4 Dashboard View components and controls 21-8

21.5 Configuring optional properties for dashboard elements 21-9

21.6 Modifying chart display properties 21-12

21.7 Moving a dashboard chart to a new dashboard 21-13

21 Dashboard view


21.1 9900 WNG Central Dashboard View overview

The 9900 WNG Central Dashboard View supports dragging and dropping of dashboard icons onto the dashboard.

The dashboard elements provide a snapshot of all active subscribers and display potential problems in the network such as excessive traffic on a specific HA or the health of the 9900 WNG Detector.

The following dashboard icons that represent NEs may appear on the dashboard depending on the network technology (CDMA or UMTS):

Dashboard features

The 9900 WNG Central dashboard provides the following features:

• You can dynamically change the number of columns (1 to 10) that appears for each NE dashboard view.

• The following dashboard preferences are automatically saved when you exit the GUI:

• dashboard NEs and placement on each of the dashboards• for incident and unidirectional NEs, individual threshold settings for each item and

which items are displayed in the NE• for plot NEs, chart properties including Parameter Selection, Network Elements

Selection, and Plots Color Selection• for plot NEs, Chart Duration and Chart Interval At Startup settings

• The GUI auto-discovers newly configured NEs and automatically updates the dashboard to show all configured Network Elements.

21.2 Dashboard View components

The first time that you open the GUI client, the Dashboard View appears and there are no elements in the dashboard view as shown in 16-1 in chapter 16. Figure 21-1 shows the components of the Dashboard View.

• HA• PDSN• CDMA RNC• Detector• GGSN

• SGSN• UMTS RNC• Incidents• Unidirectional

21 Dashboard view


Figure 21-1 9900 WNG window components Dashboard View

Table 21-1 describes the 9900 WNG Dashboard View components.

Table 21-1 9900 WNG Dashboard View components

Element icons

Element chartcontrols

Elementdisplay controls

Dashboard

Multi-dashboardcontrol

Intensitytables

Scroll bar

Minimizedelement

Elementchart

Dashboardcolumns

Dashboard

Columndisplaycontrol

Palettebutton

Icon palette

21177

Elementtitle bar


Dashboard components and controls

Dashboard Displays up to 12 element charts at a time

Icon palette Contains an icon for each type of element that you can display in the dashboard. See Dashboard elements for more information.

Element icons Represent the types of charts that you can plot in the dashboard. Drag and drop an icon to display the element chart in the dashboard.

Column display control Changes the number of columns in which the elements are displayed. You can view up to ten columns.

Dashboard columns

Palette button Toggles the display of the icon palette

Multi-dashboard control Returns the view of a new dashboard to the primary dashboard. See section 21.7 for information about how to move a plot to a new dashboard.

Dashboard element components and controls

Element chart Displays a graphical representation of the data that you can plot for each type of element. The x axis of a chart is always time. The y axis is configurable, as described in Procedure 21-2.

Intensity table Displays the intensity level of anomalous events and unidirectional flows

(1 of 2)

21 Dashboard view


Dashboard elements

The dashboard icon palette contains element icons that you drag and drop onto the dashboard view as shown in Figure 21-1. The element icons that appear in the palette depend on the data in the database. For example, UMTS icons do not appear unless one or more of the 9900 WNG Detectors has detected UMTS traffic. If traffic for a particular technology later appears while the GUI is operational, the corresponding icon automatically appear in the icon palette.

Table 21-2 lists the dashboard elements that are available and selectable from the icon palette.

Table 21-2 Dashboard elements that are available and selectable from the icon palette

Element title bar and display controls

Title identifies the type of element that is displayed in the dashboard. The displays controls are described in section 21.4.

Element chart controls Controls the display of the element chart. You use the context-sensitive drop down menus to plot the contents of the chart. See section 21.3 for information about how to use the controls and options.

Scroll bar Changes the time resolution of the element chart

Minimized element Displays the chart in a minimized format to enhance the usability of the dashboard workspace. You can collapse the view of the element chart using the element display controls, as described in Table 21-6


(2 of 2)

Dashboard element Description

Element charts

HA NE types that you can analyze in individual charts. You can select and compare multiple color-coded NEs based on parameters that you choose. See sections 21-3 and 21-5 for information about how to configure element charts.

PDSN

CDMA RNC

GGSN

SGSN

UMTS RNC

Detector

Element tables

Incidents Displays a view of the intensity and the count of events in the system. Each row represents a type of event. When you place your cursor on an event, a tooltip is displayed with additional information about the event. You can double-click on any row to open a dashboard plot for the specified event.

Unidirectional Highlights anomalous changes to unidirectional packet counts observed in the network. Excessive unidirectional traffic may indicate that an outage has occurred.

21 Dashboard view


21.3 Plotting elements in the Dashboard View

The following subsections describe how to:

• plot elements in the dashboard • configure the mandatory parameters to display the element chart

Maximum number of element plots

You can plot up to 12 elements in the dashboard at a time. This limit applies across all dashboards. For example, if you have 12 dashboards created with one NE in each, you will not be able to drag any additional NEs. Similarly, if you have 12 dashboards created and one dashboard has 12 NEs on it, you will not be able to drag additional NEs on any of the dashboards, including those with no NEs on them. When you reach the maximum number, the icon palette no longer appears and the palette button is dimmed.

You can plot only one Incidents table at a time. If you attempt to plot an additional table, the old one is removed and replaced by a new one.

Plotting procedures

Perform Procedure 21-1 to plot an element in the dashboard. After you plot the element, you must configure the parameters that you need to display in the element chart, as described in Procedure 21-2.

Procedure 21-1 To plot an element in the dashboard

1 Drag and drop an element icon to the dashboard from the icon palette. The element appears in the dashboard with the element chart controls displayed, as shown in Figure 21-1.

2 Repeat step 1 as required. You can add multiple plots of the same or of a different type from the icon palette.

Procedure 21-2 To configure mandatory parameters for element charts

1 Drag a network icon to the dashboard as described in Procedure 21-1.

2 In the Element Chart control view configure a value in the Plot drop-down menu. The drop-down menus are contextual and depend on the type of element and the value that you choose in the Plot menu. After you choose a value in the Plot, additional menus, if applicable, become active. The plot options are described in Tables 21-3 to 21-5.

21 Dashboard view


Table 21-3 Plot options

Table 21-4 RNC-specific plot options

Plot value Description Options

Active Mobiles Plot all active mobiles

Handoffs Plot all handoffs that occur in a specified direction

Direction (SGSN, PDSN, UMTS RNC, CDMA RNC):• In• Out• All

All traffic Plot all traffic that occurs in a specified direction using a specified unit of measure

Direction options:• M2I• I2M• M2M Up• M2M Down• All

Value options:• Bytes• Packets• Flows

Uni Directional Plot all unidirectional traffic that occurs in a specified direction using a specified unit of measure


Value options:• Bytes• Packets• Flows

TCP Reset Plot all TCP resets that occur in a specified direction


ICMP Unreachable Plot all ICMP unreachable events that occur in a specified direction


Performance Plot performance event of a specified type

KPI options:• Down RTT Max• Down RTT Min• Down RTT Mean• Saturated Throughput• Throughput• Path Loss

Plot Description Options

Connection Events Plot all connection events of a specified type

Event type options• Subscriber Orig Conn• Network Orig Conn• All

(1 of 2)

21 Dashboard view


Handoffs See Table 21-3.

All traffic

Uni Directional

TCP Reset

ICMP Unreachable

Performance


(2 of 2)

21 Dashboard view


Table 21-5 Detector-specific plot options

3 Click on the Go button to plot the data. The system generates the chart based on the specified parameters.

21.4 Dashboard View components and controls

This section describes how information is displayed in the Dashboard View, and how you can change the way that charts and tables are presented.

The Dashboard elements are automatically refresh every 60 s.


Events Plot a specified network anomaly event

Event type options:

• M2I PKTS, Flows, and Bytes

• I2M PKTS, Flows, and Bytes

• M2M PKTS, Flows, and Bytes Up

• M2M PKTS, Flows, and Bytes Down

• Active Mobiles• Uni M2I PKTS, Flows,

and Bytes• Uni I2M PKTS, Flows,

and Bytes• Uni M2M PKTS, Flows,

and Bytes Up• Uni M2M PKTS, Flows,

and Bytes Down• TCP-Resets I2M PKTS,

M2I PKTS, M2M UP PKTS, and M2M Down PKTS

• ICMP Unreachable I2M PKTS, M2I PKTS,

• ICMP M2M Up PKTS, Down PKTS

• SigAttacks Single Source

• RNC Overload• Battery Attack

Single Source• Port Scan Vertical• Port Scan

Horizontal• Always Active Sub• High Usage • Peer-toPeer

Mobile• Unwanted Src• Connection

Record• Mobile Flow• High Signaling

Subscribers• Battery Attack

Distributed• Flood Mobile

Single Source• Flood Mobile

Distributed• Router Discovery

Handoffs See Table 21-3.

All traffic

Uni Directional

TCP Reset

ICMP Unreachable

Performance

21 Dashboard view


Element display controls

Table 21-6 describes the element display controls that appear on the right side of the Element title bar, as shown in Figure 21-1.

Table 21-6 Element display controls

Axes controls

The x axis of a chart is always time. The y axis is configurable, as described in Procedure 21-2. You can change the x-axis time scale for a chart from 1 hour to 24 hours (the default is 24 hours).

The plots show the data for a 24-hour interval. You can view a shorter interval two ways:

• View a smaller region of the plot—place the mouse on the plot, hold down the left mouse button, and move the mouse down and to the left. To return to the 24-hour view, place the mouse on the plot, hold down the left mouse button, and move the mouse up and to the left.

• Move the slide bar below the plot to the right

21.5 Configuring optional properties for dashboard elements

After you plot a chart in the dashboard, you can modify the content of the chart by specifying chart properties or setting the intensity preferences for each type of dashboard element:

• Incidents and Unidirectional elements—you can set intensity preferences. Perform Procedure 21-3 to configure the intensity preferences for the Incidents or Unidirectional elements.

• GGSN, HA, PDSN, CDMA RNC, UMTS RNC, SGSN, and Detector NEs—you can specify chart properties including the parameters you need to plot, the NEs you need to compare, and the color to identify each NE. Perform Procedure 21-4 to configure the properties for charts.

Symbol Description

Double caret Expands or minimizes the dashboard element

Wrench icon Configures the properties for the element chart or intensity table

X Removes the dashboard element from the dashboard

Note The values for the last 1 hour are plotted every minute; values that older than 1 hour are plotted only every 6 minutes to improve the GUI performance.

21 Dashboard view


Procedure 21-3 To configure optional preferences for intensity tables

1 Left-click on the middle icon (wrench) on the right side of the title bar. The Intensity Preferences window appears. Figure 21-1 shows the Intensity Preferences window.

Figure 21-2 Intensity Preferences window

2 In the Intensity Preferences window, select the anomaly events that you need to plot or click the Select All button to plot all events in the system.

3 Set the intensity for each event type that you choose by doing the following:

i Highlight an item in the anomaly events list.

ii Set the intensity thresholds by dragging the top pointer (which represents the critical threshold) and the bottom pointer (which represents the warning threshold). The values are expressed in a range of 0 to 100. The value you choose also appears in numeric format in the field that indicates the color code associated with each threshold.

iii Repeat steps i and ii for each event type that you need to plot.

4 Click on the OK button to enable the settings.

21 Dashboard view


Procedure 21-4 To configure optional properties for element charts

1 Left-click on the middle icon (wrench) on the right side of the title bar. The Specify Chart Properties window appears with the Parameter Selection tab displayed. Figure 21-1 shows the Specify Chart Properties window.

Figure 21-3 Specify Chart Properties window

2 Select the parameters that you need to plot. The parameters are organized by type:

• Traffic Load• Unidirectional Traffic Only• Mobile Metrics• Performance KPIs• Networking Resets

3 Click on the Network Elements Selection tab to specify the NEs that you need to plot.

Note You can specify chart properties to display one property for multiple HAs or one HA with multiple parameters.

21 Dashboard view


4 Click on the Plots color Selection tab to specify the color for each NE that you need to plot. To change the color, perform the following sub-steps:

i Left-click on the color box adjacent to an NE. The Select Color widget opens

ii Choose a color from the Swatches, HSB, or RGB tabs.

iii Click on the OK button.

5 Click on the OK button to enable the settings.

21.6 Modifying chart display properties

The Dashboard View has a Properties menu that you can access by right-clicking on a selected chart.

Right-click customization options

You can customize the display properties for an element chart by right-clicking on the chart in the dashboard.

Table 21-7 describes the dashboard element properties.

Table 21-7 Dashboard element properties

Configuring chart display properties

The Dashboard View provides full customization of the chart display properties. Perform Procedure 21-5 to configure the chart display properties

Caution Right-click options are lost when the GUI is restarted. The only persistent items are the plots in the dashboard when you exit the GUI.

Property Description

Properties See Procedure 21-5

Save as Save the chart as a PNG image file to a directory

Zoom in / Zoom out Change the resolution of one or both axes in the chart

Auto Range

Select entries to plot Open the Specify Chart Properties window, as described in Procedure 21-4

Specify Chart Duration Changes the duration of the plot

21 Dashboard view


Procedure 21-5 To configure chart display properties

1 Right-click on a chart in the dashboard, and choose Properties. The Chart Properties window appears with the Title tab displayed.

2 In the Title tab, modify the title of the chart as follows:

• Textenter a title for the chart• Fontchoose a font type in which to display the title• Colorchoose a color in which to display the title

3 Click on the Plot tab to modify the chart as follows:

• Domain axis tabchoose a label, font, color, and tick (that is, the points in the chart) format

• Range axischoose a label, font, color, tick and range format• Appearancechoose a format and color for the plot line, the background color

for the chart, and the orientation (horizontal or vertical) for the plot line.

4 Click on the Other tab to modify the following:

• Background paintchoose a background color for the chart• Draw anti-aliasedselect this option to smooth the variations in the plot line.

The system automatically adjusts the y axis.• Other options in this window are dimmed and are not supported.

5 Choose OK. All changes take effect after the chart is refreshed.

21.7 Moving a dashboard chart to a new dashboard

Perform Procedure 21-6 to move a chart to a new dashboard.

Procedure 21-6 To move an chart to a new dashboard

1 Right-click on the title bar of the dashboard element. A pop-up window is displayed.

2 Click Move to New Dashboard. The NE is moved to a new dashboard. The dashboard also appears in the navigation menu under the Dashboard View. The new dashboard can be renamed.

3 Rename the new dashboard in the navigation tree if required. The default value for new dashboards is Dash#1, Dash#2, Dash#n.

21 Dashboard view



22 Real-time Events views

22.1 Real-time Events overview 22-2

22.2 Anomaly Events view 22-5

22.3 Performance Events view 22-10

22.4 Anomaly History view 22-12



22.1 Real-time Events overview

The 9900 WNG GUI supports monitoring and reporting of network events in real-time. You can display data about the following real-time events:

• Anomaly events• Performance events• Anomaly History

Data in the real-time events views are generated automatically by the 9900 WNG system. The real-time events views are intended for monitoring and diagnostic purposes, and are also the starting point for further investigation into anomalous network events.

Common features and components in the Real-time Events View

Figure 22-1 shows the Anomaly History view as an example of a real-time events view. This view contains GUI components that are common to all real-time events views.

Figure 22-1 Real-time Events common GUI components

Real-time Events common components

Table 22-1 describes the common components of the Real-time Events views.

Real-timeevents table

Table tabs Table column headings(event parameters)

Table rows(event

parametervalues)

Event Detailspanel

Eventcounter

Severityindicators

Tablecontrolbuttons

Event Detailsfields

21176



Table 22-1 Real-time Events common components

Columns in the Real-time Events View table

Table 22-2 describes the columns in the Real-time Events View and the types of views in which the columns appear.

Table 22-2 Real-time Events table columns


Real-time events table Displays data about the real-time events. Table 22-2

Severity indicators Display the severity and the status of the system events

Table 22-3

Table control buttons Control the behavior of the events table. Filter, clear, or export the data in the events table. Some panels contain additional controls to open other 9900 WNG GUI views.

Event counter Displays the number of events in the table

Event Details panel Displays detailed information about the event that is selected in the events table. The panel is the main location from which you begin to investigate an anomaly or performance event in real-time.

Table 22-7Table 22-9

Events Details fields Some fields are context-sensitive; they can be used to navigate dynamically to other views for information about the event.

Column Description Anomaly Performance Anomaly History

Sev Severity of the anomaly event. For more information, see Severity indicators for the Real-time Events View in this section.

Event Type Type of network anomaly event

Int Intensity of the attack. Each event has an intensity level. Reported values are 0 to 5, with 5 being the most intense. For a cleared event, the value reported is 0.

Latest Most recent occurrence of this type of attack

Detector Name of the 9900 WNG Detector on which the event was detected

Attacker Address of attacker

Cnt Number of incidents from this attacker

Creation Date and time that the event was detected.

Network Element The NE affected by the performance event

(1 of 2)



Severity indicators for the Real-time Events View

Table 22-3 describes the severity indicators that are displayed on the 9900 WNG GUI in the real-time events views.

Table 22-3 Severity indicators for real-time events

Param/Network Element

The content is context specific. If the event is a CONGESTION_ALERT, the column displays the NE (such as an HA, RNC, or PDSN) where the congestion is detected. If the event is a TREND_ALERT, the column displays the trend name.

Detector/NE Name of the 9900 WNG Detector on which the event was detected

Attacker/Param/NE Depending on event type, the content of the column can display:• NE name (in case of congestion alerts)• NAI (in case of port scans, high usage subscriber

etc.,)• IP Address (if the origin of the event is an

Internet source)• Multiple Sources (if the event is a distributed

battery attack in which the packets originate from multiple sources)

Column Description Anomaly Performance Anomaly History

(2 of 2)

Icon Severity and status Description

Critical Critical Anomaly Event, such as RNC Overload

Major Major Anomaly Event, such as:• Signaling Attack Single Src• Unwanted Source• PortScan Horizontal• PortScan Vertical• ICMP Router Discovery Abuse

Minor Minor Anomaly Event, such as:• Battery Attack Single Src• Battery Attack Distributed• P2P Mobile• Always Active Subscriber• High Usage Subscriber• Flood Mobile Distributed• Flood Mobile Single Src• High Signaling Subscriber

Warning Warning for an Event

(1 of 2)



22.2 Anomaly Events view

The purpose of the Anomaly Events view is to allow you to view and analyze the details of specific network events.

The following detailed information is displayed in this view.

• real-time events in the network • severity of the event• 9900 WNG Detector ID associated with the event• IP address of the attacker Mobile ID or Internet source• date and time of the event was creation and update • historic view of the events that were created and updated

Figure 22-2 shows the components in the Anomaly View.

Informational Informational System Event

Cleared Event is cleared

Critical/Cleared Critical Event that has been cleared

Major/Cleared Major Event that has been cleared

Minor/Cleared Minor Event that has been cleared

Warning/Cleared Warning for an Event has been cleared

Informational/ Cleared

Informational System Event that has been cleared

Icon Severity and status Description

(2 of 2)



Figure 22-2 Real-time Events Anomaly Events components

Anomaly Events view components

Table 22-4 describes the components of the Anomaly Events view.

Table 22-4 Anomaly Events view components

AnomalyEventtable

Table filters

Active fields

MobileFlow

buttonEvent counter

EventsDetailspanel

21133


Anomaly Events table

A system-generated table of all anomalies that are reported to the 9900 WNG Central from the 9900 WNG Detectors

Table 22-2 for a description of each column in the Anomaly Events table. See Table 22-5 for a list of anomaly events.

Severity indicators

Indicates the severity of the event Table 22-3

Table filters Filters the list of anomaly events by event type, Detector, or intensity

Procedure 22-1

Launch Mobile Flow button

Opens the Mobile Flow view for a detailed view about how the data traverses the network

Opening the Mobile Flow view

Event counter Displays the number of active events

Event Details panel

Displays details about the specified event Operations in the Anomaly Events Details panel

Active fields Context-sensitive fields that are used to navigate dynamically to other views for information about the anomaly event.



Anomaly event types

Table 22-5 lists the Anomaly event types. See chapter 33 for a detailed description of each type of event.

Table 22-5 Anomaly event types

Event Details in the Anomaly Events view

When you click on a row in the Anomaly events table, additional information about the event is displayed in the Event Details panel, as described in Table 22-6.

Table 22-6 Fields in the Events Details panel

9900 WNG event name Event name

Wireless attack events



BATTERY_ATTACK_DISTRIBUTED Battery attack from a group of sources

RNCOverload RNC Overload



ICMP_ROUTER_DISCOVERY_ABUSE ICMP router discovery abuse

Port scans and unwanted source events




Abusive subscriber events





Note The fields that appear in the Events Details panel depend on the technology (CDMA or UMTS) and the Event Type. A subset of the fields is displayed in the Event Details panel.

Fields

Attacker Intensity Active Time

Attacker IP RNC Id Active Ratio

Event Type Victim IP Up Bytes

(1 of 2)



Filtering Anomaly Events

You can filter events in the Anomaly Events view by Event Type, Detector, and Intensity. The filter is performed on the last 500 outstanding records that Anomaly Events view typically shows and does not show every outstanding event that meets the filter criteria.

Procedure 22-1 describes how to configure the Anomaly Events filter.

Procedure 22-1 To filter Anomaly Events

1 Locate the table control panel in the Anomaly Events table.

2 Configure one or more of the following filter preference fields:

a Event type drop down menu. Select one or more event types from the menu by clicking on the appropriate check boxes.

b Detector drop-down menu. Choose one of the following:

• the name of the 9900 WNG Detector that you need to monitor • All detectors

c Intensity.

The Contents of the Anomaly events table changes according to the filter preferences.

Start Time Victim Down Bytes

End Time #Ports Scanned #Orig Peers

Corr ID Port Scanned #Recv Peers

Severity #Hosts Scanned UpLink Vol

DownLink Vol Attacker ESN Attacker MSID

Victim ESN Victim MSID Application

Attack Duration Flood Volume IMEI

IMSI MSISDN

Fields

(2 of 2)

Note The default setting for records retrieved is 500. To change the setting, see section 33.9.



Working in the Anomaly Events view

This section describes the basic functions and advanced operations that you can perform in the Anomaly Events view.

Operations in the Anomaly Events Details panel

The main purpose of the Events Details panel is to allow you to view anomalies and to “drill-down” into the details of the problem. When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Anomaly table. Table 22-7 lists the operations that you can invoke from selected Events Details fields.

Table 22-7 Anomaly Events Details panel clickable fields


You can open the Mobile Flow view for a specified anomaly event by clicking on the Mobile Flow button. See chapter 27 for more information about how to use the features in the Mobile Flow view.

Event Details parameter value

Left-click on field

Right-click for contextual menu

Forensic View

Copy to Clipboard

History Filter

Subscriber Report

Whois <IP address>

Device Details

Corr ID

Attacker IP

Attacker IMSI

Attacker IMEI

Attacker MS ISDN

Attacker ESN

Attacker NAI

Attacker MSID

Victim IP

Victim NAI

Victim ESN

Victim MSID



22.3 Performance Events view

The Performance Events view displays real-time data about the following:

• Trend Alerts, which are applicable to specific network elements such as a PDSN or RNC

• Congestion Alerts, which are applicable to the link between two NEs

Performance events are closely coupled with the Network Forensic view that is described in chapter 25.

Performance Events view components

Figure 22-3 shows the components of the Performance Events View.

Figure 22-3 Performance Events view components

Table 22-8 describes the components of the Performance Events view.

Table 22-8 Performance Events components

21183

PerformanceEvent table

Table controlbuttons

EventDetailspanel

Severityindicator

Eventcounter


Performance Event table

A system-generated table of all performance events that are reported to the 9900 WNG Central from the 9900 WNG Detectors

Table 22-2 for a description of each column in the Performance Events table.

Severity indicators

Indicates the severity of the event Table 22-3

(1 of 2)



Configuring a Performance Events filter

You can filter events in the Performance Events view by Event Type and Intensity. Procedure 22-2 describes how to configure the Performance Event filter.

Procedure 22-2 To filter Performance Events

1 Locate the table control panel in the Performance Events table.

2 Configure one or more of the following filter preference fields:

a Select one of the following event types from the Event Type drop-down menu by clicking on the appropriate check boxes:

• All Events• Trend_Alert• Congestion_Alert

b Intensity

The contents of the Performance Events table automatically changes according to the filter criteria.

Working in the Performance Events view

This section describes the basic functions and advanced operations that you can perform in the Performance Events view.

Operations in the Performance Events Details panel

When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Performance Events table. Table 22-7 lists the operations that you can invoke from selected Performance Events Details fields.

Event counter Displays the number of outstanding performance events

Event details panel

Displays detailed information about the performance event that is selected in the events table.

Operations in the Performance Events Details panel

Table control buttons

Network Forensic button Opening the Network Forensic view

Table filters Procedure 22-2


(2 of 2)



Table 22-9 Performance Events Details panel clickable fields

Opening the Network Forensic view

See chapter 25 for more information about how to use the features in the Network Forensic view.

Historic queries for performance events

You can run historic queries on performance events using the Anomaly History view. For information about how to run historic queries, see section 22.4.

Performance events on Network Graphs

Alert and congestion trends are also displayed in the Network Graph view. For more information, see “Operations in the Network Graph view”.

22.4 Anomaly History view

The Anomaly History view displays a list of past anomaly events and performance events. Anomaly History events are presented in a tabular format as shown in Figure 22-1.

Anomaly History menu components and functions

The History Filter tab is automatically displayed when you click on the Anomaly History navigation menu item for the first time. After the filter query has been processed, you must click the Filter button to display the History Filter window.

Filtering Anomaly History records

The History Filter tab allows you to search for historical data using a variety of parameters. Procedure 22-3 describes how to configure the filter parameters.

Event Details parameter value Left-click on field


Network Forensic View

Forensic View

Copy to Clipboard

Network Forensic View

Corr ID

Network Element ID



Procedure 22-3 To filter Anomaly History records

1 Click on the Anomaly History item in the navigation menu. The History Filter tab appears, as shown in Figure 22-4.

Figure 22-4 History Filter tab

2 Select one of the following radio buttons to specify a value for the time period:

a Select the Specify Date radio button and enter values in the following fields:

• Start Time• End Time

You can enter a value for the date and time in the fields or you can left-click on the drop-down icon to display the calendar widget from which you can configure the date and time.

b Select the Specify Recent radio button and enter values in the following fields:

• Number drop-down menu• Unit drop-down menu



3 Specify the search criteria by selecting the check boxes adjacent to the following items that appear in the Search by panel:

4 Click on the View button. A tab opens in the Anomaly History view that lists the events that match the search criteria.

Anomaly History view componentsFigure 22-1 shows the components of the Anomaly History view and Table 22-1 describes the components of the Anomaly History view.

Working in the Anomaly History viewThe Anomaly History view is a historical repository for anomaly events. The view supports features that are the same as the Anomaly Events view. See “Working in the Anomaly Events view” in section 22.2 for more information.

• Event Type• Owner• Severity• Detector• Status• Intensity

• Source Type• Correlation ID• Attacker ID• Attacker IP• Victim ID• Victim IP


23 Forensic View

23.1 Forensic View overview 23-2

23.2 Forensic View menu components 23-2

23.3 Forensic View reports 23-3

23.4 Working in the Forensic View 23-5

23 Forensic View


23.1 Forensic View overview

You can use the Forensic View page to isolate and display network anomaly or performance events for monitoring and investigative purposes.

Generating Forensic View reports

Forensic View reports are derived from existing reports and must be manually generated. Table 23-1 describes how to generate Forensic View reports, and where to find more information.

Table 23-1 Generating Forensic View reports

When you generate an a forensic report, the Forensic View automatically appears with the Forensic View tab displayed. A corresponding sub-menu item appears under the Forensic View item in the navigation menu, as shown in Figure 23-1.

23.2 Forensic View menu components

You can click on the Forensic View menu item to display a window that contains two tabs:

• Forensic View• Historic View

Forensic View tab

Figure 23-1 shows the forensic view tab that appears when you click on the Forensic View menu.

Generated from See

Anomaly View Working in the Anomaly Events view in chapter 22

Performance Events Working in the Performance Events view in chapter 22

Anomaly History View Working in the Anomaly History view in chapter 22

23 Forensic View


Figure 23-1 Forensic View tab

The Forensic View and the Historic View each have a table that presents the data in the following columns:

• Forensic Criteria—the ID associated with the anomaly that you are investigating. You can click on a value in the column to open the corresponding report.

• Forensic Type—the type of anomaly that you are investigating• Executed At—the time at which you generated the report• Remove—check boxes that you can use to remove reports from the view

Historic View tab

The Historic View tab contains a list of forensic queries that are sorted from the most recent to the oldest. A maximum of 25 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI.

To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item in the Forensic View menu.

23.3 Forensic View reports

The Forensic View reports GUI provides detailed information about specified events in the network. Each Forensic View report can display up to 500 event records. If new events that meet the forensic filter criteria arrive and the number of records exceeds 500, the oldest events are removed. The oldest event that is displayed may not be the oldest event in the database. The start date is the oldest of the 500 displayed events. Figure 23-2 shows the components of a forensic view report.

23 Forensic View


Figure 23-2 Forensic View reports

Forensic reports components

Table 23-2 describes the Forensic View reports components.

Table 23-2 Forensic View reports components

21178

ForensicView reports

table


ForensicView

submenufor forensic

report

ForensicSummary

panel

Event Detailspanel


Forensic View submenu items

Lists the forensic reports that you generate. You can delete a report by right-clicking on a forensic event in the sub-menu and choosing Delete.

Forensic View reports table

Displays the data about each event Columns in the Forensic View table in this section

Table column headers (sort function)

You can use the headers to sort the rows in ascending or descending order.

Forensic Summary panel

Displays the time of the first and last event, the number of event instances, and the number of unique event types. Includes the Mobile Flow button, with which you can open the Mobile Flow report for the selected event.


Event Details panel

Displays detailed information about the event that is selected in the events table.

Section 23.4


Supports the following functions:• Close• Undock• Export to PDF• Export to CSV

Common features and functions in chapter 16

23 Forensic View


Columns in the Forensic View table

Table 23-3 describes the columns that appear in the Forensic View table.

Table 23-3 Forensic View columns

23.4 Working in the Forensic View

This section describes the basic functions and advanced operations that you can perform in the forensic view.

Operations in the Forensic Events Details panel

The main purpose of the Events Details panel is to allow you to view anomalies and to “drill-down” into the details of the problem. When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Forensic report table.

Table 23-4 lists the operations that you can invoke from selected Forensic report Events Details fields.

Column Description

Sev Severity of the anomaly event. For more information, see Severity indicators for the Real-time Events View in chapter 22.

Event Type Type of network anomaly event

Int Intensity of the attack. Each event has an intensity level. Reported values are 0 to 5, with 5 being the most intense. For a cleared event, the value reported is 0.

Creation Date and time that the event was detected

Detector/NE Name of the 9900 WNG Detector on which the event was detected

Attacker/Param/NE Depending on event type, the content of the column can display:• NE name (in case of congestion alerts)• NAI (in case of port scans, high usage subscriber etc.,)• IP Address (if the origin of the event is an Internet source)• Multiple Sources (if the event is a distributed battery attack in which

the packets originate from multiple sources)

Cnt Number of incidents from this attacker

Status The current status of the event

Corr ID The ID associated with the anomalous event

23 Forensic View


Table 23-4 Clickable fields for Forensic reports

Querying data in the Forensic Events Details panel

You can run a detailed forensic analysis on a specified parameter value by left-clicking on the corresponding field in the Forensic Events Details panel; see Table 23-4. Depending on the field that you choose, you can query the database for the following information:

• All event transitions in the same incident (that is, events with same correlation ID)

• Other events that were generated by the same Attacker IP address• Other events that were generated by the same Attacker ID

• mobile network access identifier (NAI) (user@realm)• mobile electronic serial number (ESN)• mobile subscriber identifier (MSID)

• Events that attacked the same victim IP address• Events attacking the same victim ID

• mobile NAI (user@realm)• mobile ESN• mobile MSID


You can open the Mobile Flow by clicking on the Mobile Flow button in the Forensic Summary panel. See chapter 27 for more information about how to use the features in the Mobile Flow view.


Left-click on field



Forensic View

Copy to Clipboard

History Filter

Subscriber Report

Whois <IP address>

Device Details

Corr ID

Attacker IP

Attacker IMSI

Attacker IMEI

Attacker MS ISDN

Attacker ESN

Attacker NAI

Attacker MSID

Victim IP

Victim NAI

Victim ESN

Victim MSID


24 Topology view

24.1 Topology view overview 24-2

24.2 Element Tables view 24-2

24.3 Network Graph view 24-6

24.4 Working in the Network Graphs view 24-8

24.5 Provisioning operations using the Network Element tables 24-11

24 Topology view


24.1 Topology view overview

The Topology view displays data about the NEs that are observed by the 9900 WNG Detector while monitoring the network traffic. The 9900 WNG can auto-discover some NEs; others need to be configured using the CLI.

The following NEs are auto-discovered:

The following NEs are configured using a CLI command:

• CDMA RNC (rncpcfmap CLI command, see Configuring CDMA RNC-to-PCF IP address mapping in section 12.2)

• UMTS RNC (rncSaiMap CLI command, see Configuring UMTS RNC-to-SAI mapping in section 12.2)

The Topology view provides two views, Element Tables and Network Graph.

24.2 Element Tables view

During initialization, the 9900 WNG retains information about all NEs in the network and displays the information in the Topology Element Tables view. Information about NEs are updated in real-time. When the 9900 WNG Detector detects a new NE, the NE appears on the screen. NEs are identified by the name, provider, and region, as provisioned by the user.

The Provider field for SGSN, GGSN, PDSN, and HA network elements in the network element tables are automatically populated based on a list of known IP addresses used by service providers. Unknown provider fields are populated within 6 hours. The provider field can be manually changed directly in the network element table to override any automatic settings. Not all service provider IP addresses are known; in such cases the Provider field for the SGSN, GGSN, PDSN, and HA network elements are not populated. The network element provider field is used when generating the Roaming report.

The Topology Element Tables view contains a tab for each type of NE, as shown in 24-1. NEs are removed from the view if no traffic is received for more than one day.

• HA• PDSN• GGSN

• SGSN• Detectors• Realms

24 Topology view


Figure 24-1 Element Tables view components

Table 24-1 describes the NEs that appear on the Element Table tabs.

Table 24-1 Element Table Home Agents tab

Table 24-2 Element Table PDSN tab

Label Description

Home Agent Name

Logical name of each Home Agent. You can set the Home Agent Name by double-clicking in the cell of the table and entering in the Name. Once set, this setting appears in the Topology screen for subsequent accesses across all users. Setting this field is optional.

Home Agent IP Address

IP address of the HA

Provider This setting is derived from a whois query on the IP address. This field is automatically populated one day after initial installation. If the 9900 WNG Central does not have network connectivity to do the whois query, this field is not set. To override the result from the whois query, you can change the provider name manually in two ways, if required:• use the show topology command from the CLI • double-click in the Provider cell to edit the text.

Region You can change the region name by double-clicking in a Region cell and typing a new name for the region. See Figure 24-1, which shows the region cell in row 4 as a text field.

Reporting Enabled

This check box specifies whether an NE is included or excluded in a report or a calculation that results in a report. To exclude a specific NE, deselect the check box. By default, NEs are included in reports.

Label Description

PDSN Name The logical name that can be given to each PDSN. You can set the PDSN Name by double clicking in the table cell and entering a name. After you configure the name field, the name appears in the Topology screens that are accessed by all users. This field is optional.

(1 of 2)

24 Topology view


Table 24-3 Element Table Detector tab

Table 24-4 Element Table Realm Mapping tab

Table 24-5 Element Table GGSN tab

PDSN IP Address IP address of the PDSN

Provider See Table 24-1 for information about the Provider.

Region See Table 24-1 for information about the Region.

Reporting Enabled

See Table 24-1 for information about the Reporting Enabled check box.

Label Description

Detector ID The name associated with each detector that has communications with Central. This name is assigned to the detector during initial provisioning of the detector using the detector add CLI command.

IP Address The IP address of the Detector management interface is used to communicate with the 9900 WNG Central.

Detector Region This field can not be changed.

Reporting Enabled


Label Description

Realm ID An internally assigned number for this realm.

Realm Value The realm part of a subscriber NAI. The realms of roamers may also appear in this list.

Label Description

Name A logical name that can be given to each GGSN. This label can be set in the GUI by double clicking in the cell of the table and entering in the name. After the name is configured, the name appears in the Topology screens for subsequent accesses across all users. Setting this field is optional.

IP Address The IP address of the Detector management interface that is used to communicate with the 9900 WNG Central.



Reporting Enabled


Label Description

(2 of 2)

24 Topology view


Table 24-6 Element Table SGSN tab

Table 24-7 Element Table CDMA RNC tab

Table 24-8 Element Table UMTS RNC tab

Working in the Element Tables

This section describes the basic functions that you can perform in the Network Graph view.

Label Description

Name The name field is a logical name that can be given to each SGSN. This label can be set in the GUI by double clicking in the cell of the table and entering in the name. Once set, this name appears in the Topology screens for subsequent accesses across all users. Setting this field is optional.

IP Address The IP address of the SGSN



Reporting Enabled


Label Description

RNC/MSC Name The CDMA RNC/MSC name is configured through the CLI using the rncPcfMap command which is used to map PCF IP Addresses to their associated CDMA RNC. Only the CDMA RNC ID (not the MSC) appears in this table.

PCF IP Address The PCF IP address of the CDMA RNC. This field cannot be changed in the GUI.



Reporting Enabled


Label Description

RNC Name The UMTS RNC name is configured through the CLI using the rncSaiMap command which is used to map SAI IP Addresses to their associated UMTS RNC.

SAI/CGI/RNC ID The identifiers for the UMTS RNC. This field cannot be changed in the GUI.



Reporting Enabled


24 Topology view


Sort by column

Each column in an element table is sortable in ascending or descending order.

Right-click operations

The events tables support the right-click operations described in Table 24-9.

Table 24-9 Clickable fields for element tables

24.3 Network Graph view

The network graph feature displays the network elements—HA, PDSN, GGSN, SGSN, RNC, BTS—in the network.

Opening the Network Graphs view

From the 9900 WNG GUI tree structure, click on the Network Graph. Depending on the type of deployment, a CDMA tab, UMTS tab, or both tabs are displayed. By default, only elements that are named (grouped) are displayed the graph.

Operation Description Applies to

Copy Selected Row(s) Copies the selected table row or rows to the clipboard

All tabs

Copy Single Cell Copies the selected cell to the clipboard. You can paste the value that you save into other fields.

Select All Rows Highlights all rows so that you can perform an operation such as export to CSV

Provision→Name Used for bulk provisioning operations. See section 24.5 for more details.

Home AgentPDSNGGSNSGSNCDMA RNCUMTS RNC

Provision→Provider Name

Provision→Region

Provision→Reporting

Export→Table as CSV Exports the entire table or the selected rows to a CSV file

All tabs

Export→Selection as CSV

Whois <IP address> Performs a whois query on the selected IP address cell

All IP address table cells except the Detector

24 Topology view


Figure 24-2 Sample network graph

Network Graph components and controls

Table 24-10 describes the components and controls of the Network Graph.

Table 24-10 Network Graph components

21179

NEs and connections


Tabs

Legend

Graph controls


Tabs Tab view buttonsto switch between CDMA and UMTS views

NEs and connections

Icons and line connectors. You can mouse-over an NE to:• display a pop-up window that contains information about the NE, such as NE

name, type, address, region, and provider• highlight the NEs to which the selected NE is connected

Legend Color code for and number of each type of NE displayed in the graph. The number of cells is contextual; that is, the number of cells associated with an RNC appears as 0 in the Legend until you display the cells associated with the RNC.

(1 of 2)

24 Topology view


24.4 Working in the Network Graphs view

You can perform the following operations in the network graph view. This section describes the basic functions and advanced operations that you can perform in the Network Graph view.

• switch between supported mobile technologies• search a node element in the network graph• reload data to the network Graph.• expand base stations• collapse base stations from a specific RNC• use network graph controls• view grouped elements in the network graph• view grouped and ungrouped elements in the network graph• view network forensic from network graph• display congestion and trend alerts• display mobile flow and subscriber path graphs

Display functions

The following sections describe how to use the display functions of the network graph.

Configuring Network Graph preferences

You can configure the number of base stations that are displayed using the Preferences menu. See Procedure 16-7 for information about how to configure the display preferences for the Network Graph.

Graph controls

Refresh buttonreload data on the network graph.Newly discovered and grouped elements are not automatically displayed on the graph. To display the latest snapshot, you must reload data on the network graph. The graph is updated automatically only when the system receives or clears a congestion or trend alert.

Distance sliderto increase or decrease the length of the links between NEs. The font size of the NE labels are unchanged.

Zoom sliderto zoom in or out of the graph

Search fieldto search for a node element in the network graph. Enter the network element name that you need to locate on the map. As you type characters, all the network elements starting with those characters are highlighted in a yellow background color, as shown in Figure 24-2. To clear the text in the field, click on the X symbol in the search field.

Legend buttonto toggle the display of the legend on the screen. In Figure 24-2, legends are displayed. Click this button to hide the legends.


(2 of 2)

24 Topology view


Mouse-over for NEs

To display information about an individual NE, hover your mouse over a NE. A tool tip appears that indicates the type of NE.

Displaying or collapsing cells associated with an RNC

By default, a cell is displayed on a network graph when there is a congestion alert and cell nodes are expanded. If you attempt to expand or collapse cells while the system is refreshing the graph view because of an alert, you might have to try for a second time before you can successfully expand or collapse the cells.

Double-click on the RNC to display the associated cells. See Figure 24-3 for an example of the cell view.

Figure 24-3 Example of an expanded cells view

Note The number of cells associated with an RNC appears as 0 in the Legend until you display the cells associated with the RNC.

24 Topology view


Collapsing cells

To collapse cells (that is, to remove the cells from the display), double-click the RNC icon.

Operations in the Network Graph view

You can view trend alerts and congestion alerts from the Network Graph view. A trend alert is applicable to a network element while a congestion alert applies to a link. The trend and congestion alerts also appear in the Performance Events view, as described in “Performance events on Network Graphs”.

• Trend AlertA NE with a trend alert is represented on the network graph with a red background. The background color of a network element turns red for any trend configured in the system. If the event clears, the background color is reset to the default color for the NE type.

• Congestion AlertA link between the nodes turns red when there is a congestion alert. If there is an active congestion alert and if one of the nodes involved is a cell, the cell is displayed on the network graph.

Generating Network Forensic reports from a Network Graph

You can invoke the Network Forensic View screen from a network graph. To invoke the Network Forensic View screen, right-click on an NE or link. Table 24-11 lists the command for each type of NE.

Table 24-11 Interactive controls

NE Right-click Opens See chapter

CDMA

Cell BSForensic Network Forensic Reports configuration form (for NE report)

25

HA HAForensic

PDSN PDSNForensic

RNC CDMA_RNCForensic

UMTS

Cell BSForensic Network Forensic Reports configuration form (for NE)

25

GGSN GGSNForensic

RNC UMTS_RNCForensic

SGSN SGSNforensic

Connections

Connector Hop Forensic Network Forensic Reports configuration form (for Hop report)

25

24 Topology view


24.5 Provisioning operations using the Network Element tables

A user with Admin privileges can change the setting for the following fields:

• Network Element Name• Provider• Region

When you name a network element, it becomes a part of the group. All groups must have the same provider and region. If you change the setting for the Provider or Region for an NE, the setting is applied to all network elements that belong to that group.

Naming convention

The following characters are allowed for NE, provider, or region fields:

":" , ";" , "‘" , "`" , "=" , "\"" , "?" , "(", ")", "", "", "~", "%", "*", "+", "|", "?", ">", "<", ",", "!", "@", "\\" , "$" , "^" , "[" , "]"

If you use an invalid character, the system generates an error message.

Bulk provisioning NE groups from the Element Tables

You can bulk provision a group of NEs from the Element Tables.

You can select up to 100 rows for bulk provisioning. If you select more than 100 rows, the system generates an error message.

Procedure 24-1 To provision NEs in bulk using the Network Element table

1 Click on the tab in the Network Element view that corresponds to the NEs that you need to provision.

2 Highlight the rows that you need to provision.

3 Right-click on the highlighted rows and choose Provision and one of the following options:

• Set tab Nameto provision a name for the selected NEs. The change applies to all members of the group.

• Set Provider Nameto provision a provider name for the selected NEs. The change applies to all members of the group.

• Set Regionto provision a common region name for the selected NEs. The change applies to all members of the group.

• Set Reportingto enable or disable reporting on the selected NEs

Note The value under the RNC-MSC Name column indicates the group name. Elements that have the same setting in the RNC-MSC Name column belong to the same group. Group names must be different between EV-DO and UMTS network elements.

24 Topology view


A window appears that corresponds to the option you chose in which you can specify a value for the parameter option.

4 Enter a value in the text field and click on the Save button. The system prompts you to confirm that you are applying the change to the entire group.

5 Choose Yes to apply the setting to all of the NEs that belong to the group (that is, the NEs with the same name).

Searching for NEs using the Network Element table

Perform Procedure 24-2 to search for the NEs that belong to the same group.

Procedure 24-2 To search for NEs using the Network Element table

1 Right-click on a tab and choose Search tabname.

Where tabname represents any tab in the Element Tables view except Detector.

A Search window appears.

2 Choose a search criterion by selecting the radio button beside one of the following parameters:

• IP Address• Name• Provider • Region

3 Enter a value in the text box that corresponds to the parameter you chose.

4 Click on the Search button. The system highlights the first row in the table that corresponds to the search criterion.

5 Click on the Search Next button to search for additional instances of NEs that match the search criterion.


25 Network Forensics view

25.1 Network Forensic view overview 25-2

25.2 Network Forensic view menu components 25-2

25.3 Network Forensic reports components 25-4

25.4 Working in the Network Forensic view 25-7



25.1 Network Forensic view overview

The Network Forensic view displays detailed data about the NEs that are monitored by the 9900 WNG Detector. The Network Forensic view is closely coupled with the Topology-Network Graphs view that is described in Chapter 24.

There are two types of network forensic reports:

• Hop Reports• Network Element reports

Hop reports

Hop reports provide information about the hops between two NEs. To generate hop reports, go to the Network Forensic Report input parameter page; for related information, see “Generating a Network Forensic report”.

Links with no traffic are aged out. You cannot create a hop forensic report for aged links. NEs are not dynamically updated on graphs, so you should refresh a network graph before you run a hop forensic report.

Network Element reports

Network Element reports display a snapshot of the activities for a specified NE and time period. The type of information in the report depends on the type of NE.

25.2 Network Forensic view menu components

You can click on the Network Forensic View menu item to display two tabs:

• Network Forensic Report tab—used to configure the parameters for the report• History—used to store a list of the 25 most recent network forensic queries

Figure 25-1 shows Network Forensic Report input parameter page that appears when you click on the Network Forensic View menu.



Figure 25-1 Network Forensic View menu and input parameter page

Generating a Network Forensic report

Network forensic reports are configured in two ways:

• dynamically, using the Topology-Network Graph, as described in “Generating Network Forensic reports from a Network Graph” in section 24.4. The type of report (NE or hop) and the NE (Network Element name, or Hop Start and Hop End) are automatically filled. The time range for the start and end date is the current time.

• manually, using the query form in the Network Forensic Report tab. See Procedure 25-1for more information.

Procedure 25-1 To generate a network forensic report

1 Click on the Network Forensic menu item in the navigation menu. The Network Forensic Report tab appears in the GUI.

2 Select one of the following preferences:

a Hop Report. Go to step 3.

b Network Element Report. Go to step 4.

3 Configure the Hop report parameters:

• Query Duration Selection Start Time and End Time. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget. See Calendar and time widget for more information.

• Hop Start and Hop End



Go to step 5.

4 Configure the NE parameters:

• Query Duration Selection Start Time and End Time. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget. See Calendar and time widget for more information.

• Network Element. Enter a valid

5 Select whether you want to generate a concise or detailed report. The options are:

• Selectedthe output consists of the information in the Statistics tab, as described in Network Forensic concise report components.

• Unselectedthe output consists of the information in multiple tabs, including the Statistics tab, Top Servers, Top Applications, Top Mobiles, Top Sources, as described in Network Forensic detailed report components.

6 Click on the Generate button to create the report.

History tab

The History tab contains a list of past network forensic queries that are sorted from most recent to oldest. A maximum of 25 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI.

The History tab presents data in a table with the following columns (from left to right):

• # (that is, Report Number)• Hop Start and Hop End columns• Executed At• Interval Start and Interval End columns• Actual Event Time• Remove

To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item in the Network Forensic menu.

25.3 Network Forensic reports components

The network forensic reports can be generated in a concise or detailed format.

Note Detailed reports take longer to process than concise reports. The time period for the report affects the number of records that the 9900 WNG must process.



Network Forensic concise report components

The concise format consists of the Statistics view. Figure 25-2 shows the Forensic view in the concise format.

Figure 25-2 Network forensic report in concise format

Statistics report

The Statistics report displays a snapshot of the activities for the NE for the time period specified in the input parameters page. The report also provides information about the volume of traffic that the network is handling. The type of information in the Statistics report varies depending on the type of network element.

From the Statistics report, you can modify the duration covered in the report or specify a concise report or detailed report.

Network Forensic detailed report components

In addition to the Statistics tab, detailed reports include the tabs listed in Table 25-1.



Table 25-1 Detailed Network Forensic reports tabs

Figure 25-3 shows the Network Forensic view in the detailed format.

Figure 25-3 Network Forensic report in detailed format

Chart view and table view in the detailed format

By default, the detailed reports tabs display data as charts. You can view information in each tab as a table or as a chart by clicking on the Show Table/Show Chart option. The tabular format supports clickable fields, as described in “Operations in the Network Forensic view”.

Tab Description

Top Servers Plots four pie charts:• by volume • by airtime • by signaling• by flows

Top Application

Top Mobiles

Top Sources Plots two pie charts:• by uplink volume• by downlink volume



25.4 Working in the Network Forensic view

This section describes the basic functions and advanced operations that you can perform in the Forensic view.

Export functions

The Network Forensic view supports report export functions. You can export the contents of the concise and detailed reports, as described in “Common features and functions” in section 16.4.

Sort functions for table data

Table data can be sorted in ascending or descending order by clicking on the table column header.

Operations in the Network Forensic view

Detailed Network Forensic reports that you display in tabular format support the clickable fields that are listed in Table 25-2.

Table 25-2 Clickable fields for Network Forensic detailed reports


Right-click options

Copy to Clipboard Whois <IP address>

Subscriber Report

Top Servers

Server IP (1)

Application

Proto

Port

Sum

Top Applications

Application

Prto

Port

Sum

Top Mobiles

Mobiles (2)

Top Sources

Mobiles (uplink volume) (2)

Servers (downlink volume) (1)



Notes(1) See also Using the whois query in chapter 16 for more information. (2) See also Generating subscriber reports in chapter 29 for more information.


26 System View

26.1 System View overview 26-2

26.2 System View menu icons 26-2

26.3 System Events view 26-2

26.4 System History view 26-5

26.5 Working in the System View 26-6

26 System View


26.1 System View overview

The System View is the main interface to monitor the status of the 9900 WNG system. The System View displays alerts that correspond to current and past events that represent potential operational problems. Alerts are integral to problem detection and troubleshooting activities. See chapter 38 for detailed descriptions about specific types of system events.

The System View has two menu items, each of which opens a GUI window:

• System Events• System History

26.2 System View menu icons

Table 26-1 describes the status indicators that may appear in the navigation menu next to the System Events and System History menu items.

Table 26-1 System View navigation menu status indicators

26.3 System Events view

This section describes the System Events view and the corresponding preferences that you can configure to manipulate the view. Figure 26-1 shows the System Events view.

Indicator Description

Arrow on a red background

Indicates an outstanding event condition that has caused a system event. This may include an Info severity system event condition such as Process Started or Packets Dropped which requires a manual clear to remove.

Arrow on a green background

Indicates that there are no outstanding system event conditions

Arrow on a purple background

Indicates that you have viewed all system events that are currently outstanding. If the GUI is on the System Event page, this symbol is always an arrow.

Exclamation point Indicates that there has been a change to the system events: a previously viewed event is cleared or a new system event is detected. An exclamation point (!) on a green background indicates that the last outstanding system event condition has cleared. When you view the System Event page, the exclamation point reverts back into an arrow.

26 System View


Figure 26-1 System Events view

System Events components

Table 26-2 describes the components of the System Events view.

Table 26-2 9900 WNG System Events components

21180

Tablecontrolbuttons

SystemEventstable

Eventcounter

Eventdetailspanel

Component Description Use to See

System Events table

Lists the current system events Display the active system events

Columns in the System Events table in this section


Displays two buttons:• Ack• Clear

Acknowledge or remove events in the table

Event counter Lists the number of events in the table Monitor the number of outstanding events

Event Details Displays detailed information about individual events in the table Includes the following:• Severity of the event• Reporting element• Status of the event• Correlation ID• Sub Object• A description of the event

View details about the event. You can right-click on the Correlation ID to copy the value to the clip board or to filter the data using the System Events Display Preferences window.

Procedure 26-1

26 System View


Columns in the System Events table

Table 26-3 describes the columns that appear in the System Events table.

Table 26-3 Columns in the System Events table

System Events display preferences

Perform Procedure 26-1to set the preferences for the System Events display.

Field Specifies

Severity Severity of the event. Varies depending on the type of event:• Critical: red• Major: orange• Minor: yellow• Clear: green• Warning: Cyan• Info: Dark Blue

Info severity events are generated only during an active GUI session. You can manually clear Info events. When you close the GUI, Info severity events are cleared.

Event type Type of system event. See chapter 38 for a description of each of the following system events:• License Violation• Link Down• Process Down• Process Start• CPU Usage• Disk Usage• Memory Usage• No packet• Packet Drop• Hardware Failure• Swap Usage• Queue Usage• Line rate threshold

Object ID The device where the system event was detected. The values indicate if the condition is associated with 9900 WNG Central or a specific 9900 WNG Detector.

Subobject ID Further qualifies the Event Type. The values vary depending on the type of system event. For more information, see the description page for the specific system event later in this chapter. Not all system events report a value for the Subobject ID field.

Condition Condition of the event

Value Varies according to the type of event. For more information, see the description page for the specific system event later in this chapter.

Create Time Date and time that the event was detected

Owner GUI user or administrator who acknowledged or cleared the event

Co_ID Correlation ID

26 System View


Procedure 26-1 To filter system events

1 Right-click on the value in the Correlation ID field and choose Filter from the contextual menu. The System Events Display Preferences window appears.

2 Configure the parameters in the table. The available search parameters are:

• Time Periodspecify a date and time range or the most recent N number of days, hours, minutes, and seconds

• The following parameters:• Event typesee Table 26-3 for a list of event types• Owner• Severitysee Table 26-3 for a list of severity indicators• Object IDCentral, specific Detector• ModuleMIP, tracker, detector, or GUI• Statusauto_cleared, active, acknowledged, manual_cleared, or

reset_cleared• Correlation ID

3 Click on the View button to view the filtered results. A tab appears in the System History view. The tab is identified as follows: Query: date and time stamp. The results are presented in a tabular format that is the same as the System Events table shown in Figure 26-1.

26.4 System History view

The System History view displays a list of past system events. System History events are presented in a tabular format that is the same as the System Events table shown in Figure 26-1.

The History Filter tab window is automatically displayed when you click on the System History navigation menu item for the first time, as shown in Figure 26-2.

26 System View


Figure 26-2 History Filter tab in System History view

The History Filter tab window has the same parameters as the System Events Display Preferences window, that is described in Procedure 26-1. After the filter query has been processed, you must click the Filter button to display the System Events Display Preferences window.

The event data can be exported to a CSV format report by clicking on the Report to CSV button. You can save the report to a directory.

26.5 Working in the System View

This section describes the basic functions and advanced operations that you can perform in the System View.

Operations

The System View is intended mainly a monitoring interface. However, to investigate a particular system event further, you can right-click on the Correlation ID field that appears in the Events Details panel of the System Events and System History views and copy the value to the clipboard. You can paste the value into another form to generate other reports.


27 Mobile Flow view

27.1 Mobile Flow records overview 27-2

27.2 Mobile Flow record components 27-3

27.3 Working in the Mobile Flow view 27-7

27.4 Considerations regarding Mobile Flow measurements 27-8

27 Mobile Flow view


27.1 Mobile Flow records overview

Mobile Flow records are flow usage records that combine the typical TCP/IP-based network flow information with wireless-specific information. Wireless specific information includes resource usage, air time, signaling overhead, and traffic related to individual subscribers and devices.

Mobile Flow menu and query form componentsFigure 27-1 shows the Mobile Flow query form that you can use to generate mobile flow records for IP addresses over a specified period of time.

Figure 27-1 Mobile Flow query form page

After you generate a mobile flow, a record for the query is produced and a corresponding submenu item appears in the navigation menu under Mobile Flow.

Generating Mobile Flow reports

Mobile Flow reports are generated from a form in the Mobile Flow tab. You can populate the Mobile Flow form as follows:

• Dynamically, using the Mobile Flow button that appears in the following views:• Anomaly Events, as described in “Opening the Mobile Flow view” in chapter 22• Anomaly History, as described in “Working in the Anomaly History view” in

chapter 22• Forensic Events, as described in “Opening the Mobile Flow view” in chapter 23

• Manually in the input parameters tab, as described in Procedure 27-1.

Procedure 27-1 To generate a Mobile Flow report

1 Click on the Mobile Flow menu item in the navigation menu. The Mobile Flow input parameters tab appears in the GUI.

2 Configure the input parameters, as described in Table 27-1.

27 Mobile Flow view


Table 27-1 Mobile flow input parameters

3 Click on the Mobile Flow Summary button to generate the report. The Mobile Flow records for the specified dates are displayed, as shown in Figure 27-2.

27.2 Mobile Flow record components

When mobile flow records are retrieved for a subscriber, the Mobile Flow Event Details, Performance, and Path tabs are displayed. Figure 27-1shows the components of a mobile flow record.

Parameter Option Description

Query Duration Selection

Start Time Text field and calendar widget. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget.End Time

Flow Peer #1 IP_1 IP address check box and text field. Select the check box and enter an IP address in the text field to filter by IP address.

ID_1 Mobile ID check box and text field. Select the check box and enter a mobile ID in the text field to filter by mobile ID.

Flow Peer # 2 IP_2 IP address check box and text field. Select the check box and enter an IP address in the text field to filter by IP address.

ID_2 Mobile ID check box and text field. Select the check box and enter a mobile ID in the text field to filter by mobile ID.

Select Flow Indicator

Peer #1 Orig Radio button. Select to specify only flows originated from Peer #1.

Peer #1 Resp Radio button. Select to specify only flows that are responded to by Peer #1

Peer #1 Either Radio button. Select to specify either flow direction

27 Mobile Flow view


Figure 27-2 Mobile flow record components

Table 27-2 describes the components of the Mobile Flow record.

Table 27-2 Mobile flow record components

Mobile Flowevent table

Mobile Flowfilter panel

Mobile Flowsummary panel

Mobile Flowsummary

button


Flow directionindicator

Mobile Flow inputparameters tab

Mobile Flowrecord tab

Event detailspanel tab

Mobile Flowevent details

panel

21134


Mobile Flow Event table

Contains headings and columns that display the parameters of the mobile flow. Each row represents an individual event in the network. The columns display the following information:• Direction of the flow • Start time • Originator IP address • Originator port number • Responder IP address • Responder port number • Protocol • Application type • Originator Packets • Responder Packets

(1 of 2)

27 Mobile Flow view


Event Details panel

The following subsections describe the tabs of the Event Details panel.

Mobile Flow Event Details tab

Table 27-3 list the fields that can appear in the Mobile Flow Events Details tab.

Flow direction indicators

Indicate the direction of the flow. The icons that appear in the event table and in the Mobile Flow Summary panel represent the following (displayed from left to right):• M to I (unidirectional)• M to I (bidirectional)• M to M (bidirectional)• I to M (unidirectional)• I to M (bidirectional)• I to M (mobile-originated)• M to M (unidirectional)

Clickable fields Perform other operations. Supports right-click commands on the Orig IP and Resp IP fields. See Section 27.3 for more information.

Mobile Flow Filter Criteria panel

• Start and end time of the attack• Originators IP address and/or ID• Responders IP address and/or ID• Flow of the attack (for example, Originator to Responder or Responder to

Originator or bidirectional)

Mobile Flow Summary button

Retrieve new data if you change the filter parameters in the Mobile Flow Filter Criteria panel

Mobile Flow Summary panel

• Recordsthe total number of records and a breakdown of the number by flow direction

• Distinctthe total number of individual peers and protocols involved in the mobile flow

• Totalthe total number of bytes, packets, airtime and connections

Event details panel Contains three tabs:• Mobile Flow Event Details • Performance• Path

Analyze details, performance indicators, and the associated network path. See Event Details panel in this section for more information.

Table Control buttons

Common control buttons:• Close• UnDock• Export to CSV

See Common features and functions in chapter 16.


(2 of 2)

27 Mobile Flow view


Table 27-3 Mobile Flow Events Details tab

Performance tab

Table 27-4 lists the fields that can appear in the Performance tab.

Table 27-4 Performance tab

Field Description

Duration Indicates the duration of the flow. The format is hh:mm:ss.ms.

Orig IMSI IMSI of the originator

Resp IMSI IMSI of the responder

Airtime Indicates the up and down airtime of the flow. The format is hh:mm:ss.ms/hh:mm:ss.ms.

O2R_Bytes The number of bytes transmitted from the originator to the receiver. If the flow is I2M, the originator is an Internet source and the receiver is a mobile device.

Orig MSISDN MSISDN of the originator

Resp MSISDN MSISDN of the responder

#Conn setup Number of connections

R2O Bytes The number of bytes transmitted from the receiver to originator

Orig IMEI IMEI of the originator

Resp IMEI IMEI of the responder

Open Indicates the method of opening a connection. For most TCP connections it is 'tcpSyn'. Typically TCP sockets are established when an originator sends a TCP packet with the SYN flag set, thus initiating a sequence number.

Detector The name of the 9900 WNG Detector that captures the data

Orig GGSN GGSN of the originator

Resp GGSN GGSN of the responder

Close Indicates that a flow was terminated. A value of finClose, which is a bit in the TCP header, indicates that the sender has no more data to send and is closing a TCP session. A value of flowTimeout indicates that the system waited for a specified period of time with no data flow; the flow was terminated.

Field Description

Throughput (kbps) Indicates the downlink TCP throughput for the flow. The throughput is calculated based on the amount of downlink bytes transferred over the busy interval. For more information about throughput measurements, see RTT measurements (in the Performance tab).

Saturated Throughput (kbps)

Indicates the downlink TCP saturated throughput for the flow. The value is based only on the flows that saturate TCP. For more information about the saturated throughput measurement, see Throughput measurement (in the Performance tab).

Down TCP Bytes Downlink data sent to mobile for this flow

(1 of 2)

27 Mobile Flow view


Path tab

The Path tab shows the path taken by the selected mobile flow.

The Path tab displays a graphical representation of the Cell ID, RNC, PDSN/SGSN, or the HA/GGSN through which packets for the flow traverse. The Path tab shares the same right-click and mouse-over features as the Network Graph. See Table 24-10 for information about mouse-over functions, and “Generating Network Forensic reports from a Network Graph” for information about interactions with Network Forensic reports.

27.3 Working in the Mobile Flow view

This section describes the basic functions and advanced operations that you can perform in the Mobile Flow View.

Operations in the Mobile Flow Event Details panel

The Mobile Flow Event Details tab supports right-click operations that allow you to retrieve information about the mobile device that is involved in the mobile flow. Right-click on Orig ESN field and chose Device Detail. A pop-up appears that lists the manufacturer, model, and band of the device identified by the ESN.

Duration Total duration of this flow (hours:minutes:seconds:milliseconds)

RAN Loss Rate The TCP packet loss rate for the data sent to mobile

Downlink RAN Loss Number of TCP packets lost in the downlink

Downlink Total Pkts Total number of packets sent to the mobile

Srvr Syn RTT (ms) Round Trip Time seen for TCP Syn messages between the detector and the remote server

RAN Syn RTT (ms) Round Trip Time taken for TCP Syn messages between the detector and the mobile. For information about how RAN RTT is calculated, see RTT measurements (in the Performance tab).

Avg Data RTT (ms) Average Round Trip Time

Min Data RTT (ms) Minimum Round Trip Time

Max Data RTT (ms) Maximum Round Trip Time

RTT Samples Number of samples (packets) considered while computing the above RTT parameters

Syn Acks Number of TCP Syn Acks

Syn Sent Number of TCP Syn sent message

Timeout Number of TCP Syn Timeouts

Note There may be a slight delay in displaying the path.

Field Description

(2 of 2)

27 Mobile Flow view


Opening Network Forensic reports from the Path tab

The Path tab shares the same features as the Network Graph in the Topology view. The right-click operations that open the Network Forensic reports from the Network Graph, which are described in Table 24-11, are supported from the NEs and paths that appear in the Path tab of the Mobile Flow Event Details panel.

27.4 Considerations regarding Mobile Flow measurements

RTT measurements (in the Performance tab)

RTTs are measured based on the shortest TCP Ack messages seen in the network. Standard TCP implementations implement delayed ACKs to save resources.

Figure 27-3 shows the TCP ACK messages exchanged between the mobile and the server.

Figure 27-3 TCP ACK messages exchanged between the mobile and the server

The message, t1, is not acknowledged by the mobile due to Delayed ACK implementations. Since the t3 message is the acknowledgement for message t2, the RTT is measured as the interval between t3 and t2. The diagram also depicts message t5 acknowledged in response to t4 after a brief delay of 'td' duration. Therfore, measuring RTT as (t5 - t4) is not accurate.

If accurate RTT cannot be calculated, the 9900 WNG does not report them.

Throughput measurement (in the Performance tab)

Throughput is calculated based on the volume of traffic that was transferred over the busy interval.

27 Mobile Flow view


Figure 27-4 shows that the traffic from the server to the mobile is sent and the mobile in turn sending responses (such as TCP Ack) over the interval t1 to t6. This interval is termed as busy time, since the data transfer is active during this interval.

Figure 27-4 Traffic from the server to the mobile

In contrast, the interval between t6 and t7 is not considered busy, since there is no data transfer. The interval between t8 and t9 is busy as well. The throughput is calculated as the ratio of data transferred over the busy interval and the busy interval. Some applications such ssh, telnet, and so forth, have a lot of idle time and hence calculating the throughput (as data transferred over the duration of the session) yields values that are much smaller than the 'true' throughput of the link.

While computing the throughput, if the 9900 WNG detects inaccuracies (such as when the ACK from mobile is much later than the 'busy' traffic, potentially indicating delayed ACKs), the throughput is not reported.

27 Mobile Flow view



28 CLI view

28.1 CLI view 28-2

28 CLI view


28.1 CLI view

The CLI item in the navigation menu allows you to open the command line interface to the 9900 WNG Central server in the GUI workspace.

The first time that you log in to the CLI interface in each session a dialog box appears that asks you to confirm that you have the correct RSA authentication key. Click on the yes button to continue. The welcome screen for the CLI view appears and the CLI cursor appears at the central prompt:

Last login: Mon Jun 7 13:17:59 2010 from machine.com

Welcome 9900 WNG user!

Last login:

pts/15 caottx01234.ca.a Mon Jun 7 13:42:14 -0400 201

central>

You can use the CLI to issue 9900 WNG OA&M commands to the 9900 WNG Central and Detector. See chapter 14 for a complete list of all CLI commands for the 9900 WNG.


29 Subscriber view

29.1 Subscriber overview 29-2

29.2 Subscriber menu components 29-2

29.3 Characteristics of subscriber reports 29-4

29.4 Generating subscriber reports 29-4

29.5 Components of subscriber reports 29-7

29.6 Statistics tab 29-8

29.7 Top Applications tab 29-8

29.8 Top Servers tab 29-10

29.9 Anomaly Events tab 29-11

29.10 Flow/Session tab 29-11

29.11 Path tab components 29-14

29.12 Billing tab 29-15

29 Subscriber view


29.1 Subscriber overview

You can generate reports from the Subscriber view by manually executing queries based on data that you derive from existing reports. Subscriber reports provide a broad range of information about the following:

• subscriber activities, including the applications used by a subscriber and the anomalous events associated with a subscriber as either attacker or victim

• network elements and paths traversed by the traffic generated by a subscriber• network resources, such as traffic volume, airtime, signaling that a subscriber

consumes• servers, such as Google, or mail servers that the subscriber used• traffic flows for specific sessions• billing mismatches that may occur for a subscriber

29.2 Subscriber menu components

You can click on the Subscriber menu item in the navigation menu to display the following tabs:

• Subscriber Reports • Active Reports• Historic Reports

Figure 29-1 shows the Subscriber Reports query form that appears when you click on the Subscriber menu item.

Figure 29-1 Subscriber reports query form

29 Subscriber view


Subscriber view components

When you click on Subscriber in the navigation menu, the Subscriber Reports tab appears, as shown in Figure 29-2.

Table 29-1 describes the components of the Subscriber tab.

Table 29-1 9900 WNG Subscriber view components

Active Reports and Historic Reports tabs

The Active and Historic Reports tabs contain a list of subscriber queries that are sorted from the most recent to the oldest.

Each tab has a table that presents the data in the following columns:

• Report Criteria• Report Type• Executed At• Start Date• End Date• Remove

A maximum of 100 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI.

To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item under Subscriber in the Navigation menu.

Component Description Use to See

Subscriber Reports tab Query form to specify the parameters for the subscriber report

Generate a report for a specific time period and subscriber

Section 29.4

Active Reports tab Displays the reports that are in progress. You can click on the hyperlink in the Report Criteria column to display the report. You can remove one or more of the reports from the list.

Monitor and manage a list of current reports

Active Reports and Historic Reports tabs

Historic Reports tab Displays the completed reports. You can click on the hyperlink in the Report Criteria column to display the report. You can remove one or more of the reports from the list.

Monitor and manage a list of historic reports

Subscriber menu sub item Menu item that is created when you generate a report about a specific subscriber

Navigate to a specific subscriber report

29 Subscriber view


29.3 Characteristics of subscriber reports

Subscriber Report output is based on a time window. If Flow/Session activity is outside the requested time window, implementation is as follows:

• Flows: flows that start in window, statistics include any interim period that happened in +/- 1 hour window

• Sessions: sessions that start/end in +/- 4 hour window, gets statistics for interim session records that occur

• Anomalies: shows anomalies that were active any time in the window

Reported values:

• The value that is reported for Effective Rate for Flows is calculated as bytes/flow duration, so the accuracy of the calculation as a rate depends on nature of flow traffic.

• The value that is reported for Effective Rate for Sessions is calculated as bytes/actual airtime and duration, which makes it more accurate measure than flow effective rate.

• The Cumulative Resource usage plot in the Flow/Session tab assumes linear usage over the life of flow.

The following limitations apply:

• If a flow or session has started, but does not have an interim or end record, statistics are not reported for that flow/session. A session can display zero volume, but flows show traffic.

• For accurate numbers, specify a time period that includes the session end to capture all information for one or more subscriber sessions.

29.4 Generating subscriber reports

You can generate subscriber reports for one or more subscribers in a specific time period. Depending on the event type and the subscriber activity, a subscriber is classified as an attacker or a victim.

Acquiring subscriber IDs

Subscriber reports are queries based on a specified mobile or device ID. You can acquire the IDs in two ways:

• copy a mobile or device ID from a report and paste it into the appropriate field in the Subscriber Reports tab, as described in Procedure 29-1

• open the Subscriber Reports tab directly by clicking on a field in one of the following:

• Events Details panel of a report• Top Mobiles or Top Sources tables in the Network Forensics view

29 Subscriber view


Procedure 29-1 To configure and generate a subscriber report


a To generate a subscriber report from data that you cut and paste from another report table or Events Details panel, go to step 2.

b To open the Subscriber Reports query form directly from a field in an Events Details panel, go to step 8.

2 Click on Subscriber in the navigation menu. The Subscriber Reports tab appears, which contains a query form to configure the time period and subscriber criteria for the report.

3 Specify the time period for the report, as described in Table 29-2.

Table 29-2 Subscriber report input parameters - Time Period

4 Configure the Subscriber Criteria in the query form by performing one of the following:

a Go to step 5 to configure the By Mobile ID (NAI/IMSI) option.

b Go to step 6 to configure the By Device ID (ESN/IMEI) option.

c Go to step 7 to configure the By Multiple Mobile IDs (NAI/IMSI) option.

5 Configure the By Mobile ID (NAI/IMSI) option.

i Click on the By Mobile ID (NAI or IMSI) radio button.

ii For the first field, enter an ID.

iii For the second field, perform one of the following:

• Choose a provider from the drop-down menu or enter a provider.• Enter an known ID in the field.• Paste an ID in the field that you have copied from another form.

Go to step 9.

Note The duration of the time period can affect the 9900 WNG system performance. The longer the duration, the longer the 9900 WNG needs to return results. Queries consume computational resources such as CPU, swap space, database connections, and temporary table space on the 9900 WNG Central server. Only one query per GUI is allowed at a time for the Network Forensic, Subscriber report, or Mobile Flow. If you attempt to run a list of Subscriber and Network Forensic queries, the queries are queued one at a time for execution.

Parameter Option Description

Query Duration Selection

Start Time Enter a date and time in the text field or left-click on the drop-down icon to display a calendar. You can specify a time period of up to 30 days. End Time

29 Subscriber view


6 Configure the By Device ID By Device ID (ESN/IMEI) option.

i Click on the By Device ID By Device ID (ESN/IMEI) radio button.

ii Perform one of the following:

• Enter an known ID in the field.• Paste an ID in the field that you have copied from another form.

Go to step 9.

7 Configure the By Multiple Mobile IDs (NAI/IMSI) option.

i Click on the By Multiple Mobile IDs (NAI/IMSI) radio button.

ii Click on the combo box. The Type in a multiple line string window appears.

iii Enter an ID on each line. For example, multiple NAIs must appear as follows:

[email protected]

[email protected]

[email protected]

iv Click on the OK button.

v Choose one of the following radio buttons:

• Individual, to create one report for each Mobile ID• Group, to create one report for the group of Mobile IDs

Go to step 9.

8 Open the Subscriber Reports page directly from one of the following forms. The data for the ID that you select is automatically entered in the query form.

a Real-time Events anomaly event view. Right-click the NAI, IMSI, ESN or IEMI field in the Event Details panel and choose Subscriber Report. See Table 22-7 for more information.

b Network Forensics view. Right-click on the Mobiles field in the Top Mobiles or Top Sources tables and choose Subscriber Report. See Table 25-2 for more information.

9 Click on the Generate button. A progress bar appears. You can access completed reports during the generation of a report.

After the data is collected, the Subscriber Reports window appears with the Statistics tab displayed, as shown in Figure 29-2.

29 Subscriber view


Figure 29-2 Subscriber Report showing the statistics tab

29.5 Components of subscriber reports

Table 29-3 describes the components of the Subscriber reports view.

Table 29-3 Subscriber reports view common components

21181

Subscribermenu withsubscriber

reportsubmenu

Subscriberreports

workspace

Plots

Report control buttons

Subscriberreport filters

Subscriber report tab buttons


Subscriber Reports filters

Displays the values for the time and subscriber parameters that you configure in the Subscriber Reports tab

Procedure 29-1

Subscriber menu with Subscriber Report submenu

Lists the subscriber reports that you generate in the navigation menu

Report control buttons Flow Details buttongenerates a detailed flow report. Applies only to the Flow/Session tab.

Section 29.10

Exportexports all data in the subscriber report to a CSV formatted file. Applies to all of the tabs except Path.

Common features and functions in chapter 16

Closecloses all tabs in the subscriber report. Confirmation required. Applies to all tabs

(1 of 2)

29 Subscriber view


29.6 Statistics tab

Table 29-4 describes the specific plots in the Subscriber Statistics tab. Figure 29-4 shows an example of the Statistics tab.

Table 29-4 Subscriber Reports window - Statistics tab

29.7 Top Applications tab

The Top Applications tab displays four pie charts that represent data for the five most used applications by the mobile, as shown in Figure 29-3.

Subscriber reports workspace

The area of the GUI where the subscriber data is plotted

Sections 29.6 to 29.12 for information about the type of data that is displayed in the workspace

Plots Detailed data about the subscriber. The format depends on the type of data, and can include tables, pie charts, bar graphs, or line graphs


(2 of 2)


Subscriber Totals Summary that lists:• uplink, downlink, and total statistics for:

• bytes• airtime• signaling

• flows and volumes for:• internet to mobile• scans

• total and completed number of sessions• average duration of a sessionA subscriber may have

more than one session. If there are multiple sessions, the average duration specifies the average time that the sessions lasted.

Protocol Breakdown by Volume Pie chart that displays the protocol breakdown, such as, TCP, UDP, ICMP, by volume

Mobile Originated Flow Distribution Bar graph that displays the percentage of flows by packets per flow that originated from the subscriber

Internet Originated Flow Distribution Line graph that displays the percentage of flows by packets per flow that the subscriber received from the Internet

29 Subscriber view


Figure 29-3 Subscriber Reports window - Top Applications tab

The data in the pie charts are from the destination port numbers in flows that were originated by the mobile in the time period that was specified in the subscriber report. The tab also includes any applications that were configured using the applicationMap CLI command.

Internet originated flows are not used to determine the top applications, and therefore, the pie charts may not include some streaming traffic.

Table 29-5 describes the components of the Top Applications view.

Table 29-5 Subscriber Reports window - Top Applications tab


Applications by Volume Pie chart that displays the top applications used in the network by percentage

Applications by Airtime Pie chart that displays the percentage of airtime consumed by the top applications

Applications by Signaling Pie chart that displays the percentage of signaling consumed by the top applications

Applications by Flow Pie chart that displays the percentage of flows associated with the top applications

29 Subscriber view


You can export the contents of the Top Applications reports, as described in “Common features and functions” in section 16.4.

When you export the subscriber report to a CSV file, the file contains the top 50 applications. The top applications are exported in four separate .csv files; one file for each of the following volume, airtime, signaling, and flow count.

29.8 Top Servers tab

The Top Servers tab displays four pie charts that represent data for the five most accessed servers in flows that were initiated by the mobile, in the time period that was specified for the subscriber report. Figure 29-4 shows the Top Servers tab.

Figure 29-4 Subscriber Reports window - Top Servers tab

Internet originated flows are not used to determine the top servers and therefore, the pie charts may not include some streaming traffic.

Table 29-6 describes the components of the Top Servers tab.

29 Subscriber view


Table 29-6 Subscriber Reports window - Top Servers tab

You can export the contents of the Top Servers reports, as described in “Common features and functions” in section 16.4.

When you export the subscriber report to a CSV file, the file contains the top 50 servers. The top servers are exported in four separate .csv files; one file for each of the following: volume, airtime, signaling, and flow count.

29.9 Anomaly Events tab

The Anomaly Events tab lists the anomaly events that were active for the specified subscriber during the specified the time period. The subscriber can be an attacker or victim. There is one row for each incident. See “Anomaly Events view” in chapter 22 for information about the Anomaly Events table.

You can export the contents of the Top Servers reports, as described in “Common features and functions” in section 16.4.

29.10 Flow/Session tab

The Flow/session displays three time-based plots that measure the flow of the specified session. Figure 29-5 shows the components of the Flow/Session view.


Servers by Volume Pie chart that displays the top servers by IP address and the percentage of the total traffic processed by the server

Servers by Airtime Pie chart that displays the top servers by IP address and the percentage of the total airtime processed by the server

Servers by Signaling Pie chart that displays the top servers by IP address and the percentage of the total signaling processed by the server

Servers by Flow Pie chart that displays the top servers by IP address and the percentage of the mobile flows processed by the server

29 Subscriber view


Figure 29-5 Subscriber Reports window - Flow/Session tab

Table 29-7 describes the components of the Flow/Session tab.

Table 29-7 Subscriber Reports window - Flow/Session tab

21182

Plots


Plot controls

Y axisdrop-down

menu

X axis time

Plot control– legend


Plots Three graphs:• Mobile Flow• Session• Cumulative Resources

Plots in the Flow/Session tab in this section


• Flow Details Flow Details button in this section

• Export• Close

Table 29-3

Plot control legends Mobile Flow legendindicates whether the flow originated from the mobile or from the Internet and whether the flow was unidirectional or bidirectional

Cumulative Resource legendindicates the direction of the data as uplink or downlink

(1 of 2)

29 Subscriber view


You can export the contents of the Flow/Session report, as described in “Common features and functions” in section 16.4.

Plots in the Flow/Session tab

The Flow/Session tab of the Subscriber report contains the following plots, which share the same time x-axis:

• Mobile Flow chart (upper chart)• Session chart (middle chart)• Cumulative Resources chart (lower chart)

Mobile Flow chart

Each flow is represented by a horizontal line spanning the duration of the flow. Short flows or flows with one packet often appear as a dot (.) on the plot. The Y-axis represents a parameter selected from the Change Y axis drop-down on the right side of the plot.

By default, the number of flows that can be displayed is 200. You can change the limit by using the Preferences menu on the GUI, as described in Procedure 16-6.

Table 29-8 lists the Y-axis parameters that you can display in the Mobile Flow plot.

Table 29-8 Mobile Flow plot Y-axis options

Change Y axis drop-down menu

Specifies the parameter for the Y axis. You can change the Y axis in the plot.

Plots in the Flow/Session tab in this section for information about the parameters that you can plot

X axis (time) Specifies the time range for the report. All plots share the same X axis. A flow or session can start before or after the beginning of the specified time period.

Procedure 29-1


(2 of 2)

Parameters

Uplink bytes Downlink bytes per packet Maximum TCP RTT (ms)

Downlink bytes Downlink TCP Packet Loss Count

TCP RTT Samples

Total bytes Downlink TCP Packet Loss Rate (%)

Server TCP Syn RTT (ms)

Saturated Throughput (kbps) Average TCP RTT (ms) RAN TCP Syn RTT (ms)

Uplink bytes per packet Minimum TCP RTT (ms) TCP Syn Retries

29 Subscriber view


Session chart

Each session (PPP session for CDMA or PDP context for UMTS) is represented by a horizontal line spanning the duration of the session. The y-axis represents a parameter selected from the Change Y axis drop-down menu on the right side of the plot.

Table 29-9 lists the available Y-axis parameters that you can display in the Session plot.

Table 29-9 Session plot Y-axis options

Cumulative Resources chart

The bottom plot represents the cumulative volume, airtime, or signaling (selected from the Change Y axis drop-down menu on the right side of the plot) caused by the subscriber's flows in the time window.

The Y-axis parameters that you can display in the Cumulative Resources plot are:

• Cumulative Volume(bytes)• Cumulative Airtime(seconds)• Cumulative Signaling(connections)

Flow Details button

You can click on the Flow Details button to display the flow in a table format in a separate tab. The data is presented in the same way as mobile flow data. See chapter 27 for information about how to use and interpret flow data.

29.11 Path tab components

The Path tab displays the network map and isolates the NEs associated with the subscriber activity. The data is presented in the same way as network graph. See “Network Graph view” in chapter 24 for information about how to use and interpret the network graph.

You can export the contents of the Flow/Session report, as described in “Common features and functions” in section 16.4.

Parameters

Uplink bytes Saturated Throughput(kbps)

Downlink bytes Downlink Throughput(kbps)

Total bytes Downlink TCP packet loss count

Effective Uplink Rate(kbps) Downlink TCP loss

Average TCP RTT

29 Subscriber view


Path panel interactions with Graphics view and Forensic reportsThe right-click operations that open the Forensic reports parameters input page, which are described “Generating Network Forensic reports from a Network Graph” in chapter 24 are supported for the NEs and paths that appear in the network path tab.

29.12 Billing tab

The Billing tab displays the billing mismatch summary data and information for each session mismatch. Figure 29-6 shows the components of the Billing tab.

Figure 29-6 Subscriber Reports window - Billing tab

Table 29-10 describes the components of the Subscriber billing tab.

Table 29-10 Subscriber Reports window - Billing tab

You can export the contents of the Billing report, as described in “Common features and functions” in section 16.4.

See “Billing Discrepancy report” in section 31.7 for more information.

Column or field

Start Time Recv Bytes Acct Airtime (secs)

End Time Acct Recv Bytes Orig Pkts

Excess Bytes Conns Acct Orig Pkts

Orig Bytes Acct Conns Recv Pkts

Acct Orig Bytes Airtime (secs) Acct Recv Pkts

29 Subscriber view



Browser-based reporting and management

30 Browser-based reporting overview 30-1

31 Configuring browser-based reports 31-1

32 Subscriber Group Manager 32-1



30 Browser-based reporting overview

30.1 Browser-based reporting overview 30-2

30.2 Generating a browser-based report 30-2

30.3 Input parameters page components 30-3

30.4 Report presentation page 30-6

30.5 Report types 30-7

30.6 Exporting reports 30-12



30.1 Browser-based reporting overview

Browser-based reports are intended to provide operators and network analysts with information about short and long-term trends in network events and activities. The reports collate and present the data that is collected by the 9900 WNG Detectors. The reports are web-based and accessed from a link on the 9900 WNG Central Home page using a browser.

The web reports page is divided into two tabs:

• Standard Reports tab—contains a sublist of the most commonly used reports. You use the categorized hyperlinks to open the reports parameter input page.

• Repository—contains a list of all of the reports that can be generated using the web interface.

In each case, the reports are organized according to the following categories:

See Table 31-1 for a lists the types of reports that you can generate and where you can find more information.

Legacy reports

If your system has reports generated by Release 1.2 or earlier, the link Get Legacy Reports (from Release 1.2 or earlier) appears on the 9900 WNG Central webpage. For information about how to use Release 1.2 reports, see the Release 1.2 User Guide.

30.2 Generating a browser-based report

Procedure 30-1 describes the high-level steps to generate a report.

Procedure 30-1 To generate a browser-based report

1 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1.

2 Click on the Get Reports link. The Reports page appears with the Standard Reports tab displayed.

3 Click on the link for the report that you need to generate.

4 Configure the input parameters for the report. The general characteristics and behaviors of the parameter fields are described in Section 30.3. The input parameters for each report are listed in chapter 31.

• Network resource usage reports• Network statistic reports• Network elements reports• Hop reports

• Security reports• Subscriber reports• Applications reports• Devices reports



5 Click on the Run Report button. The report is created and displayed in a report summary window.

6 To change the input parameters, click on the Report Options button to return to the input parameters form.

30.3 Input parameters page components

The report input parameters page allows you to specify the parameters for the report that you need to generate. The fields vary, depending on the type of report. To access the input parameters for a report, click on any of the report links on the Standard Reports page. Figure 30-1 shows an example of the input parameters page.

Figure 30-1 Example of an input parameters screen

The following subsections describe the behavior of the commonly used fields.



Report controls

The following control buttons appear in the input parameter page, as listed in Table 30-1.

Table 30-1 Report controls

Filters

You can specify input parameters for filters for some reports. Typically, the default values for the filters is #All#, which specifies that all data of the specified type is admitted in the report. You can change the default to allow only a subset of the data to be admitted in the report. Filter input parameters are displayed in list boxes. You can specify more than one filter criteria by holding down the CTRL button and clicking on multiple choices in the list box. To specify that all data be admitted, use the wildcard, which is a percentage sign (%).

Time parameter fields

This section describes the fields that are common to all input parameter pages.

Time Period, Start Day/Time, and End Day/Time

The first field of every input parameters page is Time Period. The field has a drop-down menu that enables you to select a time period that is relative to the current execution time, for example, Today, Yesterday, or Last Week (Sun to Sat) inclusively.

This feature is particularly useful when you are scheduling a report. For example, to schedule a report to run early tomorrow morning, select Yesterday. When the report is executed, the report pulls data for yesterday relative to the report execution time.

Default settings for the Time period field

The default setting for the Time Period parameter is called Specified Below (the first selection). The Specified Below parameter indicates that the time period is specified in the following time-related fields which appear directly below the Time Period Parameter:

• Start Day (or Start Day and Time) • End Day (or End Day and Time)

Button Description

Reset Returns the input parameter form to the default values

Run Report Executes the request based on the parameters that you configure. The report is generated and is displayed in a presentation page. Figure 30-2 shows an example of a chart report and Figure 30-3 shows an example of a table report.

Cancel Cancels the request and returns to the Standard Reports page. You can also click on the Standard Reports tab to cancel and return to that page.



You use the Users running a report interactively (as opposed to scheduling the report), most likely specified the start day/time and end day/time using the preceding fields.

Reports that pull data from a single day includes only one time-related field, Choose a date (located below the Time Period field). The Overall subscriber cumulative distribution report is an example of this type of report.

Start Day/End Day versus Start Time/End Time fields

Reports that do not support sub-day time resolutions (that is Minute and Hour) display the Start Day and End Day fields. Reports that supports sub-day time resolutions display the Start Day Time and End Day and Time fields.

Calendar widgets

To display a calendar widget, click on the calendar icon on the input parameter. If the field is a Date and Time field, a Time field is also displayed below the monthly calendar. You can click on the hour and minute fields to increase the value, or shift-click on the hour and minute fields to decrease the value. You can also click on the hour and minute fields, and then drag right to increase the value; or click and then drag left to decrease the value.

For the end day (or date/time), the specified value is always used inclusively for the time range. For example, to display data for the first two days of 2009, set the start date to January 1, 2009 and the end date to Jan 2, 2009 (not Jan 3, 2009). If the report supports sub-day resolutions (“minute” or “hour”), set the start date and time to Jan 1, 2009 00:00, and the end date to Jan 2, 23:59. Data for until the end of minute is included (that is, from 23:59:00.000 to 23:59.59.999).

Time zones

When you specify a time range and when you are reading a report, keep in mind that in browser-based reports, the time zone is always the local time zone of the Central machine.

Lag period to current time

Some reports pull data from database tables that are updated in real-time; others pull data from database tables that are updated at a regular hourly or daily intervals. For the latter, there is a lag period before you can see the data. For example, if a report depends on a daily summarization, you cannot see the data for the current day until after a daily summarization is completed after the end of the current day. If you query for today’s data, you may get a report with no data. The description page for each report describes the lag period for each report.



Impact of daily summarization on early morning queries

The summarization process takes time to complete. If the data is not yet in the database table, generating a report retrieves no data. If you run a query for yesterday in early morning (immediately after midnight), the summarization process may not be complete, and you may generate a report with no data.

If you generate a report in the early morning, the default end date/time on the input parameter page is the day before yesterday. In contrast, if you generate a report later in the day, the default end date/time on the input parameter page is yesterday. You can override the system default and select the end date/time.

30.4 Report presentation page

Reports are generated and displayed in a presentation page in two general formats: as graphical chart-based reports, as shown in Figures 30-2 to 30-5, or as table-based report, as shown in Figure 30-6.

Tool tips

Graphical charts are embedded with tool tips. If you move your cursor over a certain data point in a time-series plot or a data pie in a pie chart, you can display the data values of that data point. Tool tips offer a convenient way to display exact data values for certain data points.

Navigation icons on the presentation page

Table 30-2 describes the two navigation icons (from left to right) on the top left of each reports presentation page; see for example, Figure 30-2. For the remaining five icons that support export functions, see Table 30-3.

Table 30-2 Navigation icons

Note In general, for reports that require daily summarization, Alcatel-Lucent recommends that you query for yesterday’s data after 7:00 AM.

Name Description Use to

Report options

Returns you to the input parameters page for the report. The parameter settings that you configured are preserved.

Adjust the original parameter settings that you used to generate the report. To return all fields to the system default values, click on the Reset button, as described in Table 30-1.

Back Return you to the Standard Reports page where all standard reports are listed. The parameter settings that you configured are not preserved.

Close the input parameters page and return to the Standard Reports page.



30.5 Report types

The 9900 WNG web reports interface can generate report is several formats, depending on the type of data that you need to analyze or export. The report types are:

• time-series charts• stacked area charts• cumulative distribution function charts• pie charts• tables

Time-series charts

Time-series charts are a type of line graph in which the x axis is always time, and the y axis is a variable that you can choose. Some time-series charts, such as those that treat NEs, allow you to view information about multiple NE for the purpose of comparison and trend analysis. Comparative charts use colored plots and lines and a color-coded legend to distinguish and identify the NEs. Figure 30-2 shows an example of a typical time-series chart.



Figure 30-2 Example of a time-series chart

Stacked area charts

A stacked area chart is used to view the overall distribution of network resources at-a-glance. Figure 30-3 shows an example of a typical stacked area chart.



Figure 30-3 Example of a stacked area chart

Cumulative distribution function charts

A CDF chart plots data points on an x-y axis. A data point at (x,y) indicates that means that there are y% of subscribers that have a value that is equal to or smaller than x. The x-axis is in log scale. Figure 30-4 shows an example of a typical CDF chart.



Figure 30-4 Example of a CDF chart

Pie charts

A pie chart is a graphical display of data that shows at-a-glance the relative proportion among the measured parameters. Each part of the chart is color-coded and explained in the legend. Key data for each part of the pie chart is identified by callout. You can also use the mouse-over function to view detailed information about each part. Figure 30-5 shows an example of a typical pie chart.



Figure 30-5 Example of a pie chart

Table reports

Reports in tabular format allow you to compare items (such as a type of entity or event) that share the same KPIs. The rows in the table can be configured to rank the entries. Figure 30-6 shows an example of a typical table report.



Figure 30-6 Example of a table report

30.6 Exporting reports

The available export functions depend on the type of report that you generate: graphical chart-based or table-based.

Export icons on the presentation page

Table 30-3 describes the five export icons that are adjacent to the two navigation icons on the top left of each reports presentation page.

Table 30-3 Export icons

Name Description

Export to PDF Exports a PDF image of the presentation page. You can export chart- or table-based reports to a PDF file.

Export to Excel Exports data from a table-based report to a Microsoft Excel file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export a chart-based report.

Export to RTF Exports chart- or table-based reports to an RTF file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export the data in a chart-based report.

Export to CSV Exports data from a table-based report to a CSV file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export a chart-based report.

(1 of 2)



Exporting graphical reports to an Excel or a CSV file

Chart-based reports—that is, time-series plot or pie charts—are displayed as graphics and are exported as graphics. You cannot export graphics to RTF or CSV files. To export the raw data used to create the graphic, select the Show only raw data (no chart) option in the report input parameters when you create the report.

If you have already run a report, but need to view or process the raw data behind a graphical charts, you must rerun the report in the Show only raw data mode. On the report presentation page, click on the Report Options button on the upper left of the presentation page to return the input parameters page. All of the previously chosen parameter values are retained. Select the Show only raw data (no chart) check box, and click Run Report to re-run the report. The report is presented as a table of raw data. On the presentation page, you can click on Export to Excel to get the raw data

Similarly, the Export to CSV option generates CSV files that contains only the text data that surrounds the graphical chart, that is, the title and text in the header section. To display the raw data behind the graphical chart must first re-run the report in the “Show only raw data” mode using procedures as discussed earlier in this topic.

View as Flash Displays the presentation page in a browser in Flash format. You can export chart- or table-based reports

Name Description

(2 of 2)




31 Configuring browser-based reports

31.1 Browser-based reports parameters overview 31-2

31.2 Network resource usage reports 31-2

31.3 Network statistics reports 31-5

31.4 Network elements reports 31-10

31.5 Hop reports 31-25

31.6 Security reports 31-28

31.7 Subscriber reports 31-29

31.8 Applications reports 31-36

31.9 Devices reports 31-41

31.10 Troubleshooting 31-47



31.1 Browser-based reports parameters overview

This chapter describes the browser-based reports and the parameters, filters, and options that you can configure to customize the output. Table 31-1 lists the reports by category and where to find more information.

Table 31-1 Browser-based report types

31.2 Network resource usage reports

Network resource usage reports provide information about the resources that are consumed in the network. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for network usage reports.

Description of network resource usage reportsYou can generate the following network resource usage reports:

• Incident breakdown by event type (pie chart) report• Incident breakdown by event type (time plot) report• Resource breakdown by event type report• Resources breakdown by top application report

Incident breakdown by event type (time plot) report

This report is a time-series chart that shows the distinct count of incidents, broken down by event type. The counts are distinct counts. Distinct counts of different time periods cannot be summed to get the distinct counts of the combined periods.

Report type See section

Network resource usage reports 31.2

Network statistics reports 31.3

Network elements reports 31.4

Hop reports 31.5

Security reports 31.6

Subscriber reports 31.7

Applications reports 31.8

Devices reports 31.9



Table 31-2 Incident breakdown by event type (time plot) report

Incident breakdown by event type (pie chart) report

This report displays a pie chart that shows the distinct counts of different incidents, broken down by event type.

Table 31-3 Incident breakdown by event type (pie chart) report

Resource breakdown by event type report

This report shows three pie charts that compare the consumption of resources—Traffic Volume, Airtime, and Number of Connection Setups— by different event types.

Table 31-4 Resource breakdown by event type report



None

Input parameters and filters

You can apply a filter on an event type to select a subset of incidents for the report. See the list of event types in Parameters overview for network resource usage reports in this section. Time resolution can be displayed in hours, days, or months.

Report type This report can be displayed in the following formats:• a time-series plotused for accurately comparing the relative counts of different event types• stacked-area plotused to view the overall distribution at-a-glance

See Figure 30-2 for an example of a time-series chart and Figure 30-3 for an example of a stacked area chart.

Raw data option Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.



None

Input parameters The field parameters are set and cannot be changed. See the list of event types in Parameters overview for network resource usage reports in this section.

Report type See Figure 30-5 for an example of a pie chart report.


Remarks The counts are distinct counts; distinct counts of different time periods cannot be summed to get the distinct counts of the combined periods.



None

(1 of 2)



Resources breakdown by top application report

This report shows three pie charts that compare the resources consumptions—Traffic Volume, Airtime, and Number of Connection Setups—by different top applications.

Table 31-5 Resources breakdown by top application report

Parameters overview for network resource usage reportsThe following subsections describe the values that are monitored in the Event type and Resource type fields.

Input parameters The event type parameters are set and cannot be changed. See the list of event types in Parameters overview for network resource usage reports in this section.



Remarks When the Show the OTHER category field is checked, pie charts compare the relative resource consumption of anomaly events to the total resource consumption in the network, which can result in anomaly-event pies too small to compare. To display only the breakdown of anomaly-event consumption, uncheck the box; in this scenario, the total value of each pie chart is all the resource consumption due only to anomaly events.Because of space limitation, some pie charts do not have call-out labels. Mouse-over a section of the chart to display a tooltip with information about the data in the chart.


(2 of 2)



7 to 31 hours. After 7:00 AM, the report can report data collected as late as last midnight; before 7:00 AM, the report can report data collected as late as two midnights before.

Input parameters The input parameters are set and cannot be changed:• Total traffic volume (Mbytes)• Total airtime (hours)• Total number of connection setups

Filters and options The following filters are available:• filter by realmto limit the data in the report to one or more realms • Top Nto set the number of top application that are plotted. You can choose up to 20 top

application to plot.



Remarks For any given value of N (as in Top N), the report displays pie charts with more than N pies. This occurs because the set of Top N applications for the different types of resource consumption differ, and this report displays a consistent set of top applications that is a union of the sets of Top N applications for all three types of resource consumption.In each of the three big pie charts on the report, the total value is the total resource consumption for the top applications (that is, excluding those for the other applications). To display how the resource consumptions of this top set compare to the set of the other applications, use the three small pie charts (Top Apps versus Others) on the lower right corner.Because of space limitation, some pie charts do not have call-out labels. Mouse-over a section of the chart to display a tooltip with information about the data in the chart.



Event types for network resource usage reports

The 9900 WNG can monitor the following types of events.

• SIGATTACK_SINGLE_SRC• BATTERYATTACK_SINGLE_SRC• P2P_MOBILE• ALWAYS_ACTIVE_SUB• HIGH_USAGE_SUB• HIGH_SIGNALING_SUB• PORTSCAN_HORIZ• PORTSCAN_VERT• UNWANTED_SRC• FLOOD_MOBILE_SINGLE_SRC• BATTERYATTACK_DISTRIBUTED• FLOOD_MOBILE_DISTRIBUTED• ROUTER_DISCOVERY_ABUSE• MIP_SIGNALING_ABUSE

Resource types for network resource usage reports

The 9900 WNG can monitor the following types of resources:

• Traffic Volume (Mbytes)• Airtime (Hours)• Number of Conn Setups

31.3 Network statistics reports

This section describes the different types of reports that display network statistics. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for network statistics reports.

Description of network statistics reportsYou can generate the following network resource usage reports:

• Overall network time plot (traffic) report• Overall network time plot (sessions and events) report• Detector time plot (traffic) report• Detector time plot (sessions and events) report• Roaming traffic report

Overall network time plot (traffic) report

This report is a time-series plot that shows the overall network traffic data — volume, data rate, packets, or flows).



Table 31-6 Overall network time plot (traffic) report

Overall network time plot (sessions and events) report

This report is a time-series plot that shows information about the overall network with respect to one of the following categories:

• number of sessions• events• TCP reset packets• ICMP unreachable packets

Table 31-7 Overall network time plot (sessions and events) report

Detector time plot (traffic) report

This report is a time-series plot that shows the traffic data—volume, data rate, packets, or flows—as measured by one or more 9900 WNG Detectors. You can also plot the sum of the data that is measured across all 9900 WNG Detectors.

Table 31-8 Detector time plot (traffic) report



None

Input parameters The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. For a list of traffic parameters that you can plot, see Traffic parameters in this section.

Report type See Figure 30-2 for an example of a time-series chart.




None

Input parameters The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. For a list of fields that you can plot, see Sessions and events parameters in this section.





None

(1 of 2)



Detector time plot (sessions and events) report

This report is a time-series plot that shows one of the following categories as measured by one or more 9900 WNG Detectors:

• number of sessions• events• TCP reset packets• ICMP unreachable packets

Table 31-9 Detector time plot (sessions and events) report

Roaming traffic report

This report presents For either format, the numbers are broken down by providers. For multi-day reports, you can show the data as a daily average or a multi-day total.

Table 31-10 Roaming traffic report

Input parameters The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute.You can choose multiple detectors to compare according to the traffic parameters. For a list of traffic parameters that you can plot, see Traffic parameters in this section.




(2 of 2)



None

Input parameters The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. You can choose multiple detectors to compare according to the session and event parameters. For a list of parameters that you can plot, see Sessions and events parameters in this section.





7 to 31 hours. After 7:00 AM, the report can report data collected as late as last midnight; before 7:00 AM, the report can report data collected as late as two midnights before

(1 of 2)



Parameters overview for network statistics reports

The parameters that can be plotted and/or tabulated are listed below.

Traffic parameters

Data in any permutations of the attributes All traffic, Total (Uplink+Downlink), and Volume (Mbytes):

• All traffic or unidirection only• All traffic• Unidirection only

Input parameters, filters, and options

The following options and filters are available: • Time Period filterto display data about multiple cells during specified time period or range of

dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range.

• Provider nameto generate the report with data for one or more specified providers• Order by (mandatory field)to sort the table data according to one of the following

Number of concurrent sessionsVolume Organization namePacketsFlows

• Network families filterto filter on 3GPP, 3GPP2, or all networks

This report can be generated in the following formats: • Roaming-inshows the traffic data (volume, packet count, flow count, number of concurrent

sessions) of other providers subscribers on your network.• Roaming-outshows the traffic data of your subscribers being served by other providers in their

networks.

You can configure the report to present the data as:• a daily average• a multi-day total

Report type See Figure 30-6 for an example of a table report.

Raw data option Not applicable

Remarks You must always exclude the name of your service provider, otherwise the traffic data of your non-roaming subscribers are included in the report. (Check the field, My provider name(s) to be excluded.)Visibility of data depends on the location of the 9900 WNG Detectors that probe the network. For example, if the Detectors are probing from the south of a GGSN/HA, the roaming-in reports may show no data.


(2 of 2)



• Direction• Total (Uplink + Downlink)• Uplink• Downlink• M2I (Mobile to Internet)• I2M (Internet to Mobile)• M2M Uplink (Uplink Mobile to Mobile)• M2M Downlink (Downlink Mobile to Mobile)

• Traffic measure type: • Volume (Mbytes)• Data Rate (Mb/s)• Packets• Flows

Sessions and events parameters

The following types of sessions and events can be plotted and/or tabulated:

• Number of concurrent sessions• Number of SIGATTACK_SINGLE_SRC• Number of RNC_OVERLOAD• Number of BATTERYATTACK_SINGLE_SRC• Number of PORTSCAN_VERT• Number of PORTSCAN_HORIZ• Number of ALWAYS_ACTIVE_SUB• Number of HIGH_USAGE_SUB• Number of P2P_MOBILE• Number of UNWANTED_SRC• Number of MOBILE_FLOW• Number of HIGH_SIGNALING_SUB• Number of BATTERYATTACK_DISTRIBUTED• Number of FLOOD_MOBILE_SINGLE_SRC• Number of FLOOD_MOBILE_DISTRIBUTED• Number of ROUTER_DISCOVERY_ABUSE• Number of MIP_SIGNALING_ABUSE• TCP Reset Packets I2M• TCP Reset Packets M2I• TCP Reset Packets M2M Uplink• TCP Reset Packets M2m Downlink• ICMP Unreachable Packets I2M• ICMP Unreachable Packets M2I• ICMP Unreachable Packets M2M Uplink• ICMP Unreachable Packets M2M Downlink



31.4 Network elements reports

Network element reports retrieve all data associated with one or more network elements. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters and options that you can configure for network elements reports.

Description of network element reportsYou can generate the following network elements reports:

• Tier 1 cells• Cell comparison table (CDMA) report• Cell comparison table (UMTS) report• Cell time plot (traffic) report• Cell time plot (sessions and performances) report• Cell multi-element time-trend table (CDMA) report• Cell multi-element time-trend table (UMTS) report• Cell cumulative dist. (CDMA; traffic) report• Cell cumulative dist. (CDMA; session & perf) report• Cell cumulative dist. (UMTS; traffic) report• Cell cumulative dist. (UMTS; session & perf) report

• Tier 2 RNCs• RNC comparison table report• RNC time plot (traffic) report• RNC time plot (sessions and performances) report• RNC multi-element time-trend table report

• Tier 3 SGSNs (UMTS systems), PDSNs (CDMA systems), or both• SGSN/PDSN comparison table report• SGSN or PDSN time plot (traffic) report• SGSN or PDSN time plot (sessions and performances) report• SGSN/PDSN multi-element time-trend table report

• Tier 4 GGSNs (UMTS systems) and HAs (CDMA systems)• GGSN/HA comparison table report• GGSN or HA time plot (traffic) report• GGSN or HA time plot (sessions and performances) report• GGSN/HA multi-element time-trend table report

Cell comparison table (CDMA) report

This report is a table that shows the total activity for a specified CDMA cell or group of cells, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs. See “Parameters overview for network element reports” in this section for a list of the parameters that are plotted in this report.



Table 31-11 Cell comparison table (CDMA) report

Cell comparison table (UMTS) report

This report is a table that shows the total activity for a specified UMTS cell or group of cells, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs. See “Parameters overview for network element reports” in this section for a list of the parameters that are plotted in this report.

Table 31-12 Cell comparison table (UMTS) report

Cell time plot (traffic) report

This report is a time-series plot that shows the traffic data (volume, data rate, packets, or flows) as seen on one or more cell sites. See “Parameters overview for network element reports” in this section for a list of the parameters that are plotted in this report.



None


The following filters are available:• Hours of the day filterto display data about the cell during specified hours of the day, such as

peak hours• Hierarchical filterto display only the cells that are connected to one or more specified RNCs.• ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. The ID fields support the

wildcard search function, in which a percentage symbol (%) represents the wildcard.





None


The following filters are available:• Time of day filterto display data about the cell during specified periods of the day, such as peak

hours• Hierarchical filterto display only the cells that are connected to one or more specified RNCs.• ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. The ID

fields support the wildcard search function, in which a percentage symbol (%) represents the wildcard.





Table 31-13 Cell time plot (traffic) report

Cell time plot (sessions and performances) report

This report is a time-series plot that shows one of the following categories as seen on one or more cell sites:

• number of sessions• number of connection setups• airtime, number handoffs• number TCP reset• number ICMP unreachable• downlink RTT• downlink loss rate• downlink subscriber throughput.

Table 31-14 Cell time plot (sessions and performances) report



7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before.


The following filters are available:• Time Periodto specify an inclusive time period. The options are Last Week (Sunday to

Saturday), Last Month, or a specified date range.• Traffic filtersSee Parameters overview for network element reports in this section for

information about traffic measures and traffic measure types that you can plot• Top N cellsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the cells on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for

information about the characteristics of different time resolutions








Saturday), Last Month, or a specified date range.• Session and performance filtersSee Sessions and performance parameters for network element

reports in this section for a list of the parameters that you can plot• Top N cellsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the cells on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for






Cell multi-element time-trend table (CDMA) report

This report is a time trend table that displays data about one or more CDMA cells in one table.

Table 31-15 Cell multi-element time-trend table (CDMA) report

Cell multi-element time-trend table (UMTS) report

This report is a time trend table that displays data about one or more UMTS cells in one table.

Table 31-16 Cell multi-element time-trend table (UMTS) report



None


The following filters are available:• Time Period filterto display data about multiple cells during specified time period or range of


• Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours

• Hierarchical filterto display only the cells that are connected to one or more specified RNCs.• ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. See Specifying cells by

ID in this section for more information.• Time resolutionto modify the reporting interval by minute, hour, or day for the specified range

of dates





None


The following filters are available:• Time of day filtersto display data about multiple cells during specified time period or range of



• Hierarchical filterto display only the cells that are connected to one or more specified RNCs.• ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See

Specifying cells by ID for more information• Time resolutionto modify the reporting interval by minute, hour, or day for the specified range

of dates





Cell cumulative dist. (CDMA; traffic) report

This report is a cumulative distribution function plot in which the x axis is a specified traffic KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.

Table 31-17 Cell cumulative dist. (CDMA; traffic) report

Cell cumulative dist. (CDMA; session & perf) report

This report is a cumulative distribution function plot in which the x axis is a specified session and performance KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.

Table 31-18 Cell cumulative dist. (CDMA; session & perf) report



None


The following filters are available:• Time Period filterto display data for a specified day • Traffic filtersSee Parameters overview for network element reports for information about

traffic measures and traffic measure types that you can plot• Hierarchical filterto display only the cells that are connected to one or more specified RNCs• ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. See Specifying cells by

ID for more information.• Top N cellsSee Specifying network elements in network element reports for information about

how to specify and sort the cells on which to report

Report type See Figure 30-4 for an example of a CDF report.






The following filters are available:• Time Period filterto display data for a specified day • Session and performance filtersSee Sessions and performance parameters for network element

reports for a list of the parameters that you can plot• Top N cellsSee Specifying network elements in network element reports for information about

how to specify and sort the cells on which to report• Time resolutionSee Specifying time resolutions in network element reports for information

about the characteristics of different time resolutions





Cell cumulative dist. (UMTS; traffic) report

This report is a cumulative distribution function plot in which the x axis is a specified traffic KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.

Table 31-19 Cell cumulative dist. (UMTS; traffic) report

Cell cumulative dist. (UMTS; session & perf) report

This report is a cumulative distribution function plot in which the x axis is a specified session and performance KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.

Table 31-20 Cell cumulative dist. (UMTS; session & perf) report





The following filters are available:• Time Period filterto display data for a specified day • Traffic filtersSee Parameters overview for network element reports in this section for

information about traffic measures and traffic measure types that you can plot• Hierarchical filterto display only the cells that are connected to one or more specified RNCs• ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See

Specifying cells by ID in this section for more information.• Top N cellsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the cells on which to report







The following filters are available:• Time Period filterto display data for a specified day • Session and performance filtersSee Sessions and performance parameters for network element

reports in this section for a list of the parameters that you can plot• Hierarchical filterto display only the cells that are connected to one or more specified RNCs• ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See

Specifying cells by ID in this section for more information.• Top N cellsSee Specifying network elements in network element reports in this section for

information about how to specify the top cells on which to report





RNC comparison table report

This report is a table that shows the total activity for a specified RNC or group of RNCs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.

Table 31-21 RNC comparison table report

RNC time plot (traffic) report

This report is a time-series plot that shows the traffic data (volume, data rate, packets, or flows) on one or more RNCs.

Table 31-22 RNC time plot (traffic) report



None


The following filters are available:• Time Period filterto display data for a specified day • Hour of day filterto display data about the RNC during specified periods of the day, such as peak

hours• Hierarchical filterto display only the RNCs that are connected to one or more SGSN or PDSN NEs.• RNC comparison filterto specify specific RNCs for comparison• Top NsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the top RNCs on which to report






Input parameters See Parameters overview for network element reports in this section for a list of available parameters.




information about traffic measures and traffic measure types that you can plot• RNC comparison filterto specify specific RNCs for comparison• Top NSee Specifying network elements in network element reports in this section for

information about how to specify and sort the RNCs on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for




Remarks For information about how to specify network element reports, see section 31.4.



RNC time plot (sessions and performances) report

This report is a time-series plot that shows one of the following statistics on one or more RNCs:

Table 31-23 RNC time plot (sessions and performances) report

RNC multi-element time-trend table report

This report is a time trend table that displays data about one or more RNCs in one table.

Table 31-24 RNC multi-element time-trend table report

• number of sessions• number of connection setups• airtime, number handoffs• number TCP reset

• number ICMP unreachable• downlink RTT• downlink loss rate• downlink subscriber throughput







reports in this section for a list of the parameters that you can plot• RNC comparison filterto specify specific RNCs for comparison• Top NSee Specifying network elements in network element reports in this section for

information about how to specify and sort the RNCs on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for






None

(1 of 2)



SGSN/PDSN comparison table report

This report is a table that shows the total activity for a specified SGSN or PDSN or group of SGSNs or PDSNs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.

Table 31-25 SGSN/PDSN comparison table report

SGSN or PDSN time plot (traffic) report

This report is a time-series plot that shows the traffic data—volume, data rate, packets, or flow data—as seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems).


The following filters are available:• Time Period filterto display data about the RNC during specified time period or range of dates.

The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range.


• Hierarchical filterto display only the RNCs that are connected to one or more specified SGSNs or PDSNs

• RNC comparison filtersto specify one or more RNCs for comparison• Time resolutionto modify the reporting interval by minute, hour, or day for the specified range

of dates




(2 of 2)



None


The following filters are available:• Time Period filterto display data for a specified day • Hour of day filterto display data about the SGSNs or PDSNs during specified periods of the day,

such as peak hours• SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison• Top NsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the top SGSNs and PDSNs on which to report





Table 31-26 SGSN or PDSN time plot (traffic) report

SGSN or PDSN time plot (sessions and performances) report

This report is a time-series plot that shows one of the categories of information as seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems):

• number of sessions• number of connection setups• airtime, number handoffs• number TCP reset• number ICMP unreachable• downlink RTT• downlink loss rate• downlink subscriber throughput.

Table 31-27 SGSN or PDSN time plot (sessions and performances) report







information about traffic measures and traffic measure types that you can plot• SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison• Top NsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the top SGSNs and PDSNs on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for










reports for a list of the parameters that you can plot• SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison• Top NsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the top SGSNs and PDSNs on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for



(1 of 2)



SGSN/PDSN multi-element time-trend table report

This report is a time trend table that displays data about one or more SGSN or PDSNs in one table.

Table 31-28 SGSN/PDSN multi-element time-trend table report

GGSN/HA comparison table report

This report is a table that shows the total activity for a specified GGSN or HA or group of GGSNs or HAs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.

Table 31-29 GGSN/HA comparison table report



(2 of 2)



None


The following filters are available:• Time Period filterto display data about the NE during specified time period or range of dates.



• SGSN/PDSN filterto specify a SGSN or PDSN, or to compare multiple SGSNs or PDSNs• Time resolutionto modify the reporting interval by minute, hour, or day for the specified range

of dates





None


The following filters are available:• Time Period filterto display data for a specified day • Hour of day filterto display data about the GGSNs or HAs during specified periods of the day,

such as peak hours• GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison• Top NsSee Specifying network elements in network element reports in this section for

information about how to specify and sort the top GGSNs and HAs on which to report


(1 of 2)



GGSN or HA time plot (traffic) report

This report is a time-series plot that shows the traffic data—volume, data rate, packets, or flows—as seen on one or more GGSNs (UMTS systems) or HA (CDMA systems).

Table 31-30 GGSN or HA time plot (traffic) report

GGSN or HA time plot (sessions and performances) report

This report is a time-series plot that shows one of these information as seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems):

Table 31-31 GGSN or HA time plot (sessions and performances) report



(2 of 2)







information about traffic measures and traffic measure types that you can plot• GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison• Top NsSee Specifying network elements in network element reportsin this section for

information about how to specify and sort the top GGSNs and HAs on which to report• Time resolutionSee Specifying time resolutions in network element reports in this section for




• number of sessions• number of connection setups• airtime• number handoffs• number TCP reset

• number ICMP unreachable• downlink RTT• downlink loss rate• downlink subscriber throughput




(1 of 2)



GGSN/HA multi-element time-trend table report

This report is a time trend table that displays data about one or more GGSN or HAs in one table.

Table 31-32 GGSN/HA multi-element time-trend table report

Parameters overview for network element reports

For each tier of NEs there are two types of time-series and cumulative distribution charts: one for traffic, and one for sessions and performance.




reports for a list of the parameters that you can plot• GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison• Top NsSee Specifying network elements in network element reports for information about how

to specify and sort the top GGSNs and HAs on which to report• Time resolutionSee Specifying time resolutions in network element reports for information

about the characteristics of different time resolutions




(2 of 2)



None


The following filters are available:• Time Period filterto display data about the NE during specified time period or range of dates.



• GGSN/HA comparison filterto specify a GGSN or HA, or to compare multiple GGSNs or HAs• Time resolutionto modify the reporting interval by minute, hour, or day for the specified range

of dates





Traffic parameters for network element reports

Shows a data field with any permutation of the attributes All traffic, Total (Uplink+Downlink), and Volume (Mbytes)

• All traffic or unidirection only• All traffic• Unidirection only

• Direction• Total (Uplink + Downlink)• Uplink• Downlink• M2I (Mobile to Internet)• I2M (Internet to Mobile)• M2M Uplink (Uplink Mobile to Mobile)• M2M Downlink (Downlink Mobile to Mobile)

Traffic measure types parameters for network element reports

The following are measure types:

• Volume (Mbytes); Bytes for RNCs• Data Rate (Mb/s)• Packets• Flows

Sessions and performance parameters for network element reports

Displays one of the following types of data:

• Number of Concurrent Sessions• Min Number of Concurrent Sessions• Max Number of Concurrent Sessions

• Number of Connection Setups Total (Up+Down)• Min Number of Connection Setups Uplink• Min Number of Connection Setups Downlink

• Airtime• Number of Handoffs In• Number of Handoffs Out• TCP Reset Packets I2M• TCP Reset Packets M2I• TCP Reset Packets M2M Uplink• TCP Reset Packets M2M Downlink• ICMP Unreachable Packets I2M• ICMP Unreachable Packets M2I• ICMP Unreachable Packets M2M Uplink• ICMP Unreachable Packets M2M Downlink



• Downlink RTT (Mean)• Downlink RTT (Min)• Downlink RTT (Max)

• Downlink TCP Loss Rate• Downlink TCP Packets• Downlink TCP Loss

• Saturated Downlink Subscriber Throughput• Average Downlink Subscriber Throughput

Common configuration options for network reports

The following sections describe common configuration options for the network element reports

Specifying network elements in network element reports

You can specify the network elements on which to report using one of the following methods:

• Explicitly named network elements—You can also choose specific network elements to be reported on. For cell reports (Tier 1 network element), use the text field to enter the cell IDs; for reports of the other three tiers of network elements, choose NE name from the drop-down menu. In both cases, you can specify more than one NE. For cell (Tier 1) reports, use commas to separate the cell IDs; for the other three tiers, press Ctrl + click to select more than one entry from the drop-down menu.

• Top N—pick the top N (where N is the number of NEs) network elements as sorted by one of the following metrics:

• The sorting field for the Top N. The field represents the index parameter for the table, and can be chosen from the available traffic and session and performance parameters listed in “Parameters overview for network element reports” in this section.

• ascending or descending order for the top N

Specifying cells by ID

You can specify the SID, NID, CID for CDMA cells and the MCC, MNC, LAC, and Cell-ID for UMTS cells. To activate the fields, you must select the Select cells by name pattern check box. All ID values are expressed in decimal format. The ID fields support the wildcard search function, in which a percentage symbol (%) represents all IDs of the specified type.

Specifying time resolutions in network element reports

You can select one of the following time resolutions:

• Minute (for Tier 2-4 reports) or Two-minute (for cell reports)• Hour• Day



Reports with a sub-day time resolution have no lag period to current time, whereas reports that rely on a daily summarization procedure have a lag period to current time.

Characteristics of time resolutions

Table 31-33 lists the characteristics for time resolution options.

Table 31-33 Characteristics of time resolutions

31.5 Hop reports

Network hop reports are time-series charts that report on one of three types of hops, as described in Table 31-34.

Table 31-34 Types of network hops by tier

The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for hop reports.

Note Sub-day time resolution reports may take longer to execute. For sub-day reports, a limit is imposed on the number of days that the report covers. See Table 31-33 for more information.

Option Time Resolution Execution time Lag period to current time

Limit on number of days to be reported

Sub-day time resolution

Minute (for Tier2-4 network elements)

Slower None 7 days

2 Minutes (for cells only)

Slower None 7 days

Hour Slower None 40 days

Daily time resolution

Day Faster 7 to 31 hours None

Tiers of network elements linked by the hop

Hop

From network element To network element

Tier-2 to Tier-1 RNC Cell

Tier-3 to Tier-2 SGSN (UMTS systems)PDSN (CDMA systems)

RNC

Tier-4 to Tier-3 GGSN (UMTS systems)HA (CDMA systems)

SGSN (UMTS systems)PDSN (CDMA systems)



Description of hop reportsYou can generate the following hop reports:

• RNC-to-cell hop time plot report• RNC-to-cell hop time plot report• RNC-to-cell hop time plot report

RNC-to-cell hop time plot report

This report displays a time-series plot that shows data as seen on one or more hops from an RNC to a cell site.

Table 31-35 RNC-to-cell hop time plot report

SGSN/PDSN-to-RNC hop time plot report

This report displays a time-series plot that shows data as seen on one or more hops from an SGSN (on UMTS systems) or a PDSN (on a CDMA system) to an RNC.

Table 31-36 SGSN/PDSN-to-RNC hop time plot report

GGSN-to-SGSN or HA-to-PDSN hop time plot reports

This report displays a time-series plot that shows data as seen on one or more hops from the GGSN to the SGSN or from the HA to the PDSN.



For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before.

Input parameters See Parameters overview for hop reports in this section for more information.





For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report can displays data collected as late as two midnights before






Table 31-37 GGSN-to-SGSN or HA-to-PDSN hop time plot reports

Parameters overview for hop reports

The following parameters can be plotted and/or tabulated for hops reports from the mandatory Field drop-down menu:

• Number of Concurrent Sessions• Min Number of Concurrent Sessions• Max Number of Concurrent Sessions

• Total (Up+Down) Volume• Uplink Volume• Downlink Volume

• Total (Up+Down) Data Rate• Uplink Data Rate• Downlink Data Rate

• Loss Rate

Specifying hops

You can specify hops using one of the following methods.

• Top N—to pick the top N hops as sorted by the field that is being plotted• Explicitly specifying hops—to select specific hops on which to report

For RNC-to-base-station hop reports, enter the RNC names and base-station IDs on free-text fields. The syntax of the string for each hop is as follows:

RNC_name-BSID

For example, test_rnc_lai1-310410a041090b

where test_rnc_lai1 is the RNC name and 310410a041090b is the base station ID.

For reports of the other two types of hops, select from the drop-down menu of possible hops. In both cases, you can specify more than one network element. For RNC-to-base-station reports, use comma-separated the strings using the syntax described above. For reports of the other two types of hops, you can use Ctrl + click to select more than one entry from the drop-down menu.



For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report can displays data collected as late as two midnights before






Time Resolution

Hop reports can be plotted with fractional-day time resolutions by minute, hour and day:

• by minute for a duration of up to 7 days (2 minutes intervals for hops that involve cells)

• by hour for a duration of up to 40 days • by day. There is no limit on duration.

31.6 Security reports

This sections describes security-related reports. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for security reports.

Description of security reportsYou can generate the following security reports:

• Top attackers at or above a specified intensity level report• Top scanners report

Top attackers at or above a specified intensity level report

This report displays a table that lists the top attackers according to the following criteria:

Table 31-38 Top attackers at or above a specified intensity level report

• Rank• Intensity • Attacker Type • Event Type

• # of Incidents • Attacker • Max Duration (Hrs)



None


The following filters are available:• Attacker typeto filter by internet source, mobile source or both• Event typesSee Event types for network resource usage reports in section 31.2 for a list of event

types.• Intensity levelto set the level at or above which to report an attacker. Attackers of the same

intensity level are sorted by duration and then by attacker identity.



(1 of 2)



Top scanners report

This report displays a table that lists the top scanners according to the following criteria:

Table 31-39 Top scanners report

31.7 Subscriber reports

This section describes Subscriber reports. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for subscriber reports.

Remarks Max Duration shows the maximum possible attack duration from an attacker from the moment the attacker launched the attack to the last moment that the same attacker had an ongoing attack, including idle time in between the attacks. This duration is bound by the report time range, so attacks before or after the report time range are not included.


(2 of 2)

• Rank• Mobile Scanner NAI• Application • Number of Scans

• Scan Volume (Mbytes) • Number of Conn Setups• Scan Airtime (Hours)





You can specify one of the following scanner types for the top N scanners:• mobile scanners• Internet scanners

The number of top scanners (N) is limited to 1000 for a single day report, and 50 for a multi-day report.You can sort by one of the following: • number of scans• scan volume• number of connection setups• scan airtime





Description of subscriber reportsYou can generate the following subscriber reports:

• Overall subscriber cumulative distribution report• Subscriber time plot report• Single subscriber time trend table report• Top mobile (single day; multiple params) report• Top Mobiles reports• Top servers report• Realm/APN comparison table report• Billing Discrepancy report

Overall subscriber cumulative distribution report

This report displays the overall distribution of a specified field in a CDF plot. A data point at (x,y) means that there are y% of subscribers having the field value equal to or smaller than x. The x-axis is in log scale.

Table 31-40 Overall subscriber cumulative distribution report

Note(1) If a subscriber has accessed more than one technology during the day, the web report interface displays the combined

cumulative subscriber usage data and does not separate the data according to the mobile technology. See section 29.10 for more information about how to view the technology used by a subscriber on a per-flow basis using the GUI-based subscriber reports.

Subscriber time plot report

This report displays the time-series plot of one or more subscribers.





The following filters are available:• Subscriber group filterto display data about the subscribers that are included in a specified

group. See Chapter 32 for information about subscriber groups.• Network families filterto filter on 3GPP or 3GPP2 networks• Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination.(1)

• Device manufacturer or modelto filter on one or more devices• Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the

percentage sign (%) as a wildcard.



Remarks This report always displays data for a single day.The number of included subscribers is displayed on the header of the report. The total number of subscribers can be less than the population size for one of the following reasons:• Some subscribers did not meet a filter criterion and were excluded from the plot• For performance-related data fieldsthroughput, RTT, loss ratethere may not be enough

measurable samples for some subscribers to make a reliable inference on the data value.



Table 31-41 Subscriber time plot report

Single subscriber time trend table report

This report generates a table that six different fields for a single specified subscriber. Each row in the table displays the data for a specified day.

Table 31-42 Single subscriber time trend table report

Top mobile (single day; multiple params) report

This report displays a table listing four different fields of the top subscribers. You can select four fields and specify the field that are used as index to find the top subscribers. For the list of fields that can be tabulated, see section 31.7.





You must configure the Field parameter with one of the values listed in Fields that can be plotted or tabulated for subscriber reports in this section.You can select the subscribers to be plotted from either the drop-down menu or you can specify them in the text box field. The drop-down menu lists the top subscribers by their recent traffic volume. If you know the subscribers IDs, you can also type them in the text box. You can enter more than one subscriber IDs by using commas to separate the IDs. Do not enter the @ suffixthe system ignores this part of the address.







Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted or tabulated for subscriber reports in this section. You must select one subscriber:• by choosing the ID from the Mobile ID drop-down menu • By entering a mobile ID in the text field

If you enter a mobile ID in the text field, the selection from the drop-down menu is ignored. In the drop-down menu, the top 10 subscribers (by their recent traffic volumes) are listed first; then, the next 990 top subscribers are listed in the order of their IDs.





Table 31-43 Top mobile (single day; multiple params) report

Top Mobiles reports

Unlike the Top mobile (single day; multiple params) report, which shows one day of data, the Top Mobiles report can tabulate multiple days of data.

The report always contains the following fields:

• Rank • (Mobile ID / IMSI) @ (Realm / APN) • Total Traffic Volume (Mbytes) • Total Number of Conn Setups • Total Airtime (Hours) • Total Number of Flows • Total Number of Packets

Table 31-44 Top Mobiles report





See Fields that can be plotted or tabulated for subscriber reports in this section.The following filters are available:• Subscriber group filterto display data about the subscribers that are included in a specified

group. See Chapter 32 for information about subscriber groups.• Network families filterto filter on 3GPP or 3GPP2 networks• Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination thereof.• Mobile realmto filter on one or more mobile service providers• Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the


Four fields can be used to sort the data: the Order by field and the additional output fields. For each field, choose one of the parameters that are listed in Fields that can be plotted or tabulated for subscriber reports in this section.



Remarks The report covers a period of one day. The related report, Top Mobiles reports, can cover a multi-day period, but with fewer choices of fields that can be tabulated.If the system cannot derive the manufacturer and/or model name, the column Device Manufacturer/Model is left blank.




(1 of 2)



Top servers report

This report displays seven tabulated field values for the top servers. The set of fields cannot be changed; the report always contains the following fields:

Table 31-45 Top servers by traffic volume report


You can select one of the following fields as the sorting index: • Traffic volume• Number of conn setups• Airtime• Number of flows• Number of packets

The sorting field is indicated in the report by an asterisk (*) on the column header.



Remarks This report runs faster than the Top mobile (single day; multiple params) report.


(2 of 2)

• Rank • Server • Application • Average Number of Distinct Active

Sessions (per day) • Total Traffic Volume (Mbytes)

• Total Number of Conn Setups • Total Airtime (Hours) • Total Number of Flows • Total Number of Packets





You can choose to tabulate only Internet servers, only mobile servers, or both. For Internet servers, the report displays their IP addresses; for mobile servers, the report displays the NAI of the mobile subscribers. You can select one of the following fields as the sorting index: • Number of Distinct Active Sessions• Traffic Volume• Number of Conn Setups• Airtime• Number of Flows• Number of Packets




Remarks The Application field is derived from the protocol and port number that the server was serving. A server can serve multiple applications; in such a scenario, if there is a predominant application, the report shows the applications configured name or its protocol/port pair; if no application is predominant, the report displays #multiple#.



Realm/APN comparison table report

This report compiles all of the data associated with UMTS APNs or CDMA realms in one table.

Table 31-46 Realm/APN comparison table report

Billing Discrepancy report

This report shows the discrepancies between the traffic data and accounting records detected by the 9900 WNG system.

The data is displayed in a table with the following columns:

Table 31-47 Billing Discrepancy report





Choose the realms that you need to compare from the Choose realms list.The following filter is available:• Network families filterto filter on 3GPP or 3GPP2 networks• Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination thereof.• Mobile realmto filter on one or more mobile service providers• Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the


You can sort the data using the Realm name parameter or one of the parameters listed in Fields that can be plotted or tabulated for subscriber reports in this section.



Remarks The time period for the comparative table is limited to one day.

• Mobile NAI• Excess Bytes (MB) • Uplink Seen (MB) • Uplink Acct (MB)

• Downlink Seen (MB) • Downlink Acct (MB) • Seen Pkts • Acct Pkts





You can configure the number of table rows to display.



(1 of 2)



Parameters overview for subscriber reports

The following sections describe the available parameters.

Fields that can be plotted or tabulated for subscriber reports

You can use the following fields to filter the output of subscriber reports.

• Total (Orig. + Recv.) Volume• Orig. Volume• Recv. Volume

• Total (Orig. + Recv.) # Conn Setups• Orig. # Conn Setups• Recv. # Conn Setups

• Total (Orig. + Recv.) Flows• Orig. Flows• Recv. Flows

• Total (Orig. + Recv.) Pkts• Orig. Pkts• Recv. Pkts

• Airtime• Duration• Uni. Orig. Volume• Uni. Recv. Volume• Uni. Orig. Flows• Uni. Recv. Flows• Uni. Orig. Packets• Uni. Recv. Packets• Average RAN RTT

• Minimum RAN RTT• Maximum RAN RTT

• Downlink TCP Packet Loss Rate• Average RAN Handshake RTT

• Minimum RAN Handshake RTT• Maximum RAN Handshake RTT

• Average Inet Handshake RTT• Minimum Inet Handshake RTT• Maximum Inet Handshake RTT

• Avg. Saturated TCP Thruput• Min. Sat. Down TCP Thruput• Max. Sat. Down TCP Thruput

Remarks The table is sorted in descending order according to the Excess Bytes field.


(2 of 2)



• Avg. Downlink TCP Thruput• Min. Downlink TCP Thruput• Max. Downlink TCP Thruput

31.8 Applications reports

This section describes the reports that you can generate for the different types of applications. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for applications reports.

Description of applications reportsYou can generate the following application reports:

• Hour-of-day trend comparing applications report• Hour-of-day trend comparing days report• Hour-of-day trend comparing days of week report• Time plot comparing applications report• Top applications reports

Application Comparison Table report

This report compares different applications using six configurable fields.

Table 31-48 Application Comparison Table report



Approximately 6 hours


Six input fields are designated as Field1 to Field6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:• Time Period filterto display data about the applications during specified time period or range

of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range.

• Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS

• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Device manufacturers and models• ApplicationsSee Application choosers in this section for more information.



Remarks Application categories are indicated by pair of square brackets [ ].



Hour-of-day trend comparing applications report

This report displays a time-series chart that plots and compares the hour-of-day trend of different applications. Hour-of-day trends are always measured from midnight to midnight.

Table 31-49 Hour-of-day trend comparing applications report

Hour-of-day trend comparing days report

This report displays a time-series chart that plots and compares the hour-of-day trend for up to 5 different days.

Table 31-50 Hour-of-day trend comparing days report





For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:• Time Period filterto display data about the applications during specified time period or range



• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Device manufacturer• ApplicationsSee Application choosers in this section for more information



Remarks For a list of fields that can be plotted and information about how to choose applications for comparison, see section 31.8.





You can choose to compare up to five specified days.For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:• Network type filterto display data about a specified type of mobile network, such as 1xRTT,

CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Device manufacturer• ApplicationsSee Application filters in this section for more information

(1 of 2)



Hour-of-day trend comparing days of week report

This report displays a time-series chart that plots the hour-of-day trend for the days of the week. If you select a time range that contains more than one day for a given day of week (for example, Monday), the data plotted is the average value of these days.

Table 31-51 Hour-of-day trend comparing days of week report

Time plot comparing applications report

This report displays a time-series chart that compares different applications.



Remarks You can compare 1 to 5 days of data by setting the Compare how many days? field. On the input parameter page, however, there are always five Input parameters for Days 1-5 respectively; the input parameters for the extra days are ignored.Hour-of-day trends are always from midnight to midnight.This report does not have the Time Period field, because unlike other reports that have only one start time and end time, this report can have up to five start times and five end times.


(2 of 2)






of dates. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range.• Network type filterto display data about a specified type of mobile network, such as 1xRTT,

CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Device manufacturer• ApplicationsSee Application filters in this section for more information



Remarks Hour-of-day trends are always from midnight to midnight.



Table 31-52 Time plot comparing applications report

Top applications reports

This report displays a table that lists the top applications. The fields listed on this report are set and cannot be changed:

Table 31-53 Top applications reports




Input parameters See Fields that can be plotted and/or tabulated for application reports in this section.




• Time resolution filterto plot data by hour or day• Network type filterto display data about a specified type of mobile network, such as 1xRTT,

CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Device manufacturer and models• ApplicationsSee Application choosers in this section for more information



• Rank• Application / [App-Category] • Average Number of Distinct Active

Sessions (per day)• Total Traffic Volume (Mbytes)• Total Number of Conn Setups

• Total Airtime (Hours)• Total Number of Flows • Total Number of Packets • Realm(s)





You can select one of the following fields as the sorting index: • Number of Distinct Active Sessions• Traffic Volume• Number of Conn Setups• Airtime• Number of Flows• Number of Packets


(1 of 2)



Parameters overview for applications reports


Fields that can be plotted and/or tabulated for application reports

Following are the fields that you can use to plot and/or tabulate applications reports:

• Flow Count• Total (Up+Down) Volume

• Uplink Volume• Downlink Volume


• Total (Up+Down) # Conn Setups (Sum)• Uplink (Up+Down) # Conn Setups (Sum)• Downlink (Up+Down) # Conn Setups (Sum)

• Total (Up+Down) # Conn Setups (Rate)• Uplink (Up+Down) # Conn Setups (Rate)• Downlink (Up+Down) # Conn Setups (Rate)

• Total (Up+Down) Packets• Uplink (Up+Down) Packets• Downlink (Up+Down) Packets

• Airtime• Path Loss Rate• Downlink Thruput• Average RAN Handshake RTT• Average RAN RTT

Configuring application parameters

There are two general types of configuration options for application parameters:

• Application choosers• Application filters



Remarks Limits to the number of applicationsIf the specified day range contains more than one day, the maximum number applications N is 50. If the specified day range is exactly one day, the maximum number applications N is 1,000.


(2 of 2)



Application choosers

For most reports in this section, three fields serve as application choosers. By making choices on these input parameters, you specify the applications to be compared by specifying the following application properties:

• Application categories—Application categories are configured using the 9900 WNG GUI client. If an application category is chosen, on the final chart of table, the label of the category is enclosed in a pair of square bracket, so that you can distinguish it from other labels for individual applications.

• Configured application—Configuration of application (giving a combination of protocol, port number, and/or server address a symbolic name such as “streaming”, “VPN”, and so forth) is done using the 9900 WNG GUI client.

• Unconfigured applications

The set of applications defined by three fields are combined to create a final set of applications to be compared. Although none of the three input parameters is mandatory, you should specify at least one non-empty answer for one of these three fields. If you do not select any application from these fields, you can generate a report with no data.

Application filters

For the Hour-of-day trend comparing days and Hour-of-day trend comparing days of week reports, applications are specified using application filters instead of application choosers.

The main difference between application filters and choosers is that, for reports using applications filters, in the final plot or table, you do not see individual applications or application categories. Rather, you see the overall traffic data after these filters are applied.

Similar to application choosers, application filters also are comprised of the following fields:

• Application categories• Configured applications• Unconfigured applications

Parameters for application choosers start with the word Choose ..., and parameters for application filters start with the word Filtered ….

For each application chooser, there is an option, #None# (do not choose any), whereas for each application filter, there is a option, #All# (filter in all).

31.9 Devices reports

This section describes reports that you can generate for devices. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for devices reports.



Description of device reportsYou can generate the following device reports:

• Hour-of-day trend comparing manufacturers report• Hour-of-day trend comparing models report• Time plot comparing manufacturers report• Time plot comparing models report• Table comparing manufacturers report• Table comparing models report• Performance KPI by manufacturer/model report

Hour-of-day trend comparing manufacturers report

This report displays a time-series chart that plots and compares the hour-of-day trend of devices from different manufacturers.

Table 31-54 Hour-of-day trend comparing manufacturers report

Hour-of-day trend comparing models report

This report displays a time-series chart that plots and compares the hour-of-day trend for different device models.





For the list of fields that can be plotted, see Fields that can be plotted and/or tabulated in device reports in this section.The following filters are available:• Time period filtersto display data about the cell during specified time period or range of dates.



• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device manufacturers to compare



Remarks Hour-of-day trend is always from midnight to midnight. If the specified time range contains more than one day, the data within the same hour (for example, 0:00-1:00) for the different days is averaged and the resulting value is displayed in this report.



Table 31-55 Hour-of-day trend comparing models report

Time plot comparing manufacturers report

This report displays a time-series chart that plots and compares traffic data of devices from different manufacturers.

Table 31-56 Time plot comparing manufacturers report





For the list of fields that can be plotted, see Fields that can be plotted and/or tabulated in device reports in this section.The following filters are available:• Network type filterto display data about a specified type of mobile network, such as 1xRTT,

CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device models to compare



Remarks Hour-of-day trend is always from midnight to midnight. If the specified time range contains more than one day, the data within the same hour (for example, 0:00-1:00) for these different days is averaged and the resulting value is displayed in this report.






CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device manufacturers to compare





Time plot comparing models report

This report displays a time-series chart that plots and charts traffic data from different devices.

Table 31-57 Time plot comparing models report

Table comparing manufacturers report

This report displays a table that lists six different fields that compare traffic data from devices of different manufacturers.

Table 31-58 Table comparing manufacturers report






CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device models to compare



Remarks For more information about bout Manufacturers versus Models and a list of fields that can be plotted, see Manufacturers versus Models in this section.





Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated in device reports in this section. The following filters are available:• Network type filterto display data about a specified type of mobile network, such as 1xRTT,

CDMA, EVDO, GPRS, and UMTS• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device manufacturers to compare

(1 of 2)



Table comparing models report

This report displays a table that compares traffic data for different device models.

Table 31-59 Table comparing models report

Performance KPI by manufacturer/model report

This report compares the following data for different manufacturers or models:

Table 31-60 Performance KPI by manufacturer/model report




(2 of 2)





Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated in device reports in this section. The following filters are available:


• Realm filterto display data for specified realms• RNC filtersto specify one or more RNCs• Application categories• Configured applications• Unconfigured applications• Device models to compare



Remarks For more information about Manufacturers versus Models and a list of fields that can be plotted, see Manufacturers versus Models in this section.

• Saturated Throughput (Kbps)• Packet Loss % • Average RTT (ms) • Device Count

• Volume (MB) • Signaling ('000) • Airtime (Hrs)




(1 of 2)



Parameters overview for device reports


Fields that can be plotted and/or tabulated in device reports

The following fields can be plotted in the device reports. You can choose one of the following parameters:

• Flow Count• Total (Up+Down) Volume

• Uplink Volume• Downlink Volume


• Total (Up+Down) # Conn Setups (Sum)• Uplink (Up+Down) # Conn Setups (Sum)• Downlink (Up+Down) # Conn Setups (Sum)

• Total (Up+Down) # Conn Setups (Rate)• Uplink (Up+Down) # Conn Setups (Rate)• Downlink (Up+Down) # Conn Setups (Rate)

• Total (Up+Down) Packets• Uplink (Up+Down) Packets• Downlink (Up+Down) Packets

• Airtime• Path Loss Rate• Downlink Thru’put• Average RAN Handshake RTT• Average RAN RTT


You must choose to compare the data as follows:• by manufacturer or model • by subscriber group. See chapter 32 for information about subscriber groups.

You can sort the tabular data according to one of seven numeric fields and in ascending or descending order.




(2 of 2)



Manufacturers versus Models

Most reports in this section come in pairs of variants: comparing manufacturers and comparing models. Two different manufacturers can assign the same model name to two different phone models, therefore in these reports, the term Model refers to the manufacturer name concatenated with model name.

31.10 Troubleshooting

Table 31-61 provides tips for troubleshooting report errors.

Table 31-61 Troubleshooting

Note In this release, the 9900 WNG system cannot decode CDMA device ESNs and MEIDs to their model names; the model name field for all CDMA devices displays an empty string. For CDMA networks, the two variants of the same report are effectively identical.

Problem Solution

No data is shown on the report Verify that the parameter values are correct or try different parameter values. If you applied filters to the report, modify the filters to gather more data.

An exception is displayed when you generate a report

Send the exception message as well as the report name and chosen parameter values to your 9900 WNG technical support representative.

The report is taking a long time to run (more than 15 minutes)

Run the report with a smaller date range.

The report appears with broken links instead of charts

Re-run the report using a smaller number of data points. For example, specify a smaller date range or change the time resolution from minute to hour. You can also try to run the report with Show only raw data option selected.




32 Subscriber Group Manager

32.1 Subscriber Group Manager overview 32-2

32.2 Subscriber Group Manager page components 32-2

32.3 Creating a subscriber group 32-3

32.4 Searching for a subscriber 32-4

32.5 Changing the subscriber group view 32-4

32.6 Importing subscriber data 32-5



32.1 Subscriber Group Manager overview

The Subscriber Group Manager page provides operators and network analysts with the capability to create subscriber groups by which to manage a large number of subscribers. The Subscriber Groups page is web-based and is accessed from the Group Manager link on the 9900 WNG Central Home page.

Interactions with web-based subscriber reportsThe groups that you configure in the Subscriber Group Manager can be used as filter criteria in the following web-based reports:

• Overall subscriber cumulative distribution report• Top Mobiles reports• Performance KPI by manufacturer/model report

32.2 Subscriber Group Manager page components

Figure 32-1 shows the Subscriber Group Manager page.

Figure 32-1 Subscriber Groups Manager page

21184

SubscriberGroup control

panel

GroupTypes

selector

Searchpanel

SubscriberGroup tab

GroupEditor tab

Create newgroup button

Delete groupbutton

Import databutton

Subscriberdata table

Sort ascending/descending

button

Group Editortable controls

Status icons



Table 32-1 lists the components in the Subscriber Groups Manager page.

Table 32-1 Subscriber Groups Manager page components

32.3 Creating a subscriber group

Procedure 32-1 describes how to create a subscriber group.

Procedure 32-1 To create a subscriber group


2 Click on the Group Manager link. The subscriber group page appears with the Subscriber Groups tab displayed.

3 Click on the Create new Group button. The Create Group pop-up window appears.

4 Enter a group name and click OK. The subscriber group that you created appears as a folder in the Subscriber Group panel.

5 Add subscribers to the group by doing one of the following:

a Search for a subscriber, as described in Procedure 32-2. Select the subscriber from the results list and drag and drop the data to the member list in the Edit Group panel

b Add a list of imported subscribers, as described in Procedure 32-4.


Group Type selector panel Pick list from which you can select the type of groups to manage. The supports the following Group type: Subscriber

Subscriber Groups tab Lists the subscriber groups

Group Editor tab Workspace to create a group, or to add or remove subscribers to/from a group

Subscriber Group control panel Contains three buttons:• Create new groupSee section 32.3 for information about how to use the

create new group function.• Delete groupto delete a selected group.• Import datato import a list of subscribers. See section 32.6 for

information about how to use the import function.

Subscriber data table Data for the members of the subscriber group are arranged in a table with the following columns:• Identifiers such as:

• IMSI/NAI• IMEI/MEID/ESN• MSISDN/MSID

• Severity

Group Editor table controls See Procedure 32-3



32.4 Searching for a subscriber

Procedure 32-2 describes how to search for a subscriber.

Procedure 32-2 To search for a subscriber



3 Configure the following search parameters:

i Choose one of the following:

• IMSI/NAI• IMEI/MEID/ESN• MSISDN/MSID

ii Enter a value in the Search String field

iii Choose a value from the Filter by Realm/APN drop-down menu.

4 Click on the Search button. The search results appear in a tab in the Subscriber Group panel.

32.5 Changing the subscriber group view

Procedure 32-3 describes how to use the features in the Group Editor panel to change the view of a subscriber group.

Procedure 32-3 To change the subscriber group view



3 Double-click on the subscriber group in the Subscriber Group tab that you need to manage. The data for the group appears in a tab in the Group Editor panel.

4 Right-click on the column header to perform one of the following, as required:

a Sort the columns in ascending or descending order.

b Choose the columns that you need to display.



c Group the data in a column.

d Freeze the data in a column.

32.6 Importing subscriber data

Procedure 32-4 describes how to import subscriber data into the Subscriber Group Manager.

Procedure 32-4 To import subscriber data



3 Click on the Import data button. The file upload pop-up window appears.

4 Click on the Browse button to navigate to a pre-prepared list of subscribers

5 Click on the Submit button to retrieve the data.




Network anomaly reporting and management

33 Threat detection and network anomaly events 33-1



33 Threat detection and network anomaly events

33.1 Threat detection and network anomalies overview 33-2

33.2 Threat detection in a CDMA network 33-2

33.3 Threat detection in a UMTS network 33-3

33.4 High-level workflow to investigate an anomaly event 33-5

33.5 Network anomaly events 33-6

33.6 Wireless attack events 33-7

33.7 Port scans and unwanted source events 33-14

33.8 Abusive subscriber events 33-17

33.9 Specifying the threshold values for anomaly events 33-21



33.1 Threat detection and network anomalies overview

See chapter 22 for information about real-time events and the

33.2 Threat detection in a CDMA network

The 9900 WNG system monitors mobile data traffic sessions in CDMA networks, analyzes the session behavior, and raise alarms based on previously defined threats.

Figure 33-1 shows a high-level overview of where threats occur in a CDMA network.

Figure 33-1 Threats in a CDMA network

In a CDMA network, the 9900 WNG Detector snoops mirrored traffic on the following interfaces:

• The interface between the PDSN and the AAA (bidirectional traffic) • The interface between the PDSN and the HA

Figure 33-2 9900 WNG Detector in a CDMA network



The 9900 WNG detector snoops the accounting records sent by the PDSNs to the AAA server, which allows the detector to relate IP traffic to wireless network elements such as HAs, PDSNs, RNCs, and Mobile device/subscription.

The 9900 WNG Detector obtains the packets from the mirrored ports and extracts the necessary information from the packet headers such as source/destination IP addresses and port, protocol, packet size, and arrival time.

Inputs and outputs

The inputs to the 9900 WNG Detector include the following:

• All incoming and outgoing subscriber data traffic• Simple IP traffic• Mobile IP (MIP) — IP-IP tunneled

• Signaling traffic to relate IP traffic to subscriber/device/network elements• MIP signaling traffic• AAA/RADIUS

The output of the 9900 WNG Central device includes the following:

• Anomaly events • Mobile Flow records: flow records enhanced with wireless-specific information • Network statistics: top mobile/server, traffic/resource usage classification • Network elements status updates, for example, HA, PDSN, and CDMA RNC• Reports

Maximum number of CDMA monitored sessions

Each 9900 WNG Detector can observe up to 1Gb of bidirectional traffic and up to 500 000 active sessions.

33.3 Threat detection in a UMTS network

The 9900 WNG system provides the capability for observing mobile data traffic sessions in UMTS networks, analyze the session behavior and raise alarms based on the threats defined previously.

Figure 33-3 shows a high-level overview of where threats occur in a UMTS network.



Figure 33-3 Threats in a UMTS network

In a UMTS network, the 9900 WNG Detector observes mirrored traffic on the following interfaces:

• The interface between the SGSN and the AAA (bidirectional traffic) • The interface between the SGSN and the GGSN

Figure 33-4 9900 WNG Detector in a UMTS network

The 9900 WNG detector snoops the accounting records sent by the SGSNs to the AAA server, which allows the detector to relate IP traffic to wireless network elements such as GGSNs, SGSNs, RNCs, and Mobile device/subscription.

The 9900 WNG Detector obtains the packets from the mirrored ports and extracts the necessary information from the packet headers such as source/destination IP addresses and port, protocol, packet size, and arrival time.



Inputs and outputs

The inputs to the 9900 WNG Detector include the following:

• All incoming and outgoing subscriber data traffic - Simple IP traffic• Signaling traffic to relate IP traffic to subscriber/device/network elements - GTP

traffic

The output of the 9900 WNG Central device includes the following:

• Anomaly events • Mobile Flow records: flow records enhanced with wireless-specific information • Network statistics: top mobile/server, traffic/resource usage classification • Network elements status updates, for example, GGSN, SGSN, and RNC• Reports

Maximum number of UMTS monitored sessions

Each 9900 WNG Detector can observe up to 1Gb of bidirectional traffic and up to 500,000 active sessions.

33.4 High-level workflow to investigate an anomaly event

Perform Procedure 33-1 to investigate an anomaly event.

Procedure 33-1 To investigate an anomaly event


2 Choose the Anomaly Events from the Navigation menu.

3 From the Recent Anomaly Events tab, select an anomaly event from the list of events by clicking on its row. The Event Details panel displays details for the event. The fields that appear depend on the type of event.

4 Double-click on the Corr ID or Attacker IP field in the Event Details panel to display the Forensic View page.

5 Select an event by clicking on a row, then click on the Mobile Flow button in the Forensic view to display the mobile flow records for the event.



6 Analyze the mobile flow data and the resource usage.

7 Take corrective action to mitigate:

• Filter the malicious source• Add filter rules to Firewall/IPS• Add filter rules to the Router ACL

• Contact or disable accounts for abusive subscribers for the following event type:

• Overload RNC

33.5 Network anomaly events

9900 WNG Detector events are functional events that are monitored by the 9900 WNG system, not the events that are related to the operation of the WNG 9900 system itself. See chapter 38 for information about operational system events.

Network anomaly events are events that are detected by algorithms in the 9900 WNG Detector that indicate an attack on a specific wireless device, a security event such as a port scan, or a potential fraud or violation of a service agreement. Table 33-1 lists the anomaly events.

Table 33-1 Network anomaly events

9900 WNG event name Event name

Wireless attack events



BATTERY_ATTACK_DISTRIBUTED Battery attack from a group of sources

RNCOverload RNC Overload



ICMP_ROUTER_DISCOVERY_ABUSE ICMP router discovery abuse

Port scans and unwanted source events




Abusive subscriber events







33.6 Wireless attack events

The 9900 WNG system monitors the following wireless attack events.

Signaling attacks from a single source

A malicious source triggers excessive amount of radio connection setup and release. For example, the source sends one unsolicited packet per mobile to a large number of mobiles triggering one connection setup per mobile. Attacking packets can be any form, for example, a TCP, UDP, or ICMP packet.

Severity

Major

Impact to the network

A signaling attack from a single source has the following impact to the network:

• Causes an overload signal processing unit at RNC• Congests paging channels at BTS• Wastes air time

Event reporting

When an RNC signaling attack is detected, the following information related to the event is reported:

• Internet source: IP address• Mobile source: IP source, Network access Identifier (NAI), Mobile Station

Identifier (MSID), Electronic Serial Number (ESN), International Mobile Equipment identifier (IMEI), International Mobile Subscriber Identity (IMSI), Mobile Station integrated Services Digital Network Number (MSISDN)

• Intensity

Event thresholds

The event is reported when the number of connection setups exceeds the specified threshold.

To display current settings, enter the following command:

detector:detector99# show detectionThresholds sigAttack

4 signalAttackThresholds

• Signaling attacks from a single source

• Battery attacks from a single source• Distributed battery attacks• RNC overloads

• Single source mobile floods• Distributed mobile floods• ICMP router discovery abuses



600

800

900

1000

To modify the threshold settings, see section 33.9.

Related events

A single source attack may trigger the following related anomaly events:

• RNCOverload• PORTSCAN_HORIZ• UNWANTED_SRC

Battery attacks from a single source

A malicious source forces a mobile device to hold radio resources unnecessarily long by periodically sending a small packet to a mobile device to reset the inactivity timer.

Severity

Minor


A battery attack has the following impact to the mobile device and the network:

• Drains the battery of the mobile device• Wastes air resources that otherwise would be used by other mobiles• Can cause a call to be blocked due to channel exhaustion when multiple mobile

devices are attacked at the same time

Event information

The following information is reported for a battery attack event:

• Internet source: IP address• Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity

Event thresholds

To display current thresholds, enter the following command:

detector:detector99# show detectionThresholds batteryAttack

4 batteryAttackThresholds



0.01

0.05

0.1

0.5


Related events

A battery attack may trigger the following related anomaly events:

• PORTSCAN_VERT • P2P_MOBILE

Distributed battery attacks

A group of sources force a mobile to hold radio resources unnecessarily long, for example, the aggregated traffic from multiple sources drain the mobile battery.

Severity

Minor


A battery_attack_distributed event has the following impact to the network:

• Drain mobile battery• Waste air resources which otherwise would be used by other mobiles• Could cause call blocks due to channel exhaustion when attacking many mobiles

at the same time

Thresholds

To display current thresholds, enter the following command:

detector:detector99# show detectionThresholds batteryAttack

5 batteryAttackThresholds

0.5

0.6

0.7

0.8

0.99




Event information

A battery-attack event reports the following information:

• Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity

Related events

A battery-attack event may trigger the following related anomaly events:

• P2P_MOBILE

RNC overloads

The number of connection setups an RNC handles approaches or exceeds its design capacity.

Severity

Critical


An RNC overload can cause denial of service to a new connection request, resulting in call drops.

Thresholds

The threshold for an RNC overload event is the number of connection setups/sec the RNC comfortably handles. To display current settings, enter the following command:

detector:detector99# show detectionThresholds rncOverload

5 rncLoadThresholds

6000

12000

18000

24000

36000


Event information

An overload event reports the following information:

• Intensity• Victim RNC IDeshold <



Related events

An RNC Overload event may also trigger a single source signaling attack event (SIGATTACK_SINGLE_SRC).

Single source mobile floods

A source sends unsolicited traffic to a mobile exceeding/close to mobile’s link capacity.

Severity

Minor


A flood_mobile_single_src event has the following impact to the network:

• Traffic denial of server to mobile, possibly also network• Waste network resource

Event information

A flood_mobile_single_src event reports the following information:

• Attacker:• IP address • Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN

• Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Total unsolicited bytes contributed by the source

Thresholds

This event is generated when a source sends unsolicited traffic to mobile exceeding/close to mobile’s link capacity. To display the current thresholds, enter the following command:

detector:detector# show detectionThresholds floodMobileSingleSrc

5 floodMobileSingleSrcThresholds

5000000

10000000

20000000

40000000

80000000




Related events

A flood_mobile_single_src event may trigger the following related events:

• UNWANTED_SRC

Distributed mobile floods

Unsolicited traffic from multiple sources to mobile exceeding or close to the link capacity.

Severity

Minor


A floodMobileDistributed event has the following impact to the network:

• Traffic denial of server to mobile, possibly also network• Waste network resource

Event information

A floodMobileDistributed event reports the following information:

• Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Total unsolicited bytes contributed by the sources

Thresholds

This event is generated when unsolicited traffic from multiple sources to a mobile is equal to or exceeds the mobile’s link capacity in a specified time period. To display the current thresholds, enter the following command:

detector:detector# show detectionThresholds floodMobileDistributed

5 floodMobileDistributedThresholds

10000000

20000000

40000000

80000000

160000000


Related events

A floodMobileDistributed event may trigger an UNWANTED_SRC event.



ICMP router discovery abuses

Illegitimate ICMP router discovery messages going to mobiles.

Severity

Major


A routerDiscoveryAbuse event has the following impact to the network:

• Victim mobile gets disconnected from the network

Event information

A routerDiscoveryAbuse event reports the following information:

• Source of ICMP message• Intensity

Thresholds

This event is generated when the number of illegitimate ICMP router discovery messages equals or exceeds a defined threshold within a specified period. To display the current thresholds, enter the following command:

detector:detector# show detectionThresholds routerDiscoveryAbuse

5 routerDiscoveryAbuseThresholds

2

5

10

20

50

To modify the threshold settings, see 33.9.

Related events

A routerDiscoveryAbuse event may trigger the following related events:

• None



33.7 Port scans and unwanted source events

The 9900 WNG system monitors the following port scan and unwanted source events.

• Horizontal port scan events• Vertical port scan events• Unwanted source

Horizontal port scan events

A malicious source sends probe packets of same destination port to a large number of victims to explore potential vulnerability, such as in an Internet worm propagation or Botnet compromise.

Severity

Major


A horizontal port scan exposes mobile devices to a security risk. In addition, it wastes bandwidth, air time, and signaling resources.

Event information

A horizontal port scan event reports the following information:

• Internet source: IP attacker• Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Scanned port• Number of distinct hosts scanned

Event threshold

This event is generated when the number of distinct hosts probed exceeds a specified threshold. To display the current thresholds, enter the following command.

detector:detector99# show detectionThresholds portScanHoriz

5 portscanHorizontalThresholds

240

360

480

640

720




Related events

A horizontal port scan event may trigger the following related anomaly events:

• SIGATTACK_SINGLE_SRC • RNCOverload• UNWANTED_SRC

Vertical port scan events

In a vertical port scan event, a malicious source sends probe packets of different destination port of the same host to explore potential vulnerability, for example, Botnet compromise.

Severity

Major


A vertical port scan exposes mobile devices to a security risk. In addition, it wastes bandwidth, air time, and signaling resources.

Threshold for vertical ports scan

The threshold for a vertical port scan is the number of distinct ports probed at the same victim. To display current settings, enter the following command:

detector:detector99# show detectionThresholds portScanVert

5 portscanVerticalThresholds

120

240

360

480

640


Event information

A vertical port scan event reports the following information about the malicious source:

• Internet source: IP• Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity



• Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Number of distinct ports scanned

Related events

A vertical port scan event may trigger the following related events:

• BATTERYATTACK_SINGLE_SRC• UNWANTED_SRC

Unwanted source

A source contributes a large amount of unsolicited traffic.

Severity

Major


An unwanted source has the following impact to the network:

• wastes network resources • poses potential security threats

Threshold

Measures the amount of unsolicited traffic (bytes) from the source during a 2 hour interval. To display current thresholds, enter the following command:

detector:detector99# show detectionThresholds unwantedSrc

4 unwantedThresholds

10000000

20000000

30000000

40000000


Event information

An unwanted source event reports the following information:

• Internet source: IP• Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Number of distinct destinations of unsolicited traffic• Total unsolicited bytes contributed by the source



Related events

All anomaly events could contribute to unwanted traffic.

33.8 Abusive subscriber events

The 9900 WNG system monitors the following abusive subscriber events.

• High-usage subscriber events• High signaling subscriber event• Always-active subscriber• Peer-to-peer mobile traffic events

High-usage subscriber events

A subscriber consumes excessive amounts of bandwidth.

Severity

Minor


The impact of a high-usage subscriber is as follows:

• Abuses network resources• Congests the network

Thresholds

The threshold measured is the total traffic volume (bytes) during a two hour period. To display the current settings, enter the following command:

detector:detector99# show detectionThresholds highUsage

5 highUsageThresholds

20000000

40000000

60000000

80000000

100000000




Event information

A high-usage event reports the following information:

• Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Upload volume (in bytes)• Download volume (in bytes)

Related events

A high-usage event may trigger the following related anomaly events:

• P2P_MOBILE• ALWAYS_ACTIVE_SUB

High signaling subscriber event

A mobile subscriber triggers excessive connection setups.

Severity

Minor


A highSignalingSubscriber event has the following impact to the network:

• Overload RNC• Occupy radio channels

Thresholds

The threshold measured is the number of connection setups during a specified watching window (2 hours). To display the current settings, enter the following command:

detector:detector99# show detectionThresholds highSignalingSubscriber

5 highUsageThresholds

240

360

480

600

720




Event information

A highSignalingSubcriber event reports the following information:

• Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity• Number of connection setups triggered

Related events

A highSignalingSubcriber event may trigger the following related anomaly events:

• P2P_MOBILE

Always-active subscriber

A mobile subscriber consumes excessive amounts of air time.

Severity

Minor


An always-active device holds on a radio channel that would otherwise be used by other mobile device.

Thresholds

This event is generated when a subscriber is active for a period that exceeds the specified thresholds. To display the current threshold settings, enter the following command:

detector:detector99# show detectionThresholds alwaysActive

5 highAirtimeThresholds

0.5

0.6

0.7

0.8

0.9


Event information

An always-active event reports the following information:

• Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN• Intensity



• Fraction of active time - The fraction of active time for a mobile is the fraction of time that the mobile holds the radio channel with respect to a pre-defined watching window. The fraction of active time is calculated as:active_time_in_watching_window/watching_window_length.

• Current session start time

Related events

An always-active subscriber event may trigger the following related anomaly events:

• HIGH_USAGE_SUB• P2P_MOBILE

Peer-to-peer mobile traffic events

A mobile subscriber uses P2P file sharing application, such as, EDonkey, BitTorrent, or Kazaa.

Severity

Minor


Peer-to-peer traffic consumes significant amounts of network capacity and increases bandwidth cost per subscriber, and can therefore lead to significant lost revenue for the service provider.

Event information

The system reports the following information about P2P event:

• The following information about the offending subscriber:• IP address• NAI• MSID• ESN• IMEI• IMSI• MSISDN

• Intensity• Number of originating peers• Number of responding peers• Type of applications• Uplink volume• Downlink volume



Thresholds

This event is generated when the volume of a subscriber’s traffic volume (in bytes) exceeds the specified threshold. To display the current thresholds, enter the following command:

detector:detector# show detectionThresholds p2pMobile

5 p2pMobileThresholds

100

200

400

600

1000


Related events

A P2P event may trigger the following related events:

• High usage subscriber event (HIGH_USAGE_SUB)• Always-active subscriber (ALWAYS_ACTIVE_SUB)• Single source battery attack (BATTERYATTACK_SINGLE_SRC)

33.9 Specifying the threshold values for anomaly events

Perform Procedure 33-2 to specify the threshold values for an anomaly event.

Procedure 33-2 To specify the threshold values for an anomaly event


2 Log in to the 9900 WNG Detector, as described in Procedure 14-3.

3 Type the following command:

detector:central99# detectionThresholds event thresh1 [thresh2] [thresh3] [thresh4] [thresh5] ↵

where:event is the type of anomaly eventthresh is the threshold value

Table 33-2 lists the anomaly events (event) and the threshold values (thresh) for each event. You can specify up to five threshold values.



Table 33-2 Threshold and threshold values for each anomaly event

Setting for event Threshold measured Threshold (thresh) value range

alwaysActive The fraction of active time within the watching window.

0.0 to 1.0

batteryAttackSingleSrc Measures the air resource efficiency, that is, how efficient the air resource is used for data transfer. This value represents a fraction of time within the watching window.

0.0 to 1.0

batteryAttackDistributed The fraction of active time within the watching window.

0.6 to 0.99

floodMobileDistributed Measures the amount of unsolicited traffic (bytes) from the source going to the mobile during a watching window.

10M to 160M

highSignalingSubscriber Measures the number of connection setups during a specified watching window.

240 to 720

highUsage Measures the total traffic volume (byte) used in a watching window.

0 to 100 000 000

sigAttackSingleSrc The number of connection setups triggered by source in watching window.

0 to 1000

p2pMobile Total traffic volume (byte) used in watching window.

0 to 1000

portScanHoriz Number of distinct hosts probed during a two hour period

0 to 1000

portScanVert Number of distinct hosts probed in watching window.

0 to 1000

rncOverload Number of connection setups/sec the RNC comfortably handles.

0 to 10 000 000

routerDiscoveryAbuse Number of illegitimate ICMP router discovery messages equal to or exceeding a defined threshold within a specified period.

2 to 50

floodMobileSingleSrc Measures the amount of unsolicited traffic (bytes) from the source during the watching window.

5M to 80M

unwantedSrc Amount of unsolicited traffic (bytes) from the source during 2 hour interval.

0 to 500 000 000

Alcatel-Lucent 9900WIRELESS NETWORK GUARDIAN | RELEASE 2.1S Y S T E M A D M I N I S T R A T I O N A N D S E C U R I T Y G U I D E


S Y S T E M A D M I N I S T R A T I O N A N D S E C U R I T Y G U I D E





Disclaimers






Security and user account administration

34 Security overview 34-1

35 Managing licenses 35-1

36 User account management 36-1



34 Security overview

34.1 Security overview 34-2



34.1 Security overview

Figure 34-1 shows the external interfaces of the 9900 WNG system and the protocols that are implemented to help secure these external interfaces.


Table 34-1 describes the features and protocols that you can use to secure the 9900 WNG system from unauthorized access.

Table 34-1 9900 WNG security features and protocols

Protocol or feature Purpose

SSL SSL provides authentication and encryption for TCP clients and is used to secure HTTP connections. In addition, SSL provides CLI access. The HTTPS protocol provides a secure web client and server for web-based reporting.

(1 of 2)



SSH protocol SSH is a software solution for unsafe network commands such as rlogin, rsh, rcp, and Telnet.SSH is used to access the 9900 WNG Detector from 9900 WNG Central using shared key pairs.

SNMPv3 SNMPv3 provides encryption and encapsulation for management traffic between the NMS and 9900 WNG Central.

Role-based access control Ensures that each user performs only those tasks that are allowed by their role. See chapter 36 for more information.

Strong password authentication rules

Helps to prevent other users or programs from guessing a password

Security logging Tracks user access data, such as user ID and number of login attempts, is stored in log files. Unauthorized user access is reported.

Protocol or feature Purpose

(2 of 2)




35 Managing licenses

35.1 Viewing the current license status 35-2

35.2 Viewing license violation system events 35-2



35.1 Viewing the current license status

Information about the installed license and the current status relative to the license limits can be observed using the CLI. The show license command displays the license limit, current observed sessions, as well as the maximum number of sessions seen so far. This command also indicates whether there is a license violation. For more information, see section 35.2.

Perform Procedure 35-1 to view licensing information using the CLI.

Procedure 35-1 To view licensing information using the CLI

1 Log into the CLI, as described in Procedure 14-1 or 14-2.

2 Show the license by typing:

show license ↵

The following is an example of the output:

central# show license

License Information:

--------------------

License Version: 1.2

Maximum number of active subscriber sessions allowed: 2000000 License expiration date: Mon Jan 18 22:14:07 EDT 2038

Current License Violation Status:

---------------------------------

No Violation

Current active subscriber sessions: 756

Maximum number of subscriber sessions seen so far: 912 License Quantity: 2000000

central#

35.2 Viewing license violation system events

Table 35-1 describes license system events. The events appear in the System Event View of the GUI and are sent as SNMP traps to northbound NMS.



Table 35-1 License system events

License system event Description

License Violation/Invalid License

This event is generated if the license is not valid or if the hostid is incorrect.

License Violation/Expired License

This event generates a warning alarm if the license expires in 5 days. A critical alarm is generated if the license has expired.

License Violation/Max Sessions Exceeded

This warning event is generated when the number of mobile sessions is greater than or equal to 85% of the maximum session limit as determined in the license file. A critical system event is generated when the maximum session limit is exceeded. The warning system event is cleared when the number of sessions is less than or equal to 80%. The number of observed mobile sessions is calculated by adding all of the sessions that are observed by all 9900 WNG Detectors that are in the network.




36 User account management

36.1 User account management overview 36-2

36.2 Managing user accounts 36-4

36.3 Monitoring user accounts 36-10



36.1 User account management overview

Using the CLI, accounts are created on 9900 WNG Central by a user with the sudo privilege. The accounts that are created for internal interfaces have three types of roles, which are CLI, GUI, and Reports. When you create the CLI role, the GUI and Reports roles are automatically created.

Roles

Each role has privileges, which determines the tasks that can be performed and the information that can be displayed. Table 36-1 describes the roles that can be created.

Table 36-1 Roles

Privileges

Each role has associated privileges. The CLI role has only one associated privilege, but the GUI and Reports roles can have multiple privileges. Table 36-2 describes the privileges for each role.

Table 36-2 Privileges for each role

Role Description

Internal interface

CLI Creates GUI and Reports roles. See chapter 14 for more information about the CLI role.

GUI Used to access the GUI

Reports Used to access the web-based reports

External interface

SNMP Sends SNMP messages to various components in a network

Motive API For customer care technicians to quickly access actual usage data for the subscribers

Privilege

As it appears on the CLI

As it appears on the GUI

Description

CLI role

sudo See Table 14-2

admin

user

reportsOnly To create the Reports role

demoonly To create the DemoOnly role

(1 of 2)



See Table 14-8 for a list of commands that are available for each account type on the 9900 WNG Central and Detector.

The CLI prompt indicates your privilege and whether you are on the 9900 WNG Central or Detector. See Table 14-5 for more information about the different prompts.

Modes

You can switch modes to move up or down a level in CLI. Mode switching ensures that accounts are identified and authenticated at login, and all activity is logged. See section 14.3 for more information.

Passwords

During initial installation, you must change the default password for the root login. Contact your Alcatel-Lucent technical support representative for the default password.

Passwords must be a minimum of 6 characters and a maximum of 41 characters for all roles. The password can also contain one more of the special characters that are listed in Table 36-3.

GUI

NE Network To access the Dashboard and Network Forensics views

ano Anomaly To view Performance Events. If you do not have the Anomaly privilege, you cannot view the Current and History events.

subs Subscriber To view subscriber identity information and to start a subscriber report or mobile flow query using an IMSI or NAI of the subscriber. If you do not have the Subscriber privilege, anomaly events do not display the identify of the subscriber

admin Admin To configure NEs, and acknowledge and clear system events

demo DemoOnly IP addresses are not displayed

Reports

NE Network If you do not have the Network privilege, you cannot start a Network Elements or Hops report

subs Subscriber To create subscriber groups. If you do not have the Subscriber privilege, you cannot start a subscriber report that requires the identity or a subscriber. The identify of the subscriber does not appear.

apps AppsDevices If you do not have the AppsDevices privilege, you cannot start a Applications or Device report

admin Admin To access the Group Manager interface. The Subscriber privilege is required to create subscriber groups.

demo Demo IP addresses are not displayed

Privilege

As it appears on the CLI

As it appears on the GUI

Description

(2 of 2)



Table 36-3 Special characters for passwords

The 9900 WNG supports password aging. Passwords are set to expire in 42 days. When your password expires, you are prompted to change your password at your next CLI log in.

The sudo privilege in the CLI is required to change the password for another account, but you can change your own password in the CLI. See Procedure 36-2 to change the password for another user and Procedure 36-4 to change your password.

36.2 Managing user accounts

You can use CLI commands to manage roles and privileges. Table 36-4 lists where to find information about how to manage roles and privileges.

Table 36-4 Procedures for managing roles

Special characters

~ ! @ # $ % ^

& * ( ) _ - + =

[ ] | \ ; :

< , > . ? /

Task See Procedure

CLI, GUI, or Reports role

To create a user account with CLI, GUI, and Reports roles 36-1

To change the password for another user 36-2

To change your password using the GUI 36-4

To modify the privileges for a role 36-5

To modify the name of an account 36-6

To reset the default timeout for all passwords 36-7

To reset the default timeout for a specific password 36-8

To set the idle timeout for user accounts 36-9

To disconnect one or all users from active GUI sessions 36-10

To delete a user account 36-11

SNMP role

To create an SNMP user account 19-2

To create a n SNMP group 19-2

To delete an SNMP user account 19-5

To delete an SNMP group 19-6

Motive API role

(1 of 2)



Creating a user accountPerform the following procedures to create different types of user accounts.

Procedure 36-1 To create a user account with CLI, GUI, and Reports roles

This procedure does not apply to SNMP or Motive API user accounts. See Procedures 19-2 or 20-1.

By default, the CLI role is created with default privileges for the GUI and Reports roles.


2 Type:

user add id password [cli_role] [firstname] [lastname] ↵

whereid is user login ID (username) that must have a minimum of 3 and a maximum of 31 alphanumeric characterspassword is the password for the account, which must contain a minimum of 6 and a maximum of 41 characters. See Table 36-3 for a list of special characters.cli_role is the CLI role for the user. The options are user, admin, sudo, reportonly, or demo.firstname is the first name of the user and can contain one or more special characterslastname is the last name of the user can contain one or more special characters

For example, the following command adds the new account jasadmin and assigns the password pwdjas02. The user, John Smith, has admin privileges.

user add jasadmin pwdjas02 admin John Smith ↵

3 Perform Procedure 36-5 to modify the default privileges for the GUI and Reports roles.

Changing passwordsPerform Procedure 36-2 to change the password for another user account. You must have the sudo privilege to change the password for another user. Perform Procedure 36-4 to change your password.

To create a Motive API user account 20-1

To delete a Motive API user account 20-2

Task See Procedure

(2 of 2)



Procedure 36-2 To change the password for another user


2 Change the password by typing:

user changepassword id ↵

where id is the name of an existing account

For example, the following command changes the password for jasadmin:

user changepassword jasadmin ↵

3 Enter the new password twice when you are prompted.

Procedure 36-3 To change your password using the CLI

1 Log in to the CLI, as described in Procedure 14-1 or 14-2.

2 Change the password by typing:

user changepassword id ↵

where id is the name of an existing account

For example, the following command changes the password for jasadmin:

user changepassword jasadmin ↵

3 Enter the new password twice when you are prompted.

Procedure 36-4 To change your password using the GUI

If you have the admin privilege for the GUI role, you can change your password from the GUI.


2 Click on the Change Password hyperlink. The Changing password on Central window appears, where Central is the name of the specific 9900 WNG Central.

3 Enter your current password and your new password, then confirm your new password.

4 Click on the Change button. The system confirms that your password has been changed.



Modifying privilegesPerform Procedure 36-5 to modify the privileges for a role.

Procedure 36-5 To modify the privileges for a role


2 Disconnect the user from the GUI session, if required, as described in Procedure 36-10.


a Go to step 4 to modify the privileges for a CLI role.

b Go to step 5 to modify the privileges for a GUI role.

c Go to step 6 to modify the privileges for a Reports role.

4 Modify the privilege for the CLI role by typing:

user modify group CLI id group ↵

whereid is the username of the accountgroup is the privilege, which can be sudo, admin, user, readonly, or demoonly. See Table 36-2 for more information.

5 Modify the privileges for the GUI role by typing:

user modify group GUI id gui_role1 [gui_role2] [gui_role3] [gui_role4] [gui_role5] ↵

whereid is the username of the accountgui_role1 is the privilege, which can be NE, ano, subs, admin, or demo. See Table 36-2 for more information.gui_role2 to gui_role5 are optional and can be NE, ano, subs, admin, or demo. See Table 36-2 for more information.

6 Modify the privileges for the Reports role by typing:

user modify group Reports id rep_role1 [rep_role2] [rep_role3] [rep_role4] ↵

whereid is the username of the accountrep_role1 is the privilege, which can be subs, NE, apps, demo, admin. See Table 36-2 for more information.rep_role2 to rep_role4 are optional and can be subs, NE, apps, demo, admin. See Table 36-2 for more information.

Modifying the name of an accountPerform Procedure 36-6 to modify the name of an account.



Procedure 36-6 To modify the name of an account


2 Assign a new name to an existing account by typing:

user modify name id [new_firstname] [new_lastname] ↵

whereid is the userame of the accountnew_firstname is the new first name of the accountnew_lastname is the new last name of the account

Setting the password timeoutPerform Procedure 36-7 to reset the default number of days before all passwords expire. Perform Procedure 36-8 to reset the default number of days before a specific password expires.

Procedure 36-7 To reset the default timeout for all passwords


2 Specify the default timeout for all passwords by typing:

user setDefaultPasswordAge days ↵

where days is the number of days before passwords expire for existing and new users. The default is 42 days.

Procedure 36-8 To reset the default timeout for a specific password


2 Specify the default timeout for an account by typing:

user modify PasswordAge id days ↵

whereid is the username of the accountdays is the number of days before the password expires for existing and new users. The default is 42 days.



Setting the idle timeoutPerform Procedure 36-9 to set the idle timeout for the GUI and Reports roles that have not had activity in a specified amount of time. The timeout prevents data accumulation when specific signaling messages are not viewed; for example, if a RADIUS accounting problem occurred in the service provider network and the RADIUS accounting responses were not delivered to the 9900 WNG. The idle timeout removes the sessions that are considered ended due to no activity. To display the idle timeout for the GUI and Reports roles, perform Procedure 36-14.

Procedure 36-9 To set the idle timeout for user accounts


2 Specify the idle timeout for all GUI and Reports roles by typing:

idleTimeout GUI | web timeout ↵

where timeout is the idle timeout in minutes. The range is 0 to 4 294 967 295. The default is 0. A value of 0 means no idle timeout.

Disconnecting usersPerform Procedure 36-10 to disconnect a specific user or all users that are connected to the GUI.

Procedure 36-10 To disconnect one or all users from active GUI sessions



a Go to step 3 to disconnect all users.

b Go to step 4 to disconnect one user.

3 Disconnect all users by typing one of the following:

guiDisconnect all clean ↵

guiDisconnect all clean noclean ↵

Note Alcatel-Lucent recommends that the timeout is set to a value that is greater than or equal to one day and the timeout can match any network timeout for subscriber sessions. For example, a subscriber session in some networks terminates after one day regardless of activity. In this case, Alcatel-Lucent recommends setting the timeout to one day.



Use the clean option before an upgrade to disconnect the existing sessions and reload the new configuration. Otherwise, use the noclean option.

4 Disconnect a user by typing one of the following:

guiDisconnect user id clean noclean ↵

guiDisconnect user id noclean ↵


Use the clean option before an upgrade to disconnect the existing sessions and reload the new configuration. Otherwise, use the noclean option.

Deleting user accountsPerform Procedure 36-11 to delete user accounts.

Procedure 36-11 To delete a user account

This procedure does not apply to an SNMP or Motive API user accounts. See Procedures 19-5 or 20-2.


2 Delete a user account by typing:

user delete id ↵




Y ↵

36.3 Monitoring user accounts

You can use CLI commands to monitor user accounts. Table 36-5 lists where to find information about how to monitor users accounts.

Table 36-5 Procedure for monitoring users

Task See Procedure

To display CLI, GUI, and Reports roles that are on the 9900 WNG Central 36-12

To display SNMP user accounts 19-7

(1 of 2)



Displaying user accountsPerform Procedures 36-12 to display all roles. Perform Procedures 36-13 to display roles with a specific pattern.

Procedure 36-12 To display CLI, GUI, and Reports roles that are on the 9900 WNG Central

This procedure does not apply to SNMP or Motive API user accounts. See Procedures 19-7 and 20-3.


2 Display all of the configured user accounts by typing:

show users ↵

Table 36-6 describes the information that appears for each user account.

Table 36-6 show users information

To display Motive API user accounts 20-3

To display user accounts with a pattern 36-13

To display the idle timeout for the GUI and Reports roles 36-14

Task See Procedure

(2 of 2)

Column Description

Name The first and last name of the user.

Login The login name for the user.

CLI Role The access level when the user is using CLI. The CLI roles are sudo, admin, user, readonly, and demoonly. See Tables 36-1 and 36-2 for more information about roles and privileges.

GUI Role The access level when the user is using the GUI. The GUI roles are NE, ano, subs, admin, and demo. See Tables 36-1 and 36-2 for more information about roles and privileges.

Reports Role The access level when the user is using the GUI. The Reports roles are NE, subs, apps, admin, and demo. See Tables 36-1 and 36-2 for more information about roles and privileges.



Procedure 36-13 To display user accounts with a pattern

This procedure does not apply to SNMP and Motive API user accounts.

1 Log in to the CLI with the any privilege, as described in Procedure 14-1 or 14-2.

2 Display the users with a specific characteristic by typing:

grep users pattern ↵

where pattern is a specific characteristic that applies to accounts; for example, all accounts with a specific name

Displaying idle timeoutsPerform Procedure 36-14 to display the idle timeout for the GUI and Reports roles.

Procedure 36-14 To display the idle timeout for the GUI and Reports roles

This procedure does not apply to SNMP and Motive API user accounts.


2 Display the idle timeout for all GUI and Reports roles by typing:

show idleTimeout GUI | web ↵

The timeout for all GUI and Reports roles appears.


System monitoring and administration

37 Monitoring the 9900 WNG Central and Detector 37-1

38 System events 38-1



37 Monitoring the 9900 WNG Central and Detector

37.1 Monitoring the 9900 WNG system 37-2

37.2 Monitoring the 9900 WNG using log files 37-2

37.3 Monitoring GUI reports and queries 37-10

37.4 Measuring system performance 37-12

37.5 Monitoring a remote 9900 WNG Central and Detector using the BMC 37-29



37.1 Monitoring the 9900 WNG system

The 9900 WNG includes tools that the system administrator can use to monitor the health of the 9900 WNG Central and Detector. The tools provide information to determine if there is a need to perform maintenance on the 9900 WNG system. Table 37-1 describes the monitoring tools and where to find more information.

Table 37-1 Monitoring the 9900 WNG system

37.2 Monitoring the 9900 WNG using log files

The 9900 WNG can log the following events:

• configuration management activities• software upgrades and updates• security related events (for example, user login attempts)• autonomous notifications• internal system errors and corrective actions taken• informational messages not associated with alarms or error conditions (for

example, state changes, status)

All log files have a maximum size of 10 MB. When a file has reached the maximum size, the log files rollover to another file, with up to seven such files for each log stored on disk.

Monitoring tool Description See

CLI-based monitoring tools

User accounts View information about accounts Section 36.3

Log reports View logs that monitor system events Section 37.2

View logs that monitor GUI-based activities

View Motive API logs Procedure

Performance measurements

View logs that measure system performance Section 37.4

BMC View reports that monitor remote 9900 WNG Central and Detector hardware

Section 37.5

GUI-based tools

Status LEDs Status indicators for the following:• database• anomaly events• system

9900 WNG status indicators in section 16.3

System events Query based reports about the following:• CPU Utilization• memory utilization• disk utilization• processes• hardware and software failures

Chapter 38



When you view log files on the CLI, log files are displayed in reverse order (that is, the most recent message received is displayed first in the log file).

Procedure 37-1 describes how to view 9900 WNG log files using CLI.

Procedure 37-1 To view 9900 WNG log files using CLI

1 Access the CLI, as described in Procedure 14-1 or 14-2.

2 Type a show command, as described in Table 37-2.

Table 37-2 CLI commands used for viewing log files

Sample log reports

The following sections show a sample for each type of system log that you can generate.

show log audit

The show log audit command contains all commands that different users have executed through the CLI. The following is sample output from the CLI screen:

CLI command Executed on Description

show log audit Central Displays the CLI logging information

show log central Central Displays the 9900 WNG WNG Central logging information

show log central-err

Central Displays error logging information

show log compression

Central Displays information about hourly and daily summaries

show log database

Central Displays information about the database

show log detector

Detector Displays 9900 WNG Detector logging information

show log gui Central Displays the GUI logging information

show log ipmi Central Displays BMC logging information

show log motive Central Displays the Motive API logging information

show log syslog Central and Detector

Displays the system level logging information

show log systemEvents

Central Displays all of the generated system events

show log webAccess

Central Displays the web access logging information



central> show log audit

May 8 09:19:38 central123.company.com slwhite1gui: central123.company.com. "show log audit"

May 8 09:18:40 central123.company.com slwhite1gui: central123.company.com. "show log syslog"

May 8 09:18:29 central123.company.com slwhite1gui: central123.company.com. "login slwhite1gui"

May 8 09:16:40 central123.company.com slwhite1gui: central123.company.com. "show log central"

show log central

The show log central command shows information on Central processes. For example, license loading errors and what is wrong with the license, as well as connections to the Detectors. The following is sample output from the CLI screen:

central> show log central

<13>May 08 08:53:48 WARNING: [DataBaseWriter] batch update failed with size=2, error code:22001

<15>May 08 08:38:52 INFO: [AwareCentral] Load license...SUCCESS



<13>May 06 23:15:51 WARNING: [DataBaseWriter] batch update failed with size=2, error code:22001

show log central-err

The show log central-err CLI command displays error logging information for the 9900 WNG Central. The following is sample output from the CLI screen.

central> show log central-err

Jun 29 14:01:03 aware-central99 anomalyArchival-7654: end:2010-06-29 14:01:01.000000000 -0400

Jun 29 14:01:01 aware-central99 anomalyArchival-7654: start:2010-06-29 14:01:01.000000000 -0400

Jun 29 13:24:01 aware-central99 hourlySummary-7270: Custom HourlySummary on 1277820000 took 0 seconds

Jun 29 13:24:01 aware-central99 HourlyNetworkSummary-7300: Hourly Network Summary took 67 seconds

Jun 29 13:22:54 aware-central99 hourlySummary-7270: HourlySummary 1277820000 took 31 seconds






Jun 29 13:20:12 aware-central99 flowSummary-7012: Custom FlowSummary on mobile_flow_record_20100629113359 took 0 seconds

Jun 29 13:20:12 aware-central99 flowSummary-7012: Compressing mobile_flow_record_20100629113359 took 694 seconds








Jun 29 11:56:36 aware-central99 flowSummary-4819: Custom FlowSummary on mobile_flow_record_20100629100709 took 0 seconds

show log database

The show log database CLI command displays information about the database. The following is sample output from the CLI screen.

central# show log database

Version: '5.1.45-enterprise-commercial-pro' socket: '/var/lib/mysql/mysql.sock' port: 3308 MySQL Enterprise Server - Pro Edition (Commercial)

100628 16:17:28 [Note] /usr/sbin/mysqld: ready for connections.

100628 16:17:28 [Note] Event Scheduler: Loaded 0 events

100628 16:17:28 InnoDB: Started; log sequence number 0 266721272

100628 16:17:28 [Note] Plugin 'FEDERATED' is disabled.

100628 16:17:27 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

100628 16:17:27 mysqld_safe mysqld from pid file /var/lib/mysql/aware-central21.pid ended

100628 16:17:27 [Note] /usr/sbin/mysqld: Shutdown complete

100628 16:17:27 InnoDB: Shutdown completed; log sequence number 0 266721272



show log detector

The show log detector command shows information on the Detector processes. The following is sample output from the CLI screen:

central> detector detectorB

detector:detectorB> show log detector

May 4 16:22:29 detectorB ser: [SystemEventCollector] detector=detectorB time=1209932548.604402 class=4 module=tracker sev=clear corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=Receivingpackets desc=Receivi

gpackets

May 4 16:22:29 detectorB aware: [awared] Receiving Packets

May 4 13:53:28 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923608.604402 class=4 module=tracker sev=maj corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=NoPackets desc=NoPacketsinla

t60seconds

May 4 13:53:28 detectorB aware: [awared] No packets in last 60 seconds

May 4 13:52:31 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923551.604402 class=4 module=tracker sev=clear corrid=606343948 count=1 type=12 refobj=detectorB subobj=19 value=59.996 cond=<60% desc=EventQueueUsag

Normal

May 4 13:52:29 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923549.604402 class=4 module=tracker sev=maj corrid=606343948 count=1 type=12 refobj=detectorB subobj=19 value=75.001 cond=>75% desc=HighOccupancyin

ventQueue

Apr 26 10:10:16 detectorB aware: [awared] Receiving Packets

Apr 26 10:10:16 detectorB ser: [SystemEventCollector] detector=detectorB time=1209219015.747128 class=4 module=tracker sev=clear corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=Receivingpackets desc=Receivi

show log gui

The show log gui command shows all clients connecting to the GUI (that is, user name). For example, when clients shut down, and duplicate client connections. The following is sample output from the CLI screen.

central> show log gui

<15>Jun 29 11:38:20 INFO: [GUIBootstrap] Connection UP to GUI(port):cory(4702)

<15>Jun 29 08:51:58 INFO: [GUIBootstrap] Connection DOWN to GUI(port):omwal(4248)



<13>Jun 29 08:51:58 WARNING: [GUIHandlerThread$WriteToClient] IO Error writing to gui client... terminating with error: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset

<13>Jun 29 08:51:58 WARNING: [GUIHandlerThread$ReadFromClient] IOException: Connection reset

GUI User: omwal

Execution Time: Tue Jun 29 14:51:39 CEST 2010

Operation: Network Forensic Hop Report

Start Time: Tue Jun 29 02:51:24 CEST 2010

End Time: Tue Jun 29 14:51:24 CEST 2010

Hop Start: RNC_520

Start Hop Type: RNC

Hop End: 4024003C1773

End Hop Type: BS

Report Type : Consise

Query Duration : 13016 ms

<15>Jun 29 08:51:41 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client:

GUI User: omwal

Execution Time: Tue Jun 29 14:50:10 CEST 2010


Start Time: Tue Jun 29 02:50:03 CEST 2010

End Time: Tue Jun 29 14:50:03 CEST 2010

Hop Start: RNC_AB

Start Hop Type: RNC

Hop End: 31041057e59eae

End Hop Type: BS

Report Type : Consise

Query Duration : 4391 ms

show log ipmi

The show log ipmi CLI command displays BMC logging information for the 9900 WNG Central. The following is sample output from the CLI screen.

central:sudo# show log ipmi



ipmiutil ver 2.54

showsel: version 2.54


SEL Ver 51 Support 0f, Size = 3938 records (Used=629, Free=3309)

RecId Date/Time_______ Source_ Evt_Type SensNum Evt_detail - Trig [Evt_data]

0004 12/24/09 18:33:01 BMC 10 SEL Disabled #09 Log Cleared 6f [42 0f ff]

0018 12/24/09 18:38:34 BMC 14 Button #84 Power Button pressed 6f [40 0f ff]

002c 12/24/09 18:38:36 BIOS 12 System Event #83 Boot: ClockSync_1 6f [05 00 ff]

0040 12/24/09 18:38:36 BIOS 12 System Event #83 Boot: ClockSync_2 6f [05 80 ff]

0054 12/24/09 18:38:36 BMC 09 Power Unit #01 Power Off 6f [40 0f ff]

0068 02/01/10 21:16:03 BMC 07 Processor #90 Present 6f [47 0f ff]

007c 02/01/10 21:16:03 BMC 07 Processor #91 Present 6f [47 0f ff]

0090 12/24/09 19:39:02 BMC 09 Power Unit #01 AC Lost 6f [44 0f ff]

00a4 02/01/10 21:16:04 BMC 09 Power Unit #01 AC Regained ef [44 0f ff]

00b8 02/01/10 21:16:06 BMC 08 Power Supply #70 Inserted 6f [40 0f ff]

00cc 02/01/10 21:16:10 BMC 14 Button #84 Power Button pressed 6f [40 0f ff]

show log compression

The show log compression CLI command displays information about the hourly and daily summaries. The following is sample output from the CLI screen.

<15>Jun 25 04:56:29 INFO: [DataSummaryGenerator] Now obtaining hourly summary for hour=2010-06-25 00:00

<15>Jun 25 04:52:10 INFO: [DataSummaryGenerator] Now obtaining hourly summary for hour=2010-06-24 23:00

<15>Jun 25 02:34:30 INFO: [DataSummaryGenerator] Running daily summary for: 20100624 with start,endtimes = 1277352000,1277438400

show log motive

The show log motive command shows information about the Motive API. The following is sample output from the CLI screen.

sudo# show log motive



maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0

minimum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0

average durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0

com.alcatel_lucent.aware.motive.MotiveServer instance(2) complete. Statistics: Server Start: Wed Jun 23 10:03:46 EDT 2010, Server End Time: Wed Jun 23 10:38:13 EDT 2010 # of transactions applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriber

Issues=0 deviceInfo=0 maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0


average durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0

com.alcatel_lucent.aware.motive.MotiveServer instance(1) complete. Statistics: Server Start: Wed Jun 23 10:03:46 EDT 2010, Server End Time: Wed Jun 23 10:16:18 EDT 2010 # of transactions applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriber

Issues=0 deviceInfo=0

maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0


show log syslog

The show log syslog command shows all important messages. For example, disk errors. The following is sample output from the CLI screen:

central> show log syslog

Feb 4 04:32:46 central123.company.com syslogd 1.4.1: restart (remote reception).

Feb 4 04:32:45 central123.company.com syslogd 1.4.1: restart (remote reception).

Feb 4 00:01:02 central123.company.com logger: root 26059 2055 0 Feb03 pts/1 Ss 0:00 -bash

Feb 3 18:54:04 central123.company.com init: Re-reading inittab

central>

show log systemEvents

The show log systemEvents command shows all system events that have occurred in the system. The following is sample output from the CLI screen.



central> show log systemEvents

<15>Jun 29 06:49:56 INFO: [SystemEventHandlerThread$EventMessageHandlerThread] WROTE TO DB: detector=1 time=1.277808596644E9 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=Line rate threshold status=active endtime=0.0 value=955.729 referencedObject=aware-detector99 referencedSubObject=Capture Port A condition=A>950Mbits/sec description=PortAcaptureratetoohigh

<15>Jun 29 06:49:56 INFO: [SystemEventBootstrap$SnmpThread] WROTE TO SNMP: detector=1 time=1277808596.644 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=10 refobj=aware-detector99 subobj=66 value=955.729 cond=A>950Mbits/sec desc=PortAcaptureratetoohigh

<15>Jun 29 06:49:56 INFO: [SystemEventHandlerThread] RECEIVED: detector=1 time=1277808596.644 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=10 refobj=aware-detector99 subobj=66 value=955.729 cond=A>950Mbits/sec desc=PortAcaptureratetoohigh

show log webAccess

The show log webAccess command shows all system events that have occurred in the system. The following is sample output from the CLI screen.

Jun 29 11:36:31 [info] user cory launched the GUI client

Jun 29 11:36:20 [info] user cory from 138.120.141.128 logged in

Jun 29 10:30:45 [info] demotaylor: file: alu9900mibs.zip

Jun 29 09:27:09 [info] user demotaylor from 138.120.134.113 logged in

Jun 29 09:17:50 [info] user hbouvier from 135.120.193.183 logged in

Jun 29 09:01:31 [info] user hbouvier from 135.120.193.183 logged in

Jun 29 08:37:14 [info] user omwal launched the GUI client

Jun 29 08:37:08 [info] user omwal from 172.31.149.32 logged in

Jun 29 08:04:05 [info] user vantan from 135.244.112.98 logged in

Jun 29 08:04:05 [info] user vantan session timed out or expired

Jun 29 08:04:05 [info] user democenter session timed out or expired

Jun 29 08:04:05 [info] user fryandi session timed out or expired

Jun 29 08:04:05 [info] user scm session timed out or expired

37.3 Monitoring GUI reports and queries

The system generates messages in the log file of the 9900 WNG Central for the following reports and queries that are initiated on the GUI.

• Subscriber Report• Network Forensic Element Report



• Network Forensic Hop Report• Mobile Flow Query

The logs contain the user name, execution time, operation, query start time, query end time, query key like mobile ID, IP addresses or network element name.

Subscriber Report

The following is an example of the Subscriber Report log file:

<15>Mar 21 14:51:54 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client:

GUI User: jsmith

Execution Time: Sun Mar 21 14:51:53 EDT 2010

Operation: Subscriber Report

Start Time: Sun Mar 21 10:51:00 EDT 2010

End Time: Sun Mar 21 14:51:00 EDT 2010

Mobile ID: [email protected]

Subscriber Report Type: Individual

Network Forensic Element Report

The following is an example of the Network Forensic Element Report log file:


GUI User: jsmith


Operation: Network Forensic Element Report



Network Element: 402400000B83

Element Type: BS

Report Type : Concise

Network Forensic Hop Report

The following is an example of the Network Forensic Hop Report log file:




GUI User: jsmith





Hop Start: rnc043

Start Hop Type: RNC

Hop End: 402400000B83

End Hop Type: BS

Report Type : Non-concise

Mobile Flow Query

The following is an example of the Mobile Flow Query log file:


GUI User: jsmith


Operation: Mobile Flow Query



IP 1: 172.19.43.233

ID 1: none

IP 2: none

ID 2: none

Flow Indicator: IP_1 Orig

37.4 Measuring system performance

Performance measurements allow you to assess system activity to engineer the system capacity and identify system faults.

Table 37-3 lists the CLI commands that are used to measure 9900 WNG performance.



Table 37-3 Performance measurement CLI commands

show stats

The show stats CLI command when performed at the 9900 WNG Central prompt, provides information about the state of the internal memory buffers and other statistics collected by 9900 WNG Central for each 9900 WNG Detector connected to it. For example, the show stats CLI command displays the number of mobile flows, anomalies, and the breakdown of the types of anomalies from the latest update from the Detector.

When the show stats CLI command is performed at the 9900 WNG Detector prompt, it provides similar statistics of the events generated by each 9900 WNG Detector including whether any events are dropped at the 9900 WNG Detector and the timestamp of the last packet seen at the 9900 WNG Detector.

The following output is displayed when you enter the show stats command on the 9900 WNG Central.

Number of Connected EMS Clients: 7 (user1:138.120.134.125,user2:137.244.35.254,user3:134.183.211.144,user4:135.144.119.249,user5:136.222.252.126,user6:138.222.155.111,user7:139.244.145.151)

Number of Connected Detectors: 2

aware-detectorA (192.168.1.3)

Anomaly Channel UP since Jun 14 13:43:47 2010 EDT

Awareness Channel UP since Jun 14 13:43:49 2010 EDT

aware-intel3 (135.112.180.91)

Anomaly Channel UP since Jun 14 13:43:49 2010 EDT

Awareness Channel UP since Jun 14 13:43:49 2010 EDT

Queue Usage at Central:

Anomaly Queue: 0

Periodic Status Queue: 90

Mobile Flow Queue: 9736

CLI command Executed on

show stats 9900 WNG Central and Detector

show memory 9900 WNG Central and Detector

show system 9900 WNG Central and Detector

show backhaul 9900 WNG Central

show compressionStatus 9900 WNG Central

show top 9900 WNG Central



Subscriber Queue: 1412

Syslog queue: 0

Active Topology View

GGSN/HA count: 196

SGSN/FA count: 5593

RNC count: 9079

Base Station count: 16262

Active Hop count: 22673

Events not written to DB

Anomaly: 0

Periodic Status: 0

Mobile Flow: 0

Billing Discrepancy Session: 0

Subscriber Session: 0

Detector:aware-detectorA

Link_Status: Up since Jun 14 13:43:47 2010 EDT

Total Events Received: 25647825

Anomaly Events: 1725

Periodic Status Events: 779182

Subscriber/Connection Events: 3192493

Mobile Flow Events: 21674425

Anomaly Events Last Reported by Detector at Jun 14 15:35:02 2010 EDT

Signaling Attacks: 14

RNC Overloads: 0

Battery Attacks: 8

Vertical Portscans: 0

Horizontal Portscans: 24

Always Active Subscribers: 0

High Usage Subscribers: 56



Subscribers using p2p: 62

Sources of Unwanted traffic: 9

High signaling subscribers: 659

Distributed Battery Attacks: 0

Mobile Flood(Single Source): 0

Distributed Mobile Floods: 0

Router Discovery Anomalies: 0

Number of Active Mobiles: 767660

Detector:aware-intel3

Link_Status: Up since Jun 14 13:43:49 2010 EDT

Total Events Received: 28086957

Anomaly Events: 1191

Periodic Status Events: 1124394

Subscriber/Connection Events: 3529436

Mobile Flow Events: 23431936

Anomaly Events Last Reported by Detector at Jun 14 15:38:29 2010 EDT

Signaling Attacks: 14

RNC Overloads: 0

Battery Attacks: 22

Vertical Portscans: 0

Horizontal Portscans: 23

Always Active Subscribers: 0

High Usage Subscribers: 62

Subscribers using p2p: 76

Sources of Unwanted traffic: 9

High signaling subscribers: 334

Distributed Battery Attacks: 14

Mobile Flood(Single Source): 0

Distributed Mobile Floods: 0

Router Discovery Anomalies: 0



Number of Active Mobiles: 856139

show memory

The show memory CLI command provides a detailed snapshot of memory usage on the 9900 WNG Central or Detector.

The following output is displayed when you enter the show memory command on the 9900 WNG.

MemTotal: 32959952 kB

MemFree: 1576692 kB

Buffers: 155320 kB

Cached: 20200104 kB

SwapCached: 0 kB

Active: 25577028 kB

Inactive: 5294484 kB

HighTotal: 0 kB

HighFree: 0 kB

LowTotal: 32959952 kB

LowFree: 1576692 kB

SwapTotal: 16777208 kB

SwapFree: 16777076 kB

Dirty: 1268 kB

Writeback: 0 kB

AnonPages: 10516320 kB

Mapped: 29220 kB

Slab: 435620 kB

PageTables: 39280 kB

NFS_Unstable: 0 kB

Bounce: 0 kB

CommitLimit: 33257184 kB

Committed_AS: 11707416 kB

Note See the RHEL 5.0 or later manual pages for information about memory statistics.



VmallocTotal: 34359738367 kB

VmallocUsed: 271080 kB

VmallocChunk: 34359466919 kB

HugePages_Total: 0

HugePages_Free: 0

HugePages_Rsvd: 0

Hugepagesize: 2048 kB

central> :

show system

The show system CLI command provides performance measurements for the CPU, disk usage, and memory consumption.

The following output is displayed when you enter the show system command on the 9900 WNG Central.

Uptime: 09:05:46 up 30 days, 7 min, 4 users, load average: 0.18, 0.14, 0.10

CPU Usage:

Cpu(s): 3.0%us, 0.2%sy, 0.0%ni, 96.6%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st

Memory Usage:

MemTotal: 32959952 kB

MemFree: 1531956 kB

Active: 25605692 kB

Inactive: 5309488 kB

Disk Usage:

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/VolGroup00-LogVol00

593G 2.7G 560G 1% /

/dev/sdb1 2.0T 1.5T 465G 76% /awaredb

/dev/mapper/VolGroup00-LogVol01

49G 428M 46G 1% /var



show backhaul

The show backhaul CLI command displays the current and peak management backhaul communication rates between 9900 WNG Detector and Central, which can be used to size the backhaul communication from the 9900 WNG Detector to the 9900 WNG Central.

The following output is displayed when you enter the show backhaul command on the 9900 WNG Central.

eth0: Receive: 14.9 Mbits/sec 1710.9 packets/sec ( 98.4 Mbits/sec peak - 14:41 04/15/10)

eth0: Transmit: 0.5 Mbits/sec 1052.9 packets/sec ( 40.1 Mbits/sec peak - 11:38 06/07/10)

eth1: Receive: 13.5 Mbits/sec 1363.4 packets/sec ( 26.9 Mbits/sec peak - 13:41 06/14/10)

eth1: Transmit: 0.2 Mbits/sec 470.4 packets/sec ( 1.1 Mbits/sec peak - 20:48 06/13/10)

show compressionStatus

The show compressionStatus command displays compression related information.

central:sudo# show compressionStatus

Hourly summary available until 2010-06-24 03:00:00

Number of uncompressed tables 3

Latest dailySummary available for 2010-06-22 00:00:00

show top

The show top command displays information about UNIX utilities:

central:sudo# show top

top - 10:33:03 up 35 days, 20:07, 15 users, load average: 1.20, 1.56, 1.57

Tasks: 226 total, 2 running, 224 sleeping, 0 stopped, 0 zombie

Cpu(s): 14.1%us, 1.3%sy, 0.0%ni, 81.5%id, 2.7%wa, 0.1%hi, 0.3%si, 0.0%st

Mem: 63924972k total, 61092684k used, 2832288k free, 136728k buffers

Swap: 16777208k total, 204k used, 16777004k free, 27523412k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND



17587 root 25 0 155m 130m 888 R 100.8 0.2 0:43.19 myisamchk

9024 root 17 0 10.4g 134m 9072 S 13.8 0.2 2926:12 java

1 root 15 0 10348 712 596 S 0.0 0.0 0:02.65 init

2 root RT -5 0 0 0 S 0.0 0.0 0:00.07 migration/0

3 root 34 19 0 0 0 S 0.0 0.0 0:00.21 ksoftirqd/0

4 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0


6 root 34 19 0 0 0 S 0.0 0.0 1:37.52 ksoftirqd/1



9 root 34 19 0 0 0 S 0.0 0.0 3:15.74 ksoftirqd/2



12 root 34 19 0 0 0 S 0.0 0.0 0:08.73 ksoftirqd/3



15 root 34 19 0 0 0 S 0.0 0.0 0:00.31 ksoftirqd/4



18 root 34 19 0 0 0 S 0.0 0.0 0:01.49 ksoftirqd/5





21 root 34 19 0 0 0 S 0.0 0.0 0:05.45 ksoftirqd/6



24 root 34 19 0 0 0 S 0.0 0.0 0:00.57 ksoftirqd/7


26 root 10 -5 0 0 0 S 0.0 0.0 0:00.07 events/0

27 root 10 -5 0 0 0 S 0.0 0.0 0:00.01 events/1

28 root 10 -5 0 0 0 S 0.0 0.0 0:00.02 events/2

29 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 events/3

30 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 events/4

31 root 10 -5 0 0 0 S 0.0 0.0 0:00.69 events/5

32 root 10 -5 0 0 0 S 0.0 0.0 0:00.02 events/6

33 root 10 -5 0 0 0 S 0.0 0.0 0:00.18 events/7

34 root 10 -5 0 0 0 S 0.0 0.0 0:00.18 khelper

543 root 10 -5 0 0 0 S 0.0 0.0 0:00.61 kthread

554 root 10 -5 0 0 0 S 0.0 0.0 0:00.10 kblockd/0

555 root 10 -5 0 0 0 S 0.0 0.0 0:00.32 kblockd/1

556 root 10 -5 0 0 0 S 0.0 0.0 0:02.19 kblockd/2

557 root 10 -5 0 0 0 S 0.0 0.0 0:00.11 kblockd/3

558 root 10 -5 0 0 0 S 0.0 0.0 0:00.03 kblockd/4



559 root 10 -5 0 0 0 S 0.0 0.0 0:00.44 kblockd/5

560 root 10 -5 0 0 0 S 0.0 0.0 0:02.02 kblockd/6

561 root 10 -5 0 0 0 S 0.0 0.0 0:00.06 kblockd/7

562 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid

708 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/0

709 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/1

710 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/2

711 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/3

712 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/4

713 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/5

714 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/6

715 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/7

718 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 khubd

720 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kseriod

837 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd

840 root 10 -5 0 0 0 S 0.0 0.0 9:33.62 kswapd0

841 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0

842 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 aio/1

843 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 aio/2

844 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 aio/3

845 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 aio/4



846 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 aio/5

847 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 aio/6

848 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 aio/7

1011 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kpsmoused

1090 root 12 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0

1136 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 mpt_poll_0

1137 root 12 -5 0 0 0 S 0.0 0.0 0:00.00 mpt/0

1138 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1

1148 root 13 -5 0 0 0 S 0.0 0.0 0:00.00 ata/0

1149 root 14 -5 0 0 0 S 0.0 0.0 0:00.00 ata/1

1150 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 ata/2

1151 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 ata/3

1152 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 ata/4

1153 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 ata/5

1154 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 ata/6

1155 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 ata/7

1156 root 18 -5 0 0 0 S 0.0 0.0 0:00.00 ata_aux

1175 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_2

1176 root 10 -5 0 0 0 S 0.0 0.0 3:08.16 usb-storage

1178 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_3




1181 root 12 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_4


1184 root 14 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_5


1196 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kstriped

1233 root 12 -5 0 0 0 S 0.0 0.0 0:00.00 ksnapd

1272 root 10 -5 0 0 0 S 0.0 0.0 0:13.09 kjournald

1299 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kauditd

1332 root 12 -4 12764 780 456 S 0.0 0.0 0:00.14 udevd

2054 root 17 0 109m 1808 1388 S 0.0 0.0 0:00.00 su

2055 root 23 0 8700 992 844 S 0.0 0.0 0:00.00 awarecli.sh

2061 root 18 0 36292 3412 1312 S 0.0 0.0 0:00.02 clish

2126 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kedac

2558 root 15 0 98912 3872 2976 S 0.0 0.0 0:03.71 sshd

2562 root 15 0 66184 1704 1212 S 0.0 0.0 0:00.34 bash

2962 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/0

2963 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/1

2964 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/2

2965 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/3

2966 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/4

2967 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/5



2968 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/6

2969 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpathd/7

2970 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kmpath_handlerd

2997 root 10 -5 0 0 0 S 0.0 0.0 3:19.47 kjournald

3003 root 10 -5 0 0 0 S 0.0 0.0 1:44.19 kjournald

3037 root 10 -5 0 0 0 S 0.0 0.0 1:07.01 jbd2/sda3-8

3038 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 ext4-dio-unwrit








3049 root 10 -5 0 0 0 S 0.0 0.0 0:00.01 kjournald

3201 root 15 0 62624 1216 656 S 0.0 0.0 0:00.44 sshd

3475 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/0

3476 root 14 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/1

3477 root 15 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/2

3478 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/3

3479 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/4



3480 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/5

3481 root 16 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/6

3482 root 17 -5 0 0 0 S 0.0 0.0 0:00.00 kondemand/7

3898 root 18 0 10760 372 244 S 0.0 0.0 0:11.94 irqbalance

3912 dbus 15 0 21256 892 676 S 0.0 0.0 0:00.00 dbus-daemon

3948 ntp 15 0 23388 5028 3904 S 0.0 0.0 0:00.36 ntpd

4532 root 15 0 74804 1152 576 S 0.0 0.0 0:00.33 crond

4556 haldaemo 15 0 31260 4292 1564 S 0.0 0.0 0:00.81 hald

4557 root 15 0 21692 1076 868 S 0.0 0.0 0:00.00 hald-runner

4564 haldaemo 25 0 12324 844 724 S 0.0 0.0 0:00.00 hald-addon-acpi

4567 haldaemo 25 0 12324 844 732 S 0.0 0.0 0:00.00 hald-addon-keyb

4580 root 18 0 10228 684 584 S 0.0 0.0 3:12.11 hald-addon-stor





4612 root 18 0 18416 472 268 S 0.0 0.0 0:00.00 smartd

4643 root 18 0 3792 484 412 S 0.0 0.0 0:00.00 mingetty

4644 root 18 0 3792 484 412 S 0.0 0.0 0:00.00 mingetty

4645 root 18 0 3792 484 412 S 0.0 0.0 0:00.00 mingetty

4646 root 20 0 3792 484 412 S 0.0 0.0 0:00.00 mingetty



4648 root 21 0 3792 480 412 S 0.0 0.0 0:00.00 mingetty

4650 root 18 0 3792 480 412 S 0.0 0.0 0:00.00 mingetty

4651 root 17 0 3800 536 464 S 0.0 0.0 0:00.00 agetty

7023 root 15 0 98908 3804 2956 S 0.0 0.0 0:22.07 sshd

7027 root 16 0 66056 1568 1152 S 0.0 0.0 0:00.01 bash

7557 root 15 0 98908 3824 2952 S 0.0 0.0 0:00.31 sshd

7561 root 15 0 66156 1592 1168 S 0.0 0.0 0:00.01 bash

7833 root 17 0 109m 1808 1388 S 0.0 0.0 0:00.00 su


7840 root 18 0 36292 3416 1316 S 0.0 0.0 0:00.02 clish

7976 root 15 0 77448 2004 1268 S 0.0 0.0 0:00.07 mysql

8187 root 16 0 12868 1208 804 S 0.0 0.0 9:56.87 top

8228 root 15 0 98908 3820 2956 S 0.0 0.0 0:00.07 sshd

8232 root 15 0 66056 1568 1148 S 0.0 0.0 0:00.00 bash

8345 root 16 0 66164 1588 1168 S 0.0 0.0 0:00.00 bash

8481 root 15 0 77308 1932 1208 S 0.0 0.0 0:00.00 mysql

8488 root 18 0 9700 1224 996 S 0.0 0.0 0:00.00 run_snmpagent.s

8501 root 21 0 9700 1232 1000 S 0.0 0.0 0:00.00 run_systemEvent

8505 root 18 0 346m 220m 2932 S 0.0 0.4 16:17.24 sysmon

8510 root 17 0 3784 424 360 S 0.0 0.0 0:00.00 logger

8511 root 15 0 391m 224m 2904 S 0.0 0.4 0:42.93 snmpagent



8523 root 16 0 3784 424 360 S 0.0 0.0 0:00.00 logger

8524 root 16 0 888m 152m 8880 S 0.0 0.2 0:08.47 java

8608 root 15 0 98908 3800 2952 S 0.0 0.0 0:00.03 sshd

8612 root 15 0 66156 1572 1156 S 0.0 0.0 0:00.00 bash

8862 root 20 0 9700 1228 1000 S 0.0 0.0 0:00.00 run_central.sh

9023 root 16 0 3784 424 360 S 0.0 0.0 0:00.00 logger

9076 root 15 0 77460 2020 1268 S 0.0 0.0 0:00.10 mysql

9121 root 15 0 98912 3836 2964 S 0.0 0.0 0:01.50 sshd

9125 root 15 0 66192 1612 1160 S 0.0 0.0 0:00.06 bash

9860 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_6



10241 root 15 0 77428 1940 1208 S 0.0 0.0 0:00.00 mysql

11812 tomcat 25 0 2598m 1.7g 13m S 0.0 2.7 4:39.30 java

16630 root 25 0 8704 1100 888 S 0.0 0.0 0:00.00 mysqld_safe

16672 root 15 0 0 0 0 S 0.0 0.0 0:03.00 pdflush

16751 mysql 15 0 25.1g 23g 4.8g S 0.0 37.9 7809:37 mysqld

17302 root 15 0 0 0 0 S 0.0 0.0 0:00.82 pdflush

17352 root 15 0 98928 4376 3460 S 0.0 0.0 0:00.02 sshd


17362 root 18 0 36292 3380 1288 S 0.0 0.0 0:00.04 clish



17540 apache 15 0 245m 6380 1936 S 0.0 0.0 0:00.00 httpd

17541 apache 15 0 245m 6376 1936 S 0.0 0.0 0:00.00 httpd

17561 root 15 0 77432 1940 1212 S 0.0 0.0 0:00.00 mysql

17588 root 18 0 3784 428 364 S 0.0 0.0 0:00.00 logger

17590 root 15 0 8700 944 800 S 0.0 0.0 0:00.00 sh

17591 root 19 0 8700 972 828 S 0.0 0.0 0:00.00 command.sh

17592 root 20 0 9700 1208 976 S 0.0 0.0 0:00.00 paginate.sh

17595 root 15 0 12736 1064 708 R 0.0 0.0 0:00.00 top

17597 root 21 0 3796 392 324 S 0.0 0.0 0:00.00 cat

18903 root 16 0 99688 3848 2976 S 0.0 0.0 0:08.73 sshd

18908 root 15 0 66060 1572 1148 S 0.0 0.0 0:00.01 bash

19601 root 15 0 99820 3820 2952 S 0.0 0.0 0:00.02 sshd

19605 root 16 0 66052 1536 1132 S 0.0 0.0 0:00.00 bash

19622 root 16 0 77448 1992 1264 S 0.0 0.0 0:00.00 mysql

24390 root 18 0 11060 1432 968 S 0.0 0.0 0:00.03 dailySummary.sh

24568 root 15 0 9924 1472 980 S 0.0 0.0 0:00.02 syncConfigs.sh

26483 root 16 0 5908 672 528 S 0.0 0.0 0:00.70 syslogd

26486 root 20 0 3804 432 344 S 0.0 0.0 0:00.00 klogd

26777 root 18 0 245m 8940 4636 S 0.0 0.0 0:00.14 httpd

27530 root 18 0 9700 1228 1000 S 0.0 0.0 0:00.00 run_mobile_flow

27544 root 17 0 3784 424 360 S 0.0 0.0 0:00.00 logger



27545 root 18 0 568m 243m 8744 S 0.0 0.4 0:58.31 java

28010 root 15 0 99688 3812 2952 S 0.0 0.0 0:00.49 sshd

28014 root 15 0 66160 1604 1180 S 0.0 0.0 0:00.05 bash

29647 root 15 0 98912 3828 2972 S 0.0 0.0 0:00.08 sshd

29651 root 15 0 66176 1612 1176 S 0.0 0.0 0:00.03 bash

30393 root 15 0 77440 2008 1280 S 0.0 0.0 0:00.01 mysql

30591 root 17 0 109m 1816 1388 S 0.0 0.0 0:00.00 su


30598 root 18 0 36292 3424 1324 S 0.0 0.0 0:00.05 clish

30657 root 15 0 99820 3816 2952 S 0.0 0.0 0:00.20 sshd

30661 root 15 0 66188 1568 1160 S 0.0 0.0 0:00.01 bash

30863 root 15 0 99688 3828 2972 S 0.0 0.0 0:00.06 sshd

30867 root 16 0 66176 1616 1188 S 0.0 0.0 0:00.06 bash

31105 root 15 0 98928 4376 3460 S 0.0 0.0 0:00.17 sshd


31126 root 18 0 36292 3448 1328 S 0.0 0.0 0:00.05 clish

37.5 Monitoring a remote 9900 WNG Central and Detector using the BMC

The BMC can be used to monitor the 9900 WNG Central and Detector remotely. The BMC can monitor the status of the fan, system temperature, and the power being supplied to the device.

Perform Procedure 37-2 to monitor a 9900 WNG Detector or Central remotely using the BMC.



Procedure 37-2 To monitor a 9900 WNG Detector or Central remotely using the BMC

1 Ensure that the following tasks are complete:

• The BMC interface has been configured as described in Procedure 7-2.• The IPMI management utility has been installed on the machine (Linux or

Windows) from which you access the BMC.

2 Type:

showsel -N nodename -U admin -R password -l count ↵

wherenodename is the nodename or IP address of the BMC LAN interfacepassword is the remote password for the specified nodenamecount is the number of recent events you want to view

In the following example, the showsel command displays the ten most recent events for the remote device with IP address 1.1.1.2 and remote password admin.

showsel -N 1.1.1.2 -U admin -R admin -l 10

0658 09/12/08 11:25:39 BMC 2a Session Audit #0a Deactivated User 2 6f [a1 02 11]

0644 09/12/08 11:25:39 BMC 2a Session Audit #0a Activated User 2 6f [a0 02 01]


061c 09/11/08 13:15:02 BMC 2a Session Audit #0a Deactivated User 2 6f [a1 02 11]


05f4 08/31/08 15:07:56 BMC 09 Power Unit #02 Not Redundant 0b [43 0f ff]

05e0 08/31/08 15:07:56 BMC 09 Power Unit #02 Redundancy Lost 0b [41 0f ff]

05cc 08/31/08 15:07:56 BMC 08 Power Supply #70 AC Lost 6f [43 0f ff]

05b8 08/25/08 13:01:11 BMC 2a Session Audit #0a Deactivated User 2 6f [a1 02 11]

05a4 08/25/08 12:19:46 BMC 2a Session Audit #0a Deactivated User 2 6f [a1 02 11



Displaying the health status of the 9900 WNG Detector or Central

Perform Procedure 37-3 to display the health status of the 9900 WNG Detector or Central remotely using the BMC.

Procedure 37-3 To display the health status of the 9900 WNG Detector or Central

1 Log in to one of the following:

a 9900 WNG Central, as described in Procedure 14-1 or 14-2.

b 9900 WNG Detector, as described in Procedure 14-3.

2 Display the status of the 9900 WNG Central or Detector by typing:

bmchealth -N nodename -U admin -R password ↵

wherenodename is the nodename or IP address of the BMC LAN interfacepassword is the remote password for the specified nodename

In the following example, the bmchealth command is used to display the health status of the remote device with IP address 1.1.1.2 and remote password admin.

bmchealth -N 1.1.1.2 -U admin -R admin

bmchealth ver 1.9

Opening connection to node 1.1.1.2 ...

BMC version 0.62, IPMI version 2.0

BMC manufacturer = 000157 (Intel), product = 0028 (S5000PAL)

Power State = 00 (S0: working)

Selftest status = 0055 (OK)

Channel 1 Auth Types: MD5 Straight_Passwd

Status = 04, OEM ID 000000 OEM Aux 00

bmchealth: completed successfully

Displaying the sensor status of the 9900 WNG Central or Detector

Perform Procedure 37-4 to display the sensor status of the 9900 WNG Central or Detector remotely using the BMC.



Procedure 37-4 To display the sensor status of the 9900 WNG Central or Detector

1 Log in to one of the following:

a 9900 WNG Central, as described in Procedure 14-1 or 14-2.

b 9900 WNG Detector, , as described in Procedure 14-3.

2 View the sensor status of the 9900 WNG Central or Detector by typing:

sensor -N nodename -U admin -R password

wherenodename is the nodename or IP address of the BMC LAN interfacepassword is the remote password for the specified nodename

In the following example, the sensor command is used to display the sensor status of the remote device with IP address 1.1.1.2 and remote password admin.

sensor -N 1.1.1.2 -U admin -R admin

sensor: version 1.53

Opening connection to node 135.112.180.71 ...


_ID_ SDR_Type_xx Sz Own Typ S_Num Sens_Description Hex & Interp Reading

0001 SDR Full 01 37 20 a 02 snum 10 BB +1.1V Vtt = ae OK 1.10 Volts

0002 SDR Full 01 37 20 a 02 snum 12 BB +1.5V AUX = bd OK 1.47 Volts

0003 SDR Full 01 33 20 a 02 snum 13 BB +1.5V = 72 OK 1.48 Volts

0004 SDR Full 01 33 20 a 02 snum 14 BB +1.8V = af OK 1.79 Volts

0005 SDR Full 01 33 20 a 02 snum 15 BB +3.3V = c4 OK 3.37 Volts

0006 SDR Full 01 37 20 a 02 snum 16 BB +3.3V STB = c5 OK 3.39 Volts

0007 SDR Full 01 37 20 a 02 snum 17 BB +1.5V ESB = c0 OK 1.50 Volts

0008 SDR Full 01 31 20 a 02 snum 18 BB +5V = c1 OK 5.02 Volts

0009 SDR Full 01 36 20 a 02 snum 1a BB +12V AUX = bf OK 11.84 Volts

000a SDR Full 01 33 20 a 02 snum 1b BB +0.9V = be OK 0.91 Volts



000b SDR Full 01 39 20 a 01 snum 30 Baseboard Temp = 21 OK 33.00 degrees C

000c SDR Full 01 3b 20 a 01 snum 32 Front Panel Temp = 1e OK 30.00 degrees C

000d SDR Full 01 3b 20 a 01 snum 48 Mem Therm Margin = 00 OK 0.00 degrees C

000e SDR Full 01 30 20 m 04 snum 50 Fan 1 = 90 OK 4896.00 RPM

000f SDR Full 01 30 20 m 04 snum 51 Fan 2 = 8e OK 4828.00 RPM

0010 SDR Full 01 31 20 m 04 snum 52 Fan 3A = 87 OK 9315.00 RPM

0011 SDR Full 01 31 20 m 04 snum 53 Fan 4A = 86 OK 9246.00 RPM

0012 SDR Full 01 31 20 m 04 snum 58 Fan 3B = 95 OK 7599.00 RPM




38 System events

38.1 System events overview 38-2

38.2 License Violation system event 38-2

38.3 Link Down system event 38-3

38.4 Process Down system event 38-3

38.5 Process Start system event 38-4

38.6 CPU Usage system event 38-4

38.7 Disk Usage system event 38-4

38.8 Memory Usage system event 38-5

38.9 No Packet system event 38-6

38.10 Packet Drop system event 38-6

38.11 Line rate threshold system event 38-6

38.12 Queue Usage system event 38-7

38.13 Hardware Failure system event 38-8

38.14 Swap Usage system event 38-8

38 System events


38.1 System events overview

A 9900 WNG Central or Detector can generate system event notifications. System events that are generated on the 9900 WNG Detector are sent to the 9900 WNG Central, stored in the database, and displayed on the client GUI.

Generated system events are also stored in a log file on the 9900 WNG Central. Most system events are also reported as SNMP traps. See chapter 19 for more information about SNMP.

The following system resources are monitored:

• CPU Utilization• memory utilization• disk utilization—triggers database cleanup, if required• swap space utilization• external disk array• processes—Process Down events for daemon processes are generated if a process

is not running or stalled

Viewing system events

You can view system events using the GUI. The System View on the 9900 WNG Central GUI displays the system events that have occurred on the 9900 WNG system. You can view the most recent events from the Systems Events view or display past events based on specific criteria in the System History view. See chapter 26 for more information about viewing system events in the GUI.

System Event typesSee the following sections for information about each type of system event:

38.2 License Violation system event

A license violation event is reported when one of the following conditions occurs:

• The maximum number of sessions is exceeded• The license has expired • The license file is invalid (no license, license validity check failed, invalid hostid)

This event is reported on the 9900 WNG Central device.

• License Violation system event• Link Down system event• Process Down system event• Process Start system event• CPU Usage system event• Disk Usage system event• Memory Usage system event

• No Packet system event• Packet Drop system event• Line rate threshold system event• Queue Usage system event• Hardware Failure system event• Swap Usage system event

38 System events


A license violation event can be cleared by obtaining a new license with the required capacity or obtaining license with an extended date

See chapter 6 for more information about the license.

38.3 Link Down system event

Link Down system events are generated when key communication channels cannot be established. They are detected when a communication end point tries to read or write from the channel. The Link Down event is automatically cleared when the channel communication is reestablished.

The system monitors the following types of communication channels:

• AnomalyChannel (reported by the 9900 WNG Central and Detector)• AwarenessChannel (reported by the 9900 WNG Central and Detector)• SystemEventChannel (reported by the 9900 WNG Central)• SNMPChannel (reported by the 9900 WNG Central) • SysMonToSECChannel (reported by the 9900 WNG Central and Detector) • CentralToSECChannel (reported by the 9900 WNG Central)

Clearing a Link Down eventYou can use one of the following strategies to clear a Link Down system event:

• When a Link Down event is generated for the anomaly or awareness channels, both the 9900 WNG Detector and 9900 WNG Central report the event. You can use the log in 9900 WNG Central to investigate the cause of the event. For information about log files in 9900 WNG Central, see the chapter, Monitoring the 9900 WNG system.

• A Link Down event can be generated because of a physical link or router problem. If this is the suspected cause, investigate the physical link or the condition of the router. Ping the 9900 WNG Detector from the CLI to verify connectivity.

• A Link Down event can be generated because of a Process Down condition. For related information, see section 38.4. You can restart the process to clear the event.

• A Link Down event can indicate an issue with keys used for SSH communication. If this is the suspected cause, backup the detector configuration, delete the detector administratively, and then add it back.

38.4 Process Down system event

Process Down events are generated by the 9900 WNG Detector and Central to indicate that a process has stopped.

Separate Process Down events are generated for the 9900 WNG Detector Central. The objectID field indicates the server on which the condition was detected. The value can be Central or the object ID of the 9900 WNG Detector.

38 System events


For a 9900 WNG Central, the SubobjectID can be one of the following:

• CentralD—the central service/process on the 9900 WNG Central• SNMP—the SNMP service/process on the 9900 WNG Central• System Monitor—the system monitor service/process on the 9900 WNG Central• MySQL—the MySQL service/process on the 9900 WNG Central• Tomcat— the Tomcat service/process on the 9900 WNG Central• Compression—the compression service/process on the 9900 WNG Central• NTP daemon—the NTP daemon on the 9900 WNG Central

For a 9900 WNG Detector, the SubobjectID can be one of the following:

• AwareD—the detector service/process on a 9900 WNG Detector• System Monitor—the system monitor service/process on a 9900 WNG Detector• System Event Reporter—the system event reporter service/process on a

9900 WNG Detector • NTP daemon—the NTP daemon on the 9900 WNG Detector

The event is cleared when the process restarts.

38.5 Process Start system event

Process Start events are generated by 9900 WNG Detector and Central daemons to indicate that a key daemon has restarted. This event is reported with a severity “Info” and does not clear automatically.

38.6 CPU Usage system event

A CPU usage event is generated when the CPU usage at WNG Central or a WNG Detector exceeds the threshold value. The 9900 WNG Detector and 9900 WNG Central devices report separate CPU usage events. This event is critical.

A Critical event is generated when CPU usage is greater than or equal to 90% of capacity. The event is automatically cleared when usage is less than or equal to 80%.

38.7 Disk Usage system event

Table 38-1 lists when a critical Disk Usage event is generated.

Note A 9900 WNG Detector can run with very high CPU consumption numbers.

38 System events


Table 38-1 Disk Usage system event

Disk usage is verified every 3 min. The objectID field indicates the machine on which the condition was detected. The SubobjectID specifies the disk partition.

For the 9900 WNG Central, the SubobjectID can be one of the following partitions:

• root partition• /tmp partition• /var partition• /awaredb partition (for the database)• /awaredb-ext (external disk array)• /awared partition• /dev/shm partition

For a 9900 WNG Detector device, the SubobjectID can be one of the following partitions:

• root partition• /tmp partition• /var partition• /aware partition

Exceptions for the 9900 WNG Central root partition

The root partition on the 9900 WNG Central machine hosts the reports (those you can see from the 9900 WNG webpage). Reports are not deleted automatically. When you see a Disk Usage High system event for the root partition, see section 39.2 to backup your reports to an external storage device such a USB stick or SCP to another machine. Then, delete old reports as necessary to free up disk space.

For all the other partitions, if a Disk Usage High event persists for a long time, contact your Alcatel-Lucent technical support representative to investigate and rectify the problem.

38.8 Memory Usage system event

A separate Memory Usage event is generated for the 9900 WNG Central and each Detector. Memory usage is checked every 60 s. The objectID field reports the device on which the condition was detected. Table 38-2 lists when a Memory usage system event is generated and cleared.

Device Generated Cleared

9900 WNG Central9900 WNG Detector

≥ 90% ≤ 80%

External disk array ≥ 95% ≤ 90%

38 System events


Table 38-2 Memory usage system event

38.9 No Packet system event

A No Packet event is generated when no packets are received at the Packet Capture Card ports during a 60-s interval. This event indicates a possible issue with the packet capture card connections or tapping point.

When this event is reported, verify the following;

• The packet capture cards are properly connected• The tapping points are properly installed.

If the packet capture cards are properly connected and the tapping points are properly installed, contact your Alcatel-Lucent technical support representative.

38.10 Packet Drop system event

Packet Drop event is generated when 1000 packets are lost in a 5-minute interval. A Packet Drop event indicates that packets are being dropped from the packet capture card interface and are not being processed. The ObjectID field indicates the 9900 WNG Detector device on where this condition was detected.

This event indicates that the 9900 WNG Detector processing cannot keep up with incoming rate of packets. If traffic is too high for a single Detector, the system might need an additional 9900 WNG Detector.

For information about how to clear this event, contact your Alcatel-Lucent technical support representative.

38.11 Line rate threshold system event

Table 38-3 describes when the Line rate threshold system event is generated and cleared.

Device Generated Cleared

9900 WNG Central ≥ 97% ≤ 92%

9900 WNG Detector ≥ 98% ≤ 93%

38 System events


Table 38-3 Line rate threshold system event

The objectId field reports whether the detected problem was for the 9900 WNG Central or Detector (central or detector). The subobjectId can be one of the following:

38.12 Queue Usage system event

A Queue Usage event is generated when any of the queue or pool usage reaches 75% of thresholds. This event is applicable only on 9900 WNG Detectors.

The reported value for the SubObject IDs field can be one of the following values:

Generated Cleared

When the traffic feed input is greater than or equal to:• 950 Mbits/s for the 1G card• 3900 Mbits/sec for the 10G card

The event indicates that there is a high probability that packets are being dropped.

When the traffic feed input rate drops less than or equal to:• 900 Mbits/s for the 1G card• 3750 Mbits/s for the 10G card

When the transmitting rate for the 9900 WNG Detector is greater than or equal to 30 MBits/s or receiving rate for the 9900 WNG Central is greater than or equal to 40 Mbits/s

When the transmitting rate for the 9900 WNG Detector and the receiving rate for the 9900 WNG Central is equal to or less than 15 Mbits/s

• PortA• PortB• PortC

• PortD• BACKHAULRCV• BACKHAULXMIT

• MIP Memory Pool• Signaling Attack Pool• Detector Traffic Update Pool• RNC Overload Pool• Battery Attack Pool• Vertical Portscan Pool• Horizontal Portscan Pool• Always Active Subscriber Pool• High Usage Subscriber Pool• Unwanted Source Pool• P2P Mobile • RNC Load Status Pool• PDSN Traffic Update Pool• HA Traffic Update Pool• Radius Session Update Pool

• MIP Session Update Pool• Connection Record Pool• Mobile Flow Record Pool• Anomaly Queue• Awareness Queue• SystemEvent Queue• Syslog Queue• Battery Attack Distributed Pool• Flood Mobile Single Pool• Flood Mobile Distributed Pool• High Signaling Abuse Pool• Router Discovery Abuse Pool• All Session Update Pool• UMTS Session Update Pool

38 System events


Queue usage events are cleared when the usage goes below factory configured thresholds. For the 9900 WNG Detector, it is cleared automatically when the pool usage is less than or equal to 60% of the capacity.

• When the reported SubObject ID is ANOMALYQ, AWARENESSQ, or SYSTEMEVENTQ, check if the 9900 WNG Central is overloaded.

• Use the show eventrate anomalyEvents CLI command for controlling the event rate of anomaly events.

• Use the show eventrate awarenessEvents CLI command for controlling the event rate of awareness events.

• If the pools are in high usage, contact your Alcatel-Lucent technical support representative to determine if pool sizes can be increased, within memory constraints.

38.13 Hardware Failure system event

The critical Hardware Failure system event is generated for the 9900 WNG Central when there is a failure in external disk array. The system event indicates that a disk should be replaced. The sub-object instance value for this event is EXTARRAY.

38.14 Swap Usage system event

A Swap Usage event generated when the swap utilization is greater than or equal to 50%. The event is cleared when the swap utilization is less than or equal to 10%.


Database administration

39 Backup and restore 39-1



39 Backup and restore

39.1 Backup and restore overview 39-2

39.2 Backing up 9900 WNG Central files 39-4

39.3 Restoring 9900 WNG Central files 39-5

39.4 Backing up 9900 WNG Detector files 39-7

39.5 Restoring 9900 WNG Detector files 39-7



39.1 Backup and restore overview

You can backup and restore the database for a 9900 WNG system using CLI commands. There are two types of backups, and the type of backup performed depends on the category of files you need to back up. The types of backups are:

• archive backups, which erase the original files that are being backed up after they have been successfully stored in an archive

• system backups, which store system files but the original files are not erased

Table 39-1 describes the categories of files that you can back up and the type of backup that is performed for each category.

Table 39-1 Backup file types

Note(1) You can perform an incremental backup of report data, which archives information from the

reports database that has changed since the last backup was performed. See Procedure 39-1 for more information.

Recommended frequency of full database backupsSystem Administrators should perform regular backups to prevent loss of data. Loss of data can be caused by the following:

• system failures• accidental file removal• malicious user activity• hardware failures; see section 38.13 for information about Hardware Failure

system events• errors during installation of system upgrades or updates

File type Description Backup type

9900 WNG Central files

All All 9900 WNG Central files. The backup includes configuration, system, license, log, report, and security files.

System

Configuration 9900 WNG Central configuration files and stored 9900 WNG Detector backup files

System

License 9900 WNG Central license files. See chapter 6 for more information about license files.

System

Log 9900 WNG Central activity log files Archive

Report (1) 9900 WNG Central raw data files that are used to create reports Archive

Security 9900 WNG Central security records, user data, and passwords System

System 9900 WNG Central system database files System

9900 WNG Detector files

Detector All 9900 WNG Detector files. 9900 WNG Detector backup files are stored on the 9900 WNG Central.

System



Alcatel-Lucent recommends that you perform full database backups as part of regular maintenance. To preserve your data, full backups should be performed before the following tasks:

• applying software updates• generic retrofits

Restoring backup data

You can use the restore command to restore backup data. The 9900 WNG restoration process can copy backup files to the original location, or to a location that you specify. The restore files overwrite the existing files. See section 39.3 for information about restoring 9900 WNG Central files. See section 39.5 for information about restoring 9900 WNG Detector files.

Location of backup and restore filesBackup and restore tasks are performed using the CLI. Backup files are saved to a USB drive or a specified SCP location, except for 9900 WNG Detector backups; the 9900 WNG Detector backup data is stored on the 9900 WNG Central server, but a *.tar.gz file is not created. When you use SCP, you may be prompted for a password before you can use the target directory. When you use USB, you are prompted to eject the USB drive when the backup is complete.

Accessing SCP locationsWhen you backup to, or restore from, a remote location accessed using SCP, you may be prompted for a password. You can eliminate the need to enter a password each time you access the SCP location by registering your public key with the remote system. Depending on the configuration of the remote location, you may be able to add the public key of your 9900 WNG Central CLI login account to the list of authorized keys at the remote location.

You can view the public key for your account by using the show publickey command. See section 12.3 for more information about using the show publickey command.

Backup filename formatBackup filenames have the following format:

timestamp-backup type.tar.gz

where

timestamp is in MMDDYYhhmm format

backup type is the type of backup. The backup types are:

• config• security• license• db

• logs• reports• all



39.2 Backing up 9900 WNG Central files

You can back up files on the 9900 WNG Central to a USB device or a location specified using SCP, such as an external disk array. You can also perform an incremental backup of the reports database.

Procedure 39-1 describes how to perform a backup of 9900 WNG Central files.

Procedure 39-1 To back up 9900 WNG Central files


2 Perform a backup by typing:

backup file_type location_type location ↵

where file_type is the type of file you need to back up; Table 39-2 describes the file type command optionslocation_type is USB or SCPlocation is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.

Table 39-2 Backup command file type options

A backup file is created in the specified location.

Note The first time you perform a backup on a 9900 WNG Central, you are prompted to accept an RSA key for the device. Accept the key to continue the backup procedure.

Option Files affected

all 9900 WNG Central configuration, system, license, log, report, and security files

config Configuration files

db System database files

license License files

logs Log files

reports Raw data files that are used to create reports

security Security files



Incremental backups of the reports databaseYou can perform an incremental backup of the reports database, which backs up the changes made to the reports database since the last time you performed a backup. You cannot perform an incremental backup unless a backup has been performed in the last 30 days. Procedure 39-2 describes how to perform an incremental backup.

Procedure 39-2 To perform an incremental backup of the reports database


2 Perform an incremental backup by typing:

backup incremental location_type location ↵

where location_type is USB or SCPlocation is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.

39.3 Restoring 9900 WNG Central files

You can restore 9900 WNG Central files from a backup archive on a USB device or at an SCP location, and restore a reports database that has been backed up in increments.

Procedure 39-3 describes how to restore files.

Procedure 39-3 To restore 9900 WNG Central files


2 Restore the files from a backup archive by typing:

restore file_type location_type location ↵

where file_type is the type of file you need to restore; Table 39-3 describes the file type command optionslocation_type is USB or SCPlocation is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.

Caution Restoring system database files causes the 9900 WNG Central device to restart automatically.



Table 39-3 Restore command file type options

Note(1) When you restore files of this type, the 9900 WNG Central device restarts.

The files in the specified backup file are restored.

Incrementally restoring report database filesYou can restore report database files that have been backed up in increments. You must first restore the full reports database backup, and then restore the increments, beginning with the oldest increment. Procedure 39-4 describes how to restore reports database increments.

Procedure 39-4 To restore reports database increments


2 Restore the primary reports database backup by typing:

restore reports location_type location ↵

wherelocation_type is USB or SCPlocation is the filename or SCP location of the backup file

3 Restore the first, oldest backup increment by typing:

restore reports location_type location ↵

wherelocation_type is USB or SCPlocation is the filename or SCP location of the incremental backup file

4 Repeat step 3 for each increment, from the oldest file to the newest. The report files are restored.

Option Files affected

all (1) 9900 WNG Central configuration, system, license, log, report, and security files

config Configuration files

db (1) System database files

license License files

logs Log files

reports Raw data files that are used to create reports

security Security files



39.4 Backing up 9900 WNG Detector files

You can back up the files on a 9900 WNG Detector to the 9900 WNG Central. The backup files are stored on the 9900 WNG Central. Perform Procedure 39-5 to backup a 9900 WNG Detector.

Procedure 39-5 To backup a 9900 WNG Detector


2 Type:

backup detector detector-id ↵

where detector-id is the name of the 9900 WNG Detector for the backup

39.5 Restoring 9900 WNG Detector files

You can restore the files on a 9900 WNG Detector from the 9900 WNG Central. Procedure 39-6 describes how to restore a 9900 WNG Detector.

Procedure 39-6 To restore a 9900 WNG Detector


2 Restore a 9900 WNG Detector by typing:

restore detector detector-id ↵

where detector-id is the name of the 9900 WNG detector to restore

The backed up files are restored on the specified 9900 WNG Detector.

Caution Restoring a 9900 WNG Detector restarts the device automatically.



Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 GL-1July 2010 3HE 06049 AAAA TQZZA

Glossary

Numerics

1xRTT One times the number of 1.25 MHz channels for wireless radio transmission technology that is used in CDMA cellular networks.

2.5G See GPRS.

2G second generation

Second generation of wireless telephone technology.

3G third generation

Third generation of mobile standards and technology.

3GPP 3rd Generation Partnership Project

The joint standardization partnership responsible for standardizing UMTS, HSPA, and LTE.

4G fourth generation

Fourth generation of mobile standards and technology.

9900 WNG 9900 Wireless Network Guardian

The 9900 WNG is a GUI-based system that is designed to manage data flows, and monitor network activities and demands for network resources.

9900 WNG Central 9900 Wireless Network Guardian Central

The component of the 9900 WNG that is deployed in a network or security operations centre.

Glossary

GL-2 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

9900 WNG Detector 9900 Wireless Network Guardian Detector

A NEBS-3 and ETSI certified product that is suitable for many applications in the Telecom Central Office and industrial environment.

A

A11 interface The A11 interface is used to carry signaling information between the PDSN and the PCF.

AAA authentication, authorization, and accounting

The functions of security-based protocols, such as RADIUS, to provide secure communications.

AC alternating current

AC refers to the 120 V electricity delivered by the local power utility to the 3-pin power outlet in a wall. The polarity of the current alternates between positive and negative, 60 times each second.

See also DC.

ano anomaly

ANSI American National Standards Institute

Nonprofit, nongovernmental body supported by over 1000 trade organizations, professional societies, and companies; ANSI was established for the creation of voluntary industry standards.

ARIN American Registry for Internet Numbers

ARIN manages the distribution of Internet number resources, such as IPv4 and IPv6 addresses.

AWG American Wire Gauge

U.S. standard set of conductor sizes for copper electrical wiring and telephone wiring, where gauge refers to the diameter of the wire. Telephone wire is usually 22, 24, or 26. The higher the gauge wire, the smaller the diameter and the thinner the wire.

B

BMC baseboard management controller

A BMC is a specialized microcontroller that is on the motherboard of a computer, usually a server. The BMC manages the interface between the system management software and the platform hardware.

BTS base transceiver station

Glossary


C

Cat5e category 5 cable enhanced

Cat5e has 100 Ω impedance and electrical characteristics that support transmissions up to 100 MHz. Cat5e was designed for high-speed GigE.

CBN common bonding network

CDMA code-division multiple access

CDMA refers to 2G and 3G wireless communications. CDMA is a type of multiplexing that allows many signals to occupy a transmission channel. The transmission channel optimizes the available bandwidth. CDMA is used in UHF cellular telephone systems that have 800-MHz and 1.9-GHz bands.

CLEI Common Language Equipment Identification

CLI command line interface

A workstation access method interface that uses CLI commands to communicate with any NE in the network

CRU customer replaceable units

CRUs are components that can be removed and replaced by service provider personnel without technical assistance or special training from Alcatel-Lucent.

CSA Canadian Standards Organization

The CSA is the nonprofit Canadian agency that certifies electrical and electronic products that conform to Canadian national safety standards.

D

DC direct current

DC is an electric current that flows in one direction only.

See also AC.

DoS denial of service

A type of attack on a network that involves flooding the network with dummy data packets to render the network incapable of transmitting legitimate traffic.

E

EIA Electronic Industries Association

A group that specifies electrical transmission standards. For EIA-spaced equipment racks, 1 RU equals 1.75 in. (4.45 cm).

Glossary


EMS element management system

An application that manages one or more NEs.

ESD electrostatic discharge

ETSI European Telecommunications Standards Institute

Established to produce telecommunication standards integration in the European community for users, manufacturers, suppliers, and Post Telephone and Telegraph administration.

See also ANSI.

EV-DO rev 0 EV-DO rev 0 provides access to mobile devices with forward link air interface speeds of up to 2.4 Mb/s.

EV-DO rev A EV-DO rev A is a 3G CDMA technology that is an upgrade of EV-DO. Rev A has faster downlink speeds than EV-DO Rev 0, at 3.1 Mb/s, and faster uplink speeds of 1.8 Mb/s.

F

FCAPS FCAPS is the acronym for a broad categorization of network and service management activities that includes:

• fault management• configuration management• accounting/administration management• performance management• security management

FIPS federal information processing standards

A set of standards issued by the U.S. National Institute of Standards and Technology.

FTP File Transfer Protocol

FTP is the Internet standard client-server protocol to transfer files from one computer to another computer. FTP generally runs over TCP or UDP.

G

GGSN Gateway GPRS Service Node

GGSN provides network access to external hosts that need to communicate with mobile subscribers. GGSN is the gateway between the GPRS wireless data network and other external PDNs such as radio networks, IP networks, or private networks.

Glossary


GigE Gigabit Ethernet

An Ethernet interface with a peak data rate of 1000 Mb/s.

GPRS General Packet Radio Service

A mobile data service extension to the GSM system. Also called 2.5G.

GSM Global System of Mobile communications

GSM is a type of 2G network.

GTP-C GTP-Control plane

This protocol tunnels signalling messages between:

• SGN and MME over the S3 interface• SGSN and SGW over the S4 interface• SGW and PGW over the S5/S8 interface• MMEs over the S10 interface

GTP-U GTP-User plane

This protocol tunnels user data between the Node B and the S-GW, as well as between the S-GW and the P-GW in the backbone network. GTP encapsulates all end-user IP packets.

H

HA home agent

HDD hard disk drive

HSPA high-speed packet access

HTTPS HTTPS is HTTP over SSL, which uses a public and private key encryption system, including the use of a digital certificate for secure transfer of web messages.

I

I Internet

I2M Internet to mobile

IEC International Electrotechnical Commission

IEEE Institute of Electrical and Electronics Engineers

The IEEE is a worldwide engineering publishing and standards-making body. It is the organization responsible for defining many of the standards used in the computer, electrical, and electronics industries.

Glossary


IPMI intelligent platform management interface

IPMI is a standard, which defines a set of common interfaces for a computer system that system administrators can use to monitor the health of the system and manage the system. IPMI operates independently of the operating system and therefore allows system administrators to remotely manage a system remotely. The system can be managed if there is no operating system or system management software, or if the monitored system is powered off, but connected to a power source.

IPv4 Internet protocol version 4

The version of IP in use since the 1970s. IPv4 addresses are 32 bits. IPv4 headers vary in length and are at least 20 bytes.

IPv6 Internet protocol version 6

The version of IP that succeeds IPv4. IPv6 addresses are 128 bits. IPv6 headers are 40 bytes.

J

JRE Java Runtime Environment

K

Keps nut A Keps nut is a nut that has an attached, free-spinning washer.

KPI key performance indicator

L

LMT local management terminal

An LMT has all of the required functions to locally operate an HMS-based NE.

LOM lights-out management

LOM is IPMI implemented by Apple.

LTE Long Term Evolution

LTE is a standard for wireless mobile broadband networks. LTE networks can offer higher data throughput to mobile terminals than other technologies. LTE is the accepted evolution path for GSM, WCDMA, and CDMA networks. LTE is developed and maintained by the 3GPP standards body.

M

M mobile

Glossary


M2I mobile to Internet

M2M mobile to mobile

MD5 message digest 5

MD5 is a security algorithm that takes an input message of arbitrary length and produces as an output a 128-bit message digest of the input. MD5 is intended for digital signature applications, where a large file must be compressed securely before being encrypted.

MIB management information base

A formal description of a set of network objects that can be managed using SNMP.

MIP mobile IP

MME mobility management entity

MMF multimode fiber

N

NAI network access identifier

An NAI is the subscriber identity in a 3GPP2 CDMA network.

NE NE can be expanded two ways:

1 network element

A physical device, such as a router, switch, or bridge, that participates in a network.

2 network

An access level for the GUI role.

NEBS Network Equipment Building Standards

The requirement for equipment deployed in a central office environment. Covers spatial, hardware, craftsperson interface, thermal, fire resistance, handling and transportation, earthquake and vibration, airborne contaminants, grounding, acoustical noise, illumination, electromagnetic compatibility, and electrostatic discharge requirements.

NEBS-3 Network Equipment Building Standards level 3

NEBS-3 is a Bellcore standard that has specifications for fire suppression, thermal margin testing, vibration resistance (earthquakes), airflow patterns, acoustic limits, failover and partial operational requirements (such as chassis fan failures), failure severity levels, RF emissions and tolerances, and testing/certification requirements.

Glossary


NFPA National Fire Protection Association

A nonprofit organization that develops and publishes codes and standards to reduce the risk of fires.

NIC network interface card

NMS network management system

An NMS is a system that manages at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer such as an engineering workstation that communicates with agents to help keep track of network statistics and resources.

NOC network operations center

O

OID Object Identifier

Each object in the MIB has an OID value. The management station uses the OID to request the object value from the SNMP agent. An OID is a sequence of integers that uniquely identifies a managed object. The OID defines a path to the object through an OID tree or registration tree.

OS operating system

P

PCF Packet Control Function

PDSN public data switched network

PGW packet data network gateway

PTS pseudo terminal

R

RADIUS remote authentication dial-in user service

An AAA protocol for applications that allows remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share. An organization can set up a policy that can be applied at a single administered network point.

RNC radio network controller

An RNC controls radio resource management in the radio access networks of UMTSs

Glossary


ROI return on investment

RPM Red Hat Linux Package Manager

RPM is a core component of the Red Hat Enterprise Linux Operating System.

RSA Rivest, Shamir, and Adleman algorithm

An-FIPS approved algorithm to generate and verify digital signatures.

RTSP real time streaming protocol

RTSP is used to control streaming media servers by establishing and controlling media sessions between endpoints.

RTT Round-Trip Time

The time required for a packet to travel from a source computer to a remote computer or system and back.

S

SAI Service Area Interface

An outdoor telecommunications cabinet in which twisted pair wires connect with feeder cables for routing to a central office or remote switch.

SAS Serial Attached SCSI

SCP secure copy protocol

A method of securely transferring files between hosts, based on the SSH protocol.

SCSI small computer system interface

An SCSI is a set of standards, that specify the commands, protocols, and electrical an optical interfaces, to physically connect and transfer data between computers and peripheral devices.

SEMS Sealed Expansion Module Shelf

SFP Small Form Factor Pluggable

SGSN Serving GPRS Service Node

SGW serving gateway

SNMP simple network management protocol

A protocol used for the transport of network management information between a network manager and an NE. SNMP is the most commonly used standard for most interworking devices.

Glossary


SSH secure shell

The SSH protocol is used to support secure remote login. SSH runs over TCP, authenticating and then encrypting a session. SSH is a secure alternative to Telnet but can also be used for FTP, SNMP, and remote execution of programs.

SSL secure socket layer

A protocol that provides endpoint authentication and communications privacy over the Internet using cryptography. The SSL is layered beneath application protocols such as HTTP, Telnet, and FTP, and is layered above TCP. The SSL can add security to any protocol that uses TCP.

subs subscriber

sudo superuser do

The account in the CLI that has the highest level of privileges.

T

TCP transmission control protocol

A transport layer protocol that is used to establish connections and send data between computers over the Internet. TCP runs on top of IP.

Telnet The Internet-standard TCP/IP for remote login service. Telnet allows a user at one site to interact with a remote system at another site.

TIA Telecommunications Industry Association

U

UDP User Datagram Protocol

A minimal transport protocol above the IP network layer that does not guarantee datagram delivery. UDP is for applications that do not require the level of service that TCP provides or need to use communications services, such as multicast or broadcast delivery, which are not available in TCP.

UHF ultra-high frequency

UMTS Universal Mobile Telecommunications System

UMTS is the technology for 3G mobile services. In addition to voice and video telephony services, UMTS supports data transfer rates up to 144 kb/s in a rural environment and 2 Mb/s in an indoor environment.

Glossary


UNI user-network interface

UNI is an interface point between ATM end users and a private ATM switch, or between a private ATM switch and the public carrier ATM network. UNI is defined by physical and protocol specifications per ATM Forum UNI documents. UNI is the standard adopted by the ATM Forum to define connections between users or end stations and a local ATM network switch.

USB Universal Serial Bus

A serial bus standard that provides an interface to other USB devices that can be connected.

USM user-based security model

V

VACM view-based access control model

SNMP v3 view-based access control model that defines the elements of the procedure for controlling access to management information.

VLAN virtual local area network

A VLAN is a logical group of NEs that may be on the same physical network segment. The NEs share the same IP network number. VLAN specifications are in IEEE 802.1Q.

VRTN virtual real-time network

W

WCDMA Wideband Code Division Multiple Access

WCDMA is an air interface standard for 3G mobile networks.

whitelisted subnet A subnet from which traffic is ignored by the 9900 WNG.

WiMAX Worldwide Interoperability for Microwave Access

WiMAX is a protocol that provides fixed and fully mobile Internet access.

WSDL Web Services Description Language

WSP wireless service provider

Y

Yum Yum is a software package manager tool that is used to install, update, and remove packages and their dependencies on RPM-based systems.

Glossary


Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 IN-1July 2010 3HE 06049 AAAA TQZZA

Index

Numbers

9900 Wireless Network Guardian; See 9900 WNG

9900 WNG, 10-29900 WNG Central web page, 17-2Central, 10-6components, 1-2, 10-4Detector, 10-6external user interfaces, 10-7features, 11-2hardware, 1-5in a CDMA network, 10-5in a UMTS environment, 10-5in a wireless network, 10-4key benefits, 10-3key functions, 10-2license, 6-2planning, 2-2regulatory specifications, 3-6safety hazards, 3-2software, 1-6software repositories, 9-3software upgrades, 9-2system architecture, 10-2user accounts, 36-2user interfaces, 13-2

9900 WNG Centraladding entries to application map tables,

12-16changing modes in CLI, 14-8changing to 9900 WNG Detector, 14-9changing to 9900 WNG Detector and

modes, 14-10configuring anomaly alerts, 19-11configuring as the software repository, 9-4configuring congestion alerts, 19-11configuring for the first time, 7-5configuring SNMPv1/v2c, 19-3configuring SNMPv3, 19-5configuring trend alerts, 19-11dashboard, 16-6, 21-2deleting SNMP communities, 19-10deleting SNMP hosts, 19-11deleting SNMP server IP addresses, 19-10deleting SNMP views, 19-11displaying health, 37-31displaying sensor status, 37-31enabling security event manager feed,

12-20exceptions for the root partition, 38-5external ports, 4-18generating public keys, 12-21hardware, 1-6inputs and outputs, 33-5installing, 4-2

Index

IN-2 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1July 2010 3HE 06049 AAAA TQZZA

loading saved login banners, 12-21logging in to CLI from GUI, 14-7logging in to CLI using SSH, 14-6mandatory configuration procedures, 7-2monitoring, 37-2monitoring using BMC, 37-30obtaining host identifier, 6-3optional configuration procedures, 12-16ordering CRUs, 8-2planning, 2-2powering down, 5-3powering down using BMC, 5-5powering up, 5-2powering up using BMC, 5-5replacing hard disk drive, 8-4replacing power supply, 8-3resetting using BMC, 5-5SNMP, 19-2software upgrades, 9-2updating SNMP agent contact, 19-9updating SNMP location information, 19-9upgrading software using a USB, 9-8upgrading software using the 9900 WNG

Central repository, 9-6upgrading software using the external

software repository, 9-79900 WNG Central web page, 17-2

accessing, 17-2changing your password, 36-6

9900 WNG Centralrinputs and outputs, 33-3

9900 WNG Detectoradding, 12-14backing up, 39-4backing up files, 39-7changing modes in CLI, 14-8changing to 9900 WNG Central, 14-9changing to 9900 WNG Central and

modes, 14-10configuring for the first time, 7-6configuring RNC load threshold, 12-4configuring RNC-to-PCF IP address

mapping, 12-4configuring UMTS RNC-to-SAI mapping

threshold, 12-5

copying configuration files, 12-15deleting, 12-16deployment mode, 12-2disabling reporting of anomaly events,

12-11displaying health, 37-31displaying sensor status, 37-31estimating number needed, 2-5external ports, 4-18hardware, 1-5inputs and outputs, 33-3, 33-5installing, 4-2location, 2-6logging in to CLI, 14-8mandatory configuration procedures, 7-2modifying anomaly event throttle rates,

12-8modifying mobile dormancy timeout

values, 12-9monitoring, 37-2monitoring using BMC, 37-30optional configuration procedures, 12-2ordering CRUs, 8-2planning, 2-3powering down, 5-5powering down using BMC, 5-5powering up, 5-4powering up using BMC, 5-5replacing hard disk drive, 8-4replacing power supply, 8-3resetting using BMC, 5-5restoring, 39-7restoring files, 39-7software upgrades, 9-2specifying intensity levels for anomaly

events, 12-13specifying IP addresses for whitelists, 12-8specifying mobile IP address ranges, 12-7specifying VLANs, 12-10upgrading software using a USB, 9-8upgrading software using the 9900 WNG

Central repository, 9-6upgrading software using the external

software repository, 9-7

9900 WNG Central (continued) 9900 WNG Detector

Index


9900 WNG EMSinstalling, 15-2system requirements, 15-2

9900 WNG GUI; See GUI

A

abusive subscriber events, 33-17AC

power requirements, 4-3AC power supply, 2-13access privileges; See privilegesaccess roles; See rolesaccessing

9900 WNG Central web page, 17-2accounts

creating, 20-3deleting SNMP, 19-8

accounts; See user accountsActive Reports tab

Subscriber view, 29-3always-active subscriber events, 33-19anomaly alerts

configuring, 19-11anomaly event throttle rates

modifying, 12-8Anomaly Events

filtering, 22-8anomaly events

investigating, 33-5specifying threshold, 33-21unwanted source, 33-16

Anomaly Events tab, 29-11in subscriber reports, 29-11

Anomaly Events view, 22-5anomaly types, 22-7components, 22-6Event Details panel, 22-7filtering events, 22-8opening Mobile Flow view from, 22-9operations, 22-9working in, 22-9

Anomaly History view, 22-12components, 22-12filtering, 22-12

anomaly typesin Anomaly Events view, 22-7

API; See Motive APIapplication

browser-based reports, 31-36Application Comparison Table report, 31-36application map tables

adding entries, 12-16application reports, 31-36

application choosers, 31-41application filters, 31-41configuring, 31-40fields in, 31-40parameters, 31-40

axes in Dashboard View charts, 21-9

B

backing up, 39-29900 WNG Detector, 39-4configuration files, 39-4full database, 39-4full system, 39-4license files, 39-4log files, 39-4reports, 39-4security files, 39-4system files, 39-4

backup datarestoring, 39-3

battery attacks, 33-8Billing Discrepancy report, 31-34Billing tab, 29-15

in subscriber reports, 29-15BMC, 13-2, 18-2

monitoring 9900 WNG Central, 37-30monitoring 9900 WNG Detector, 37-30powering down 9900 WNG Central, 5-5powering down 9900 WNG Detector, 5-5powering up 9900 WNG Central, 5-5powering up 9900 WNG Detector, 5-5resetting 9900 WNG Central, 5-5resetting 9900 WNG Detector, 5-5

9900 WNG EMS BMC

Index


browser-based reportsapplication, 31-36CDF charts, 30-9considerations for early-morning queries,

30-6controls, 30-4device, 31-41export icons, 30-12exporting, 30-12exporting to CSV file, 30-13exporting to Excel, 30-13filters, 30-4generating, 30-2hop, 31-25input parameters page, 30-3lag period, 30-5legacy reports, 30-2navigation icons in, 30-6network elements, 31-10network resource usage, 31-2network statistics, 31-5pie charts, 30-10presentation page, 30-6security, 31-28stacked area charts, 30-8subscriber, 31-29tables, 30-11time parameters, 30-4time zones, 30-5time-series charts, 30-7tool tips in, 30-6troubleshooting, 31-47types, 30-7

C

cablesconnecting, 4-17

calendar and time widgetin GUI, 16-7

calendar widgets, 30-5CDF charts

in browser-based reports, 30-9CDMA network

threat detection, 33-2

Cell comparison table (CDMA) report, 31-10, 31-11

Cell cumulative dist. (CDMA; session & perf) report, 31-14

Cell cumulative dist. (CDMA; traffic) report, 31-14

Cell cumulative dist. (UMTS; session & perf) report, 31-15

Cell cumulative dist. (UMTS; traffic) report, 31-15

Cell multi-element time-trend table (CDMA) report, 31-13

Cell multi-element time-trend table (UMTS) report, 31-13

Cell time plot (sessions and performances) report, 31-12

Cell time plot (traffic) report, 31-11cells

displaying in Network Graph view, 24-9Central dashboard, 16-6, 21-2Central web page, 13-2Central web page; See 9900 WNG Central web

pageCentral; See 9900 WNG Centralchart display properties

configuring in Dashboard View, 21-12in Dashboard View, 21-12right-click options, 21-12

CLEI labels, 8-4CLI, 13-2, 14-2

See also CLI commandschanging modes, 14-8changing target servers, 14-9changing target servers and modes, 14-10logging in to 9900 WNG Central from

GUI, 14-7logging in to 9900 WNG Central using

SSH, 14-6logging in to 9900 WNG Detector, 14-8managing user accounts, 36-4measuring performance, 37-12modes, 14-3monitoring user accounts, 36-10navigation tips, 14-12privileges, 14-3

browser-based reports CLI

Index


prompts, 14-5role, 36-2roles, 14-3shortcuts, 14-13timeouts, 14-5viewing log files, 37-3

CLI commands, 14-14See also CLIbacking up, 39-2Motive API, 20-4restoring, 39-2show backhaul, 37-18show compressionStatus, 37-18show memory, 37-16show stats, 37-13show system, 37-17show top, 37-18software upgrades, 9-2syntax, 14-12

CLI prompts, 14-5CLI role, 36-2

creating, 36-5CLI view, 28-2

opening from GUI, 28-2commands

SNMP, 19-12components

GUI, 16-2in Anomaly Events view, 22-6in Mobile Flow record, 27-3in Network Graph view, 24-7in Performance Events view, 22-10in subscriber reports, 29-7in Subscriber view, 29-3in System Events view, 26-3

configuration filesbacking up, 39-4copying, 12-15restoring, 39-5

configuration procedures; See optional configuration procedures, mandatory configuration procedures

configuringchart display properties in Dashboard

View, 21-12Dashboard View intensity preferences,

21-10congestion alerts

configuring, 19-11connecting

cables, 4-17connections, 4-17controls

Dashboard View, 21-8Dashboard View axes, 21-9Dashboard View element display, 21-9

CPU Usage system event, 38-4CRUs

replacing, 8-2CSV file

exporting browser-based reports to, 30-13Cumulative Resources chart

in Flow/Session tab, 29-14

D

daily summarization process and browser-based reports, 30-6

Dashboard Viewchart display properties, 21-12components, 21-2configuring optional properties for element

charts, 21-11element icons, 21-4elements, 21-4features, 21-2plotting elements in, 21-5

Dashboard View elementsmoving to a new dashboard, 21-13

dashboardsmoving elements, 21-13

data retrieval settingspreferences in GUI, 16-9

databasebacking up, 39-4restoring, 39-5

CLI (continued) database

Index


DCpower requirements, 4-4

DC power supply, 2-13deployment mode

specifying, 12-2deployment options

Northbound of a PDSN, 2-8Southbound of an HA, 2-7

Detector time plot (sessions and events) report, 31-7

Detector time plot (traffic) report, 31-6Detector; See 9900 WNG Detectordevice

browser-based reports, 31-41device details

in Mobile Flow view, 27-7device reports, 31-41

fields in, 31-46manufacturer versus models, 31-47parameters, 31-46

Disk Usage system event, 38-4distributed battery attacks, 33-9distributed mobile floods, 33-12

E

Element Tablesnaming conventions for provisioning,

24-11provisioning NE groups, 24-11provisioning operations, 24-11searching for NEs, 24-12

Element Tables viewin Topology view, 24-2right-click operations, 24-6sort function, 24-6working in, 24-5

elements plotsin Dashboard View, 21-5maximum number of, 21-5procedures, 21-5

EMS GUI:See GUIenvironmental requirements, 2-15

Event Details panelAnomaly Events view, 22-7in Mobile Flow, 27-5

event typesnetwork usage reports, 31-5

eventsabusive subscriber, 33-17always-active subscriber, 33-19battery attacks, 33-8distributed battery attacks, 33-9distributed mobile floods, 33-12high signaling subscriber, 33-18high-usage subscriber, 33-17horizontal port scans, 33-14ICMP router discovery abuses, 33-13license violations, 35-2Memory Usage, 38-5mobile floods, 33-11network anomaly, 33-6peer-to-peer mobile traffic, 33-20real-time, 22-2RNC overloads, 33-10signaling attack, 33-7system, 38-2unwanted source, 33-14vertical port scans, 33-15wireless attack, 33-7

Events Details panelForensic View, 23-5querying forensic events, 23-6

Excelexporting browser-based reports to, 30-13

exportingbrowser-based reports, 30-12data from Network Forensic view, 25-7graphical browser-based reports, 30-13

exporting datafrom the GUI, 16-7

external interfacesMotive API, 20-2SNMP, 19-2

external ports9900 WNG Central, 4-189900 WNG Detector, 4-18

DC external ports

Index


external user interfaces, 1-7, 10-7BMC, 13-2Central web page, 13-2CLI, 13-2EMS GUI, 13-2NMS, 13-2SNMP, 13-2

F

featuresnew, 11-2

filteringAnomaly Events, 22-8anomaly events, 22-8Anomaly History events, 22-13browser-based reports, 30-4Performance Events, 22-11System Events, 26-5

Flow Details buttonin Flow/Session tab, 29-14

Flow/Session tab, 29-11Cumulative Resources chart, 29-14Flow Details button, 29-14in subscriber reports, 29-11Mobile Flow chart, 29-13plots in, 29-13Session chart, 29-14

Forensic View, 23-2Events Details panel, 23-5generating, 23-2generating from Anomaly Events view,

23-2generating from Anomaly History view,

23-2generating from Performance Events view,

23-2GUI-based reports, 23-3menu components, 23-2opening Mobile Flow view from, 23-6operations, 23-5querying data in Events Details panel, 23-6reports components, 23-4tab, 23-2

table columns in, 23-5working in, 23-5

G

generatingbrowser-based reports, 30-2Mobile Flow reports, 27-2reports in Subscriber view, 29-4

GGSN or HA time plot (sessions and performances) report, 31-21

GGSN or HA time plot (traffic) report, 31-21GGSN-to-SGSN or HA-to-PDSN hop time plot

reports, 31-26GGSN/HA comparison table report, 31-20GGSN/HA multi-element time-trend table

report, 31-22graphical browser-based reports

exporting, 30-13grounding

servers, 4-15GUI

components, 16-2configuring language, 16-8Dashboard View, 21-2data retrieval settings, 16-9disconnecting users, 36-9features and functions, 16-6launching, 15-3logging in to, 16-2menus, 16-4monitoring the 9900 WNG system, 16-4navigation menu, 16-6opening CLI view, 28-2provisioning your PC, 15-2role, 36-2

GUI componentsDashboard View, 21-2

GUI featurescalendar and time widget, 16-7exporting data, 16-7sorting data, 16-6whois query, 16-7

GUI role, 36-2creating, 36-5

external user interfaces GUI role

Index


GUI-based reportsForensic View, 23-3

H

hard disk driveordering, 8-2replacing, 8-4

hardware9900 WNG, 1-59900 WNG Central, 1-69900 WNG Detector, 1-5connections, 4-17installing, 4-2replacing hard disk drive, 8-4replacing power supply, 8-3

Hardware Failure system event, 38-8hardware requirements, 4-2hardware specifications, 2-12

cabling, 2-14power requirements, 2-13racks, 2-12

hazard statements, 3-2high signaling subscriber events, 33-18high-usage subscriber events, 33-17Historic Reports tab

Subscriber view, 29-3Historic View

tab, 23-3hop

browser-based reports, 31-25hop reports, 31-25

in Network Forensic view, 25-2parameters, 31-27specifying hops, 31-27time resolution, 31-28

horizontal port scans, 33-14Hour-of-day trend comparing applications

report, 31-37Hour-of-day trend comparing days of week

report, 31-38Hour-of-day trend comparing days report,

31-37Hour-of-day trend comparing manufacturers

report, 31-42

Hour-of-day trend comparing models report, 31-42

I

ICMP router discovery abuses, 33-13icons

to export browser-based reports, 30-12idle timeouts

displaying, 36-12Incident breakdown by event type (pie chart)

report, 31-3, 31-3Incident breakdown by event type (time plot)

report, 31-2installing, 4-2

2-post racks, 4-114-post racks, 4-79900 WNG Central, 4-29900 WNG Detector, 4-29900 WNG EMS, 15-2brackets, 4-7hardware, 4-2license, 6-3server rack, 4-6servers, 4-7

intensity levels for anomaly eventsspecifying, 12-13

intensity preferences in Dashboard View, 21-10

IP addressesspecifying for whitelists, 12-8

L

lag period in browser-based reports, 30-5language

configuring choice of in GUI, 16-8LEDs

status indicators, 16-4troubleshooting, 16-5

legacy reports, 30-2license, 6-2

expiration, 6-2installing, 6-3obtaining, 6-3

GUI-based reports license

Index


obtaining 9900 WNG Central host identifier, 6-3

viewing status, 35-2viewing violations, 35-2

license filesbacking up, 39-4restoring, 39-5

License Violation system event, 38-2Line rate threshold system event, 38-6Link Down system event, 38-3log files, 37-2

backing up, 39-4displaying for Motive API, 20-6GUI queries, 37-10GUI reports, 37-10restoring, 39-5using to monitor the system, 37-3viewing using CLI, 37-3

log reportssamples, 37-3

logging in9900 WNG Central CLI from GUI, 14-79900 WNG Central CLI using SSH, 14-69900 WNG Detector, 14-8

logging in to GUI, 16-2login banners

loading, 12-21

M

mandatory configuration procedures9900 WNG Central, 7-29900 WNG Detector, 7-2configuring 9900 WNG Central servers,

7-5configuring 9900 WNG Detector servers,

7-6configuring management interfaces and

BMC LANs, 7-3prerequisites, 7-2

Memory Usage system event, 38-5menu icons in System View, 26-2

menusForensic View, 23-2GUI, 16-4Subscriber View, 29-2

MIBs; See SNMP MIBsmobile dormancy timeout values

modifying, 12-9mobile floods, 33-11Mobile Flow chart

in Flow/Session tab, 29-13Mobile Flow measurements

RTT, 27-8throughput, 27-8

Mobile Flow Queries, 37-12Mobile Flow record

components, 27-3Mobile Flow report

Event Details tab, 27-5Path tab, 27-7Performance tab, 27-6

Mobile Flow reportsgenerating, 27-2

Mobile Flow viewmeasurements, 27-8opening from Anomaly Events view, 22-9opening from Forensic View, 23-6opening Network Forensic reports from,

27-8operations, 27-7records, 27-2viewing device details, 27-7working in, 27-7

mobile IP address rangesspecifying, 12-7

modeschanging, 14-8CLI, 14-3

monitoringusing log files, 37-2

Motive API, 20-2adding subnets, 20-4CLI commands, 20-4creating accounts, 20-3deleting subnets, 20-5deleting users, 20-3

license (continued) Motive API

Index


displaying log files, 20-6displaying statistics, 20-6displaying users, 20-4interface, 20-2role, 36-2security, 20-3

Motive API role, 36-2creating, 20-3

mouse-over functionin Network Graph view, 24-9

multiple params) report, 31-31

N

navigation iconsin browser-based reports, 30-6

NE reportsin Network Forensic view, 25-2

network anomaly events, 33-6network elements

browser-based reports, 31-10network elements reports, 31-10

configuration options, 31-24parameters, 31-22sessions and performance parameters,

31-23traffic measure types parameters, 31-23traffic parameters, 31-23

Network Forensic Element Reports, 37-11Network Forensic Hop Reports, 37-11Network Forensic reports

components, 25-4concise format, 25-5detailed format, 25-5generating from the Network Graph view,

24-10opening from Mobile Flow view, 27-8statistics, 25-5

Network Forensic view, 25-2export functions, 25-7generating reports, 25-3History tab, 25-4hop reports, 25-2in navigation menu, 25-2NE reports, 25-2

operations, 25-7sorting data in, 25-7working in, 25-7

Network Graph view, 24-6components, 24-7display functions, 24-8displaying and collapsing cell view, 24-9generating a Network Forensic report from,

24-10mouse-over function, 24-9opening, 24-6operations in, 24-10preferences, 24-8working in, 24-8

network resource usagebrowser-based reports, 31-2

network resource usage reports, 31-2network statistics

browser-based reports, 31-5network statistics reports, 31-5

parameters, 31-8sessions and events parameters, 31-9traffic parameters, 31-8

network usage reportsevent types, 31-5resource types, 31-5

NMS, 13-2No Packet system event, 38-6

O

operationsAnomaly Events view, 22-9in Element Tables view, 24-6in Forensic View, 23-5in Network Forensic view, 25-7in System View, 26-6Performance Events view, 22-11

optional configuration procedures, 12-29900 WNG Central, 12-169900 WNG Detector, 12-2adding 9900 WNG Detectors, 12-14adding entries to application map tables,

12-16configuring anomaly alerts, 19-11

Motive API (continued) optional configuration procedures

Index


configuring congestion alerts, 19-11configuring RNC load threshold, 12-4configuring RNC-to-PCF IP addresses,

12-4configuring SNMPv1/v2c, 19-3configuring SNMPv3, 19-5configuring trend alerts, 19-11configuring UMTS RNC-to-SAI

mappings, 12-5copying 9900 WNG Detector

configuration files, 12-15deleting 9900 WNG Detectors, 12-16deleting SNMP communities, 19-10deleting SNMP hosts, 19-11deleting SNMP server IP addresses, 19-10deleting SNMP views, 19-11disabling anomaly event reporting, 12-11enabling security event manager feed,

12-20generating public keys, 12-21loading saved login banners, 12-21modifying anomaly throttle rates, 12-8modifying mobile dormancy timeout

values, 12-9specifying anomaly event intensity levels,

12-13specifying deployment modes, 12-2specifying IP addresses for whitelists, 12-8specifying mobile IP address ranges, 12-7specifying VLANs, 12-10updating SNMP agent contact, 19-9updating SNMP location information, 19-9

Overall network time plot (sessions and events) report, 31-6

Overall network time plot (traffic) report, 31-5Overall subscriber cumulative distribution

report, 31-30

P

Packet Drop system event, 38-6parameters

browser-based reports input page, 30-3

passwordschanging for users, 36-6changing your account using the CLI, 36-6changing your account using the GUI, 36-6expiration, 36-3requirements, 36-3

Path tab, 29-14in subscriber reports, 29-14

peer-to-peer mobile traffic events, 33-20performance

measuring using CLI, 37-12Performance Events view, 22-10

components, 22-10filtering data, 22-11operations, 22-11working in, 22-11

Performance KPI by manufacturer/model report, 31-45

pie chartsin browser-based reports, 30-10

planning, 2-29900 WNG Central, 2-29900 WNG Detector, 2-3cabling, 2-14environmental requirements, 2-15IP addresses, 2-11port numbers, 2-11power requirements, 2-13

port scans, 33-14horizontal, 33-14vertical, 33-15

ports9900 WNG Central, 4-189900 WNG Detector, 4-18

power requirements, 4-3AC, 4-3DC, 4-4

power supplyordering, 8-2replacing, 8-3

powering down, 5-29900 WNG Central, 5-39900 WNG Detector, 5-5

optional configuration procedures (continued) powering down

Index


powering up, 5-29900 WNG Central, 5-29900 WNG Detector, 5-4

preferencesGUI, 16-9menu, 16-9

presentation pagebrowser-based reports, 30-6

privileges, 36-2admin, 36-2anomaly, 36-2application devices, 36-2changing, 36-7CLI, 14-3demo only, 36-2escalating, 36-3NE, 36-2reportonly, 36-2subscriber, 36-2sudo, 36-2user, 36-2

Process Down system event, 38-3Process Start system event, 38-4public keys

generating, 12-21

Q

queriesMobile Flow, 37-12

Queue Usage system event, 38-7

R

Real-time Events view, 22-2anomalies, 22-5Anomaly History, 22-12columns in table, 22-3common components, 22-2common features, 22-2Performance Events, 22-10severity indicators, 22-4

Realm/APN comparison table report, 31-34records

Mobile Flow view, 27-2regulatory specifications, 3-6

reporting of anomaly eventsdisabling, 12-11

Reportsrole, 36-2

reportsbacking up, 39-4generating browser-based, 30-2generating for subscriber, 29-5generating from Network Forensic view,

25-3mobile flow, 27-2Network Forensic Element, 37-11Network Forensic Hop, 37-11restoring, 39-5subscriber, 16-11Subscriber view, 29-2

reports databaseperforming an incremental backup, 39-5restoring increments, 39-6

Reports role, 36-2creating, 36-5

resetting9900 WNG Central using BMC, 5-59900 WNG Detector using BMC, 5-5

resource typesnetwork usage reports, 31-5

Resources breakdown by top application report, 31-4

restoring, 39-29900 WNG Detector, 39-7configuration files, 39-5database, 39-5full system, 39-5license files, 39-5log files, 39-5procedures, 39-5reports, 39-5security files, 39-5system files, 39-5

restoring backup data, 39-3right-click options

for charts in Dashboard View, 21-12RNC comparison table report, 31-16RNC load thresholds

configuring, 12-4

powering up RNC load thresholds

Index


RNC multi-element time-trend table report, 31-17, 31-18

RNC overloads, 33-10RNC time plot (sessions and performances)

report, 31-17RNC time plot (traffic) report, 31-16RNC-to-cell hop time plot report, 31-26RNC-to-PCF IP address mapping

configuring, 12-4Roaming traffic report, 31-7roles, 36-2

changing, 36-7CLI, 14-3, 36-2GUI, 36-2managing, 36-4monitoring, 36-10Motive API, 36-2Reports, 36-2SNMP, 36-2

RTT in Mobile Flow measurements, 27-8

S

safetyguidelines, 3-3hazards, 3-2

safety guidelines, 3-3safety hazards, 3-2security, 34-2

browser-based reports, 31-28Motive API, 20-3passwords, 36-3privileges, 36-2RBAC, 34-2roles, 36-2SNMPv3, 34-2SSH protocol, 34-2SSL, 34-2supported protocols, 34-2

security event manager feedenabling, 12-20

security filesbacking up, 39-4restoring, 39-5

security reports, 31-28

servergrounding, 4-15installing racks, 4-6specifications, 2-12

Session chartin Flow/Session tab, 29-14

severity indicatorsin Real-time Events view, 22-4

SGSN or PDSN time plot (sessions and performances) report, 31-19

SGSN or PDSN time plot (traffic) report, 31-18SGSN/PDSN multi-element time-trend table

report, 31-20SGSN/PDSN-to-RNC hop time plot report,

31-26show backhaul, 37-18show compressionStatus, 37-18show memory, 37-16show stats, 37-13show system, 37-17show top, 37-18signaling attack events, 33-7Single subscriber time trend table report, 31-31SNMP, 13-2

9900 WNG Central, 19-2creating accounts, 19-5deleting accounts, 19-8deleting communities, 19-10deleting groups, 19-8deleting hosts, 19-11deleting server IP addresses, 19-10deleting views, 19-11displaying users, 19-8interface, 19-2MIBs, 19-15role, 36-2trap events, 19-13updating agent contact, 19-9updating location information, 19-9

SNMP commands, 19-12GET, 19-12SET, 19-12TRAP, 19-12

SNMP MIBs, 19-15accessing, 19-15

RNC multi-element time-trend table report SNMP MIBs

Index


SNMP role, 36-2creating, 19-5

SNMPv1/v2cconfiguring, 19-3

SNMPv3configuring, 19-5

software9900 WNG, 1-6displaying enabled repository, 9-4displaying packages, 9-9repository, 9-3upgrading using an external repository, 9-7upgrading using the 9900 WNG Central

repository, 9-6upgrading using USB, 9-8

software repositoryconfiguring the 9900 WNG Central, 9-4displaying, 9-4displaying packages, 9-9

software upgrades, 9-2CLI commands, 9-2

sortingdata in Element Tables view, 24-6data in Network Forensic view, 25-7data in tables, 16-6data in the GUI, 16-6

stacked area chartsin browser-based reports, 30-8

statisticsdisplaying for Motive API, 20-6

Statistics tabin subscriber reports, 29-8

subnetsadding for Motive API, 20-4deleting for Motive API, 20-5

subscriberbrowser-based reports, 31-29

Subscriber Group Manager, 32-2subscriber group view

changing, 32-4subscriber groups

changing view, 32-4creating, 32-3importing data, 32-5

Subscriber Reports, 37-11

subscriber reports, 29-4, 31-29Anomaly Events tab, 29-11Billingtab, 29-15components, 29-7fields in, 31-35Flow/Session tab, 29-11modifying preferences, 16-11parameters, 31-35Path tab, 29-14Statistics tab, 29-8Top Applications tab, 29-8Top Servers tab, 29-10

Subscriber Statistics tab, 29-8, 29-8Subscriber time plot report, 31-30Subscriber view

acquiring IDs for reports, 29-4Active Reports tab, 29-3components, 29-3generating reports, 29-4Historic Reports tab, 29-3reports, 29-2reports characteristics, 29-4

subscriberssearching, 32-4

Swap Usage system event, 38-8system

backing up, 39-4restoring, 39-5

system architecture, 1-2, 10-2system events, 38-2

CPU Usage, 38-4Disk Usage, 38-4Hardware Failure, 38-8License Violation, 38-2Line rate threshold, 38-6Link Down, 38-3No Packet, 38-6Packet Drop, 38-6Process Down, 38-3Process Start, 38-4Queue Usage, 38-7Swap Usage, 38-8viewing, 38-2

SNMP role system events

Index


System Events view, 26-2components, 26-3display preferences, 26-4table columns, 26-4

system filesbacking up, 39-4restoring, 39-5

System History view, 26-5system requirements

9900 WNG EMS, 15-2System View, 26-2

menu icons, 26-2operations, 26-6working in, 26-6

T

Table comparing manufacturers report, 31-44Table comparing models report, 31-45tables

in browser-based reports, 30-11threat detection

CDMA network, 33-2UMTS network, 33-3

threshold values, 33-21throughput in Mobile Flow measurements,

27-8time parameters

browser-based reports, 30-4Time plot comparing applications report, 31-38Time plot comparing manufacturers report,

31-43Time plot comparing models report, 31-44time zones in browser-based reports, 30-5time-series charts

in browser-based reports, 30-7timeouts

See also idle timeoutsin CLI, 14-5

tool tipsin browser-based reports, 30-6

Top applications reports, 31-39Top Applications tab

in subscriber reports, 29-8

Top attackers at or above a specified intensity level report, 31-28

Top mobile (single day, 31-31Top Mobiles reports, 31-32Top scanners report, 31-29Top servers report, 31-33Top Servers tab, 29-10

in subscriber reports, 29-10Topology view, 24-2

Element Tables view, 24-2trend alerts

configuring, 19-11troubleshooting

browser-based reports, 31-47using LEDs, 16-5

U

UMTS networkthreat detection, 33-3

UMTS RNC-to-SAI mappingconfiguring, 12-5

unwanted source anomaly event, 33-16upgrading

9900 WNG Central software using a USB, 9-8

9900 WNG Central software using the 9900 WNG Central repository, 9-6

9900 WNG Central software using the external software repository, 9-7

9900 WNG Detector software using a USB, 9-8

9900 WNG Detector software using the 9900 WNG Central repository, 9-6

9900 WNG Detector software using the external software repository, 9-7

user accounts, 36-2changing names, 36-8changing password, 36-6changing passwords using the CLI, 36-6changing passwords using the GUI, 36-6changing roles, 36-7CLI role, 36-2creating, 36-5creating for SNMP, 19-5

System Events view user accounts

Index


deleting, 36-10deleting motive API, 20-3deleting SNMP, 19-8disconnecting, 36-9displaying, 36-11displaying idle timeouts, 36-12displaying Motive API users, 20-4displaying patterns, 36-12displaying SNMP users, 19-8GUI role, 36-2managing, 36-4monitoring, 36-10Motive API role, 36-2passwords, 36-3privileges, 36-2Reports role, 36-2resetting the password timeout for all, 36-8roles, 36-2setting the idle timeout, 36-9setting the password timeout for one, 36-8SNMP role, 36-2

user interfaces, 13-29900 WNG Central web page, 17-2BMC, 18-2CLI, 14-2GUI, 16-2GUI Dashboard View, 21-2logging in, 13-3

usersSee also user accountscreating accounts, 36-5

V

vertical port scans, 33-15viewing

license status, 35-2system events, 38-2

viewsAnomaly Events, 22-5Anomaly History, 22-12CLI, 28-2Element Tables, 24-2Forensic, 23-2Network Forensic, 25-2

Network Graph, 24-6Performance Events, 22-10Subscriber, 29-3System, 26-2Topology, 24-2

VLANsspecifying, 12-10

W

warning hazards, 3-2whois query, 16-7widgets

calendar, 30-5wireless attack events, 33-7

user accounts (continued) wireless attack events

Customer documentation and product support

Customer documentationhttp://www.alcatel-lucent.com/myaccessProduct manuals and documentation updates are available at alcatel-lucent.com. If you are a new user and require access to this service, please contact your Alcatel-Lucent sales representative.

Technical Supporthttp://support.alcatel-lucent.com

Documentation [email protected]

http://www.alcatel-lucent.com/myaccess

http://support.alcatel-lucent.com

mailto:[email protected]

© 2010 Alcatel-Lucent. All rights reserved.

3HE 06049 AAAA TQZZA