|
This chapter contains platform and system requirements, and provides instructions for installing and setting up the NetFlow FlowAnalyzer application.
Before you begin installation of the NetFlow FlowAnalyzer application (the FlowAnalyzer), ensure that you have the correct version of platform software and that your workstation has enough logical memory and disk space as well as access to a browser
The NetFlow FlowAnalyzer application runs on the following platforms:
To ensure a successful installation of the FlowAnalyzer application, see that your workstation meets the following requirements:
The FlowAnalyzer application is available on CD-ROM. This section provides instructions for installing the FlowAnalyzer programs FlowAnalyzer DisplayServer and FlowAnalyzer Display. The NFADisplayServer program runs on Solaris 2.5.1 and uses Java classes and native libraries. The NFADisplay program includes a set of Java classes and an html file and should be installed on the same machine where your web server is running.
$ pkgrm NFA
or
$ pkgrm CSCOnfa
Use the following installation procedure after installing the FlowAnalyzer software package:
Step 1 Log in as root.
Step 2 Copy the tar file from the CD and untar the file.
For Solaris
For HP-UX
Step 3 Run the installation script and answer all questions.
For the Solaris platform, enter the following:
For the HP-UX platform, enter the following:
To set up the FlowAnalyzer Display program on your workstation, use the following procedure:
Step 1 Edit the NFAnalyzerB.html file located in the /opt/CSCOnfa/NFADisplay/bin directory so that NFDISPLAYSERVERPORT (6544 is the default) uses the port value that the server is listening on.
Also, the NFDISPLAYSERVERDATAPATH must point to the directory where the data is collected.
Step 2 Move the FlowAnalyzer files to a web server directory. For example:
The http-web-server-root-directory is the directory where the http web server is installed.
Step 3 Create a directory for the nfa files and move to that directory.
Step 4 Copy the nfa files to this new directory.
Step 5 Open the NFAnalyzer.html file by clicking on the Open button or use the Open Location option from the File pull down menu in your browser. Enter the following:
The http-web-servername is the name of the host where the http web server is running.
To set up the FlowAnalyzer DisplayServer program to retrieve traffic statistics from the NetFlow FlowCollector application, you can configure the DisplayServer program using the resource file or using the default parameters. Some additional setup is required for installation on the HP-UX platform.
The following quick start procedures for the DisplayServer are provided here for your convenience.
Step 1 Verify that you have at least 256 MB of physical RAM and 400 MB of available swap space. If you do not, refer to the section entitled "Memory Management."
To reduce the MaxMB value, edit the NFADS.resources file. For example:
with
Step 2 Start the DisplayServer program from the {DisplayServerBaseDir}/bin directory to begin listening to Port 6544.
Step 1 Verify that you have at least 256 MB of physical RAM and 300 MB of available swap space. Enter
If you do not, refer to the section entitled "Memory Management."
To reduce the MaxMB value, edit the NFADS.resources file. For example:
with
Step 2 Ensure that your execution path is set with HP-UX Java Version 1.0.3. If it is not, refer to the section entitled "Configure the DisplayServer."
Step 3 Start the DisplayServer program from the {DisplayServerBaseDir}/bin directory to begin listening to Port 6544.
The DisplayServer's resource file NFADS.resource contains a variety of parameters you can use to configure the DisplayServer so that it retrieves summarized traffic statistics from the NetFlow FlowCollector.
To redefine configuration parameters from their default values in the NFADS.resources file, use the guidelines described in the following list:
The format to use for redefining the parameters is
<parameter_keyword> <new_value>
The DisplayServer program includes two files used to change the information displayed by the FlowAnalyzer user interface. The files are located in the NFAServer/imported_files directory. Edit the following files to define router aliases:
The NetFlow reporting router defined in the RouterAliases.txt file has three columns:
In the RouterAliases.txt file, you can leave the router's identifying text blank (second column) and still define the router's AS number in the third column. This allows you to continue to view the router and its IP address and still have the AS 0 replacement. This also implies that you cannot use a number from 0 to 65535 as a router identifying string, unless you also provide an AS number on that line. The DisplayServer's interpretation of the RouterAliases.txt file is printed near the top of the DisplayServer's log file.
The AS.txt file has two columns; the first column includes the AS number, and the second column is used to create a textual description associated with the AS number.
Run the NetFlow FlowCollector application using the GMT reference. To run the FlowCollector in this mode, you must edit the nf.resources file to uncomment the line GMT_FLAG. The GMT_FLAG parameter by default is turned on (yes). If you do not uncomment the GMT_FLAG parameter, you must use a distinct DataSetPath for each local time zone in your collection of data. There can be only one time zone for each DataSetPath directory of your FlowCollector database. For example:
GMT_FLAG yes
The NFADisplayServer can accommodate the shift to daylight saving time and will support the locally named file for a single time zone used for each DataSetPath (Data Location). The DataSetPath is defined for each thread in your nfconfig.file and is the same as the DataLocation. The FlowCollector database may contain anomalies if you collect data from different time zones from the same DataSetPath, or if you are not running the GMT reference when daylight saving time causes the local clock to be shifted back.
The router name should always be specified in decimal byte format (a.b.c.d). This prevents ambiguity, which could cause the analysis module to miss requested data. For example, the format should be
171.69.204.5
The FlowCollector uses the dot-decimal format only in order to prevent data from the same router being stored in only one location in the FlowCollector database. For example, the format should be
DEV_DOTTEDADDRESS yes
Use a consistent router alias. If the FlowCollector cannot find the router alias, it uses the decimal byte format, DEV_DOTTEDADDRESS. To avoid inconsistencies using router identifiers, use the DEV_DOTTEDADDRESS format.
Run HP-UX Java 1.0.3, which you can access using the URL:
http://hpcc920.external.hp.com/gsyinternet/hpjdk/productbrief.html
Then select "1.0.3 Release for HP-UX 10.20 or 10.10..."
Problems can arise if you use inconsistent router identifiers of HP's 1.0.2 and 1.0.3 releases. Ensure you are running the correct version:
$ which java
/opt/java/bin/java
bee /tmp_mnt/home/jdoe/HPUX
$ java -version
java version "1.03.01 HP-UX 10.20: 970327"
bee /tmp_mnt/home/jdoe/HPUX
$
Specifically, delete any /usr/bin/java script or file, and do not refer to the /usr/java directory on your disk. If you have these references, run a clean install of HP 1.0.3 only.
Additional setup is required when you are running the DisplayServer on an HP-UX platform:
Step 1 Install the Java runtime environment, Version 1.0.2 (HP-UX Version 1.0.3), on your workstation.
Step 2 Ensure that the correct Java runtime environment is in your execution path. Use one of the following methods:
Method 1: Verify that Java is in your execution path.
Verify the Java runtime version installed.
Method 2: The shell script set_path.JAVABIN returns the correct location of the Java runtime environment. If you have performed the standard installation of Java, it is not necessary to edit the set_path.JAVAVIN file. To check the location of Java, enter
If you have installed the HP-UX version of Java in the /opt/java/bin default directory, the set_path.JAVABIN script is correct and your installation of HP-UX is complete.
If you have installed the HP-UX version of Java in a different location, you must edit the set_path.JAVABIN script file to include the location of the java executable file, which is actually a wrapper shell script named "java."
You use two memory management parameters to configure the DisplayServer for your workstation and the FlowAnalyzer application:
MaxMBperCommand 280 most used on one command
MaxMB 224 size of memory pool
The MaxMBperCommand parameter is automatically truncated to MaxMB.
The memory use of DisplayServer is limited primarily by the MaxMB parameter in the NFADS.resources file. When you are tuning the memory configuration, be careful not to configure the DisplayServer to use too much memory, which would exhaust your workstation system swap space. If this does happen, the operating system might terminate the DisplayServer and cause a (possibly large) core dump in the /opt/CSCOnfa/NFAServer/bin directory. You can save time and inhibit this core dump by creating an unwritable core file in the DisplayServer bin directory. Doing so creates an unwritable core file in the NFADisplayServer directory:
$ rm core
$ touch core
$ chmod 444 core
If Java runs out of memory, the message "java.lang.OutOfMemoryError" appears in your log file. If this happens, you should stop and then restart your DisplayServer using the stop and start shell scripts provided.
The following memory setup procedures are required for the Solaris and HP-UX platforms. For more information about memory setup, refer to the Release Notes for NetFlow FlowAnalyzer Release 1.0.
This memory setup procedure runs on the Solaris platform in normal running mode with all applications other than DisplayServer active.
Step 1 Verify the amount of available logical memory on your workstation. You can run vmstat to check your available memory. (The first line of vmstat's output is not valid.)
The column labeled swap shows the number of kilobytes of space available. Divide this number by 1024 to calculate the amount of memory available. For example, 420056 divided by 1024 is approximately 410 MB.
Another method of verifying the amount of swap space available is to run the "swap -s" program. For example:
Step 2 Configure the DisplayServer to allow a large amount of unused memory. The largest reasonable starting value for MaxMB is
The allowance should be at least 100 MB of memory. For example, a reasonable value is
The value 224 is selected because this is 32 MB less than the physical memory in the workstation. The DisplayServer program may use up to 76 MB of additional memory. A cushion of 110 MB is allowed. For example:
For optimum performance, keep the MaxMB below the amount of actual RAM you have in your workstation. This is particularly important if you plan to process up to the MaxMB of Detail disk data in a single command. Failure to allow for some extra physical RAM can cause disk thrashing while you are accessing the dispersed locations of data over the range of flow keys. CPU utilization can drop below 2 percent and the time to get a response to a command can be exceedingly large.
For example, on a busy ULTRA-1 with 256 MB of actual RAM, extra memory of 32 MB, and MaxMB = 224, the performance is sufficient to minimize disk thrashing.
On a moderately busy ULTRA-1, the expected performance for the DisplayServer is approximately 0.6 to 3.5 MB of disk data per second. Consequently, processing and sorting 400 MB of HostMatrix data should take about 90 seconds, and 100 MB of DetailHostMatrix could require about 90 seconds. Performance varies with the amount of paging/context switching required. If you must change the maxMB setting, it is a good idea to run vmstat 60 to monitor your swap space and activity when the DisplayServer is processing large volumes of Detail* aggregation scheme data. The perfmeter program is also useful when you are tuning for the spot of maximal processing storage capacity with minimal disk thrashing.
This memory setup procedure runs on the HP-UX platform. The assumption here is that you have the recommended 256 MB of physical RAM and at least 350 MB of free logical memory space.
The MaxMB parameter in the NFADS.resources file limits the amount of memory used to store data when a command is being processed. The MaxMB value should not be more than the actual amount of physical RAM in your workstation minus 32 MB. If you have 256 MB of RAM, you should keep MaxMB less than or equal to 224 in order to minimize disk thrashing and poor performance. The recommended value for the workstation is MaxMB 224.
The workstation needs to be configured so that the DisplayServer application is allowed to use the MaxMB memory space, plus about 32 MB. The system parameter maxdsize is the kernel process limit of the amount of memory a single application is allowed to use. The recommended value is maxdsize >= (MaxMB + 32)MB. Given these calculations, the maxdsize should be configured to represent at least 256 MB on our recommended platform.
Step 1 Monitor the amount of memory used and the amount of memory remaining. Run swapinfo under root access to monitor logical memory:
If you run the top program while processing a large command, you may find that the "%CPU" is small; the process may be causing disk thrashing.
In the following example, the DisplayServer process is efficiently processing several commands simultaneously:
Step 2 Calculate the amount of available memory. Keep MaxMB below the amount of actual RAM you have on your workstation. This is particularly important if you plan to use a single command to process up to the MaxMB of Detail disk data. Failure to allow for some extra physical RAM will cause disk thrashing while you are accessing the dispersed locations of data over the range of flow keys.
The NFADisplayServer running on a Solaris host can serve data only from the host's local disks and from valid NFS mounts to that machine. An automounter may allow your NFADisplayServer's workstation to NFS mount many shared file systems that are not really valid NFS mount points.
To obtain a list of valid NFS mount points from a NetFlow database machine, log in to the database machine and type the command showmount -e. For example, suppose that you have data on your_database_WS:
$ /usr/sbin/showmount -e
export list for your_database_WS:
/u0 [list_of_hosts_having_permission]
/u1 [list_of_hosts_having_permission]
Any of the Solaris machines on the list_of_hosts_having_permission can run the NFADisplayServer and serve any local NetFlow data they have in addition to the your_database_WS. You can also obtain the same valid list without logging in to the database workstation by typing
$ /usr/sbin/showmount -e your_database_WS
You can expect better performance if you use file structures local to the NFADisplayServer's workstation.
The files exported from the DisplayServer through the use of the Export button are located in the exported_files directory. The location for a standard installation is
/opt/CSCOnfa/NFAServer/exported_files
This section describes how to start and stop the DisplayServer and check the DisplayServer's status while you are running the FlowAnalyzer on the Solaris platform.
To start the DisplayServer, run the start.DisplayServer shell script. The DisplayServer command starts and generates a log file of sessions.
$ /opt/CSCOnfa/NFAServer/bin/start.DisplayServer [server_logfile]
If you do not include a <server_logfile>, the filename server.out is used. If a server_logfile already exists, the log file is stored in the lowest-numbered server_logfileNUM (NUM is a nonnegative integer).
To stop the DisplayServer, run the stop.DisplayServer shell script:
$ /opt/CSCOnfa/NFAServer/bin/stop.DisplayServer
To check the status of the DisplayServer, run the check.DisplayServer shell script:
$ /opt/CSCOnfa/NFAServer/bin/check.DisplayServer
|