Allot AC-1400 and AC-502 Installation and Configuration

This document provides instructions for installing and configuring an Allot NetXplorer and NetEnforcer QoS system for a Gilat satellite network. It covers requirements, installation of hardware and software, configuration of active redundancy, and testing QoS functionality for VSAT terminals.

Allot NetXplorer and Allot NetEnforcer (AC-1400 and AC-502) FOR GILAT PRODUCTION AND TECHSUPPORT
Installation and Configuration Manual

December 2013
Revision 0.6

Document Number: DC-003030(F)


Notice
This document contains information proprietary to Gilat Satellite Networks Ltd. and its affiliates and may not be reproduced
in whole or in part without the express written consent of Gilat Satellite Networks Ltd. The disclosure by Gilat Satellite
Networks Ltd. of information contained herein does not constitute any license or authorization to use or disclose the
information, ideas or concepts presented. The contents of this document are subject to change without prior notice.
Contents
Chapter 1: Introduction ... 7
  Document Scope ... 7
  What's New ... 7
  QoS Overview ... 7
  Outbound QoS in SkyEdge and SkyEdge II Systems ... 7
    Hardware Components ... 8
    Active Redundancy Concept ... 9
    Working with Bypass Unit ... 10
    Switchover Triggers ... 10

Chapter 2: Installing QoS System ... 11
  Requirements for Installing Allot NetXplorer Server ... 11
  Installing Allot NetXplorer Server on Linux ... 12
    Installing Kick-Start Image on Allot NetXplorer Linux Server ... 13
    Checking Connectivity ... 15
    Verifying Normal Operation of NetXplorer Server on Linux ... 15
    Installing NetAccounting Application on NetXplorer Linux Server ... 16
  Installing Allot NetEnforcer Machine ... 18
    Configuring IP Address ... 18
    Physical Connections ... 18
  Installing and Updating Allot Protocols Pack Version on NetXplorer and NetEnforcer Machines ... 20
    Installing and Updating Protocols Pack Version on NetXplorer Linux Server ... 20
    Upgrading NetEnforcer Machine with New Protocols Pack Version ... 21
  Synchronizing Allot NetXplorer and NetEnforcer Clocks ... 22
  Synchronizing Allot NetXplorer Server Linux Machine and NMS Timezone ... 24
  Enabling QoS on DPS ... 24

Chapter 3: Configuring Active Redundancy ... 27
  Configuration Overview ... 27
  Configuring Networking Attributes on AC-1400 NetEnforcer Machine ... 27
  Configuring Networking Attributes on AC-502 NetEnforcer Machine ... 28
  Configuring Ports ... 30

Chapter 4: Checking Test VSAT QoS Functionality ... 35
  Overview ... 35
  Displaying MPN and SLA Configuration ... 35
  Activating Real-Time Monitoring ... 37
  Removing Test VSAT from VGroup 2 ... 40
  Adding a Test VSAT to VGroup1 ... 41
  Removing Test VSAT from VGroup 1 ... 42
December, 2013 i
Proprietary and Confidential
  Adding Test VSAT to VGroup 3 ... 43
  Removing Test VSAT from VGroup 3 ... 43
  Adding Test VSAT to VGroup 2 ... 43

Chapter 5: Testing Active Redundancy ... 45
  Testing Active Redundancy on Satellite Switch ... 45
    Verifying Configuration on Satellite Switch ... 45
    Verifying Flex-Link Status on Satellite Switch ... 46
    Verifying UDLD Configuration on Satellite Switch ... 46
    Understanding LEDs Status on Satellite Switch ... 46
  Testing Active Redundancy on Application Switch ... 46
    Verifying Configuration on Application Switch ... 47
    Verifying Flex-Link Status on Application Switch ... 47
    Verifying UDLD Configuration on Application Switch ... 48
    Understanding LEDs Status on Application Switch ... 48
  Verifying Active Redundancy on NetEnforcer Machine ... 48
  Verifying Active Redundancy System Status ... 48
  Verifying Bypass (Internal) Unit on AC-502 (QoS2) NetEnforcer Machine ... 50
    Reverting from Bypass (Internal) Unit and Resuming Traffic Transmission ... 50

Chapter 6: Configuring QoS System ... 51
  Recommended QoS Techniques ... 51
    Catalog Definition ... 51
    Classification Level Hierarchy ... 51
    Policy Creation at Each Classification Level ... 51
  Configuring Catalog Entries ... 52
    Defining VSAT (Subnet) ... 52
    Defining VSAT Group (SLA) ... 53
    Defining Enhanced QoS for Lines ... 55
    Defining Enhanced QoS for Pipes ... 57
    Defining Enhanced QoS for Virtual Channels ... 60
    Defining RPA Service ... 63
    Defining UDP Dummy Service ... 64
  Defining Policies ... 65
    Outbound Configuration (NetEnforcer Level) ... 65
    MPN Configuration (Line Level) ... 67
    SLA Configuration (Pipe Template Level) ... 70
    Application Configuration (VC Level) ... 73
  Applying Policy Distribution ... 75

Chapter 7: System Maintenance ... 79
  Verifying Traffic Status ... 79
  Switching from Active to Bypass Operation Mode ... 79
  Recovering from Bypass to Active Operation Mode ... 80

Chapter 8: Monitoring Allot NetXplorer and NetEnforcer Machines ... 81
  Monitoring Allot NetEnforcer Bandwidth Limits ... 81
  Monitoring Tools for Allot NetXplorer Linux Server ... 81
    Monitoring Processes via NetXplorer Server GUI ... 81
    Process Running ... 83
    Monitoring Processes Using Logs ... 83
    Monitoring Processes via Wireshark Sniffer ... 83
    Enabling VNC on Allot NetXplorer Linux Server ... 84

Chapter 9: Shutting Linux NetXplorer Server Service ... 87
  Performing Normal NetXplorer Server Service Shutdown ... 87
  Performing Workaround during NetXplorer Server Service Shutdown or Reset ... 87

Appendix A: Troubleshooting ... 89
  Troubleshooting Bypass Mode ... 89
    Applying Bypass Configuration ... 89
    Changing Redundancy Mode ... 90
    Disabling Network Bypass Unit ... 90
    Creating Manual Bypass ... 90
  Troubleshooting Clocks Synchronization Issues ... 90
    Troubleshooting Clocks Synchronization between NetXplorer Server and Client ... 90
    Troubleshooting Clocks Synchronization between NetXplorer Server and NetEnforcer Machines ... 91
  Troubleshooting Network Security Thread ... 94
    Network Security Guidelines ... 94
    Configuring Network Access Policy ... 94

Appendix B: Adding New Allot NetEnforcer Machine ... 99

Appendix C: Deleting Allot NetEnforcer Machine ... 101
  Deleting Allot NetEnforcer Machine from NetXplorer Server Configuration ... 101
  Activating Internal Bypass Unit for AC-502 NetEnforcer Machine ... 104

Appendix D: Loading a New License Key ... 105

Appendix E: Changing IP Address of Allot NetXplorer Linux Server ... 107

Appendix F: Upgrading Allot NetXplorer Server Firmware ... 111
  Verifying Firmware Version ... 111
  Upgrading Firmware ... 111

Appendix G: Defining RAID ... 113

Appendix H: Upgrading NetAccounting Application on NetXplorer Linux Server ... 117

Appendix I: Upgrading and Downgrading Allot NetEnforcer ... 119
  Upgrade and Downgrade Prerequisites ... 119
  Upgrading Allot NetEnforcer Software Version ... 119
  Downgrading Allot NetEnforcer Software Version ... 120
  Troubleshooting Upgrade/Downgrade of NetEnforcer Software Version ... 121

Appendix J: Moving Database Contents from AC-402/802/804 to AC-1400/AC-502 NetEnforcer Machine (and Vice Versa) ... 123

Appendix K: Upgrading Allot NetXplorer Software Version on Linux ... 125

Appendix L: Upgrading Satellite / Application Switch Configuration ... 127

Appendix M: Installing Patches after Upgrade to Version 11.2.200-B2 on AC-1400 ... 129
  Installing Script for Fixing Extra Space on Telnet Prompt on AC-1400 ... 129
  Installing Script for Fixing Switchover on AC-1400 ... 130
  Verifying AC-1400 Operation after Running Post-Upgrade Script ... 130

Appendix N: Installing Patches after Upgrade to Version 12.2.3_B26 on AC-502 ... 133
  Installing Script for Fixing Extra Space on Telnet Prompt on AC-502 ... 133
  Installing Script for Fixing Links Status on AC-502 ... 134

Appendix O: Installing Allot AC-502 and AC-1400 in SkyEdge System ... 135
  Procedure Overview ... 135
  Installing and Configuring Server Farm of Version 5.X.X ... 135
    Server Farm Network Architecture for Version 5.X.X ... 136
    Preparing QoS System for Server Farm 5.X.X Installation ... 136
    Configuring QoS Switch ... 137
    Configuring Satellite Switch ... 138
    Configuring Application Switch ... 139
  Installing and Configuring Server Farm of Version 15.X.X ... 139
    Server Farm Network Architecture for Version 15.X.X ... 140
    Preparing QoS System for Server Farm 15.X.X Installation ... 140
    Configuring Satellite Switch ... 141
    Configuring CID Extension Switch ... 141
    Configuring Application Switch ... 142

Appendix P: Verifying Bandwidth Changes from DPS to NetEnforcer AC-502/1400 ... 143

Appendix Q: Applications with High Drop Precedence ... 145

Appendix R: Activating Scheduled Reports Sending by Mail ... 147
  Procedure Overview ... 147
  Configuring Permanent Route on Customer's RAR ... 147
  Configuring Permanent Route on Windows-Based NetXplorer Server ... 148
  Configuring Permanent Route on Linux-Based NetXplorer Server ... 148
  Configuring Mail Server Properties ... 148
  Scheduling Mobile Analytics Reports on NetXplorer Server ... 151

Appendix S: References ... 155

Chapter 1: Introduction

In This Chapter
Document Scope ... 7
What's New ... 7
QoS Overview ... 7
Outbound QoS in SkyEdge and SkyEdge II Systems ... 7

Document Scope
This document explains how to install, configure, maintain, and troubleshoot Allot
NetXplorer Server and Allot NetEnforcer (AC-1400 and AC-502) machines in SkyEdge
and SkyEdge II systems.

What's New
In this document release, the following procedures have been added / modified:
• Troubleshooting Upgrade/Downgrade of NetEnforcer Software Version (on page 121)
• Installing Allot AC-502 and AC-1400 in SkyEdge System (on page 135)

QoS Overview
QoS refers to the ability of a network to provide improved service to selected network
traffic over various underlying technologies. In particular, the QoS feature provides
improved and more predictable network behavior by providing the following services:
• Supporting dedicated bandwidth
• Improving loss characteristics
• Avoiding and managing network congestion
• Shaping network traffic
• Setting traffic priorities across the network

Outbound QoS in SkyEdge and SkyEdge II Systems
The Gilat system provides QoS (Quality of Service) capabilities in both traffic directions. On
the Inbound, QoS is implemented at the VSAT before traffic reaches the satellite
media. On the Outbound, QoS is implemented at the hub before traffic reaches the
satellite media. The Outbound QoS is provided by Allot Communications Ltd.
equipment.
The figure below illustrates a schematic view of the SkyEdge II Outbound QoS solution.


Figure 1: Outbound QoS Solution

Allot NetEnforcer implements the Outbound QoS functionalities in the SkyEdge II
network. Outbound traffic coming from the Internet/Intranet passes through the
NetEnforcer device and then goes to the hub. Each Network Segment (NS) includes
two active Allot NetEnforcer units.
At the NetEnforcer, the traffic is prioritized and shaped according to the QoS policies
defined in the NetXplorer Server.
NetXplorer Server provides one centralized management platform for all NetEnforcer
units in the system. One NetXplorer Server is used for multiple Network Segments.
The NetXplorer application provides real-time traffic statistics at all levels for up to 48 hours
(at 5-minute intervals) and long-term (Reporter) traffic statistics at all levels with
volume-based traffic reports for up to 1 year.

The Short-Term Reporting (Real-Time) feature requires an additional license per
NetEnforcer machine.

Hardware Components
To provide the QoS in SkyEdge and SkyEdge II systems, the following hardware
components must be installed:


• NetXplorer Server - Linux Red-Hat machine with RAID 1, 4 / 8GB RAM, and 500G
hard drive.
• NetEnforcer AC-1400 - two units (per Network Segment) that support QoS from
100Mb up to 1Gb (full duplex).

Figure 2: Allot AC-1400

• NetEnforcer AC-502 - two units (per Network Segment) that support QoS from
45Mb to 200Mb (full duplex).

Figure 3: Allot AC-502

Active Redundancy Concept
Operation of the Allot NetEnforcer machine (AC-1400 and AC-502) is based on the
Active Redundancy concept. Both NetEnforcer machines are identified as active, share
the same policy configuration, and receive Outbound transmission from the hub. At
any point in time, only one of the NetEnforcer machines (NS1 QoS 1) is passing traffic.
The two NetEnforcer machines communicate with each other using the Flex Links and
UDLD (UniDirectional Link Detection Protocol) mechanisms to determine which one of
the NetEnforcer machines is passing traffic. Once enabled in the system, the Flex Links
and UDLD mechanisms operate as follows:
• When UDLD detects a unidirectional link, it administratively shuts down the
affected port and alerts you (within 15 seconds).
• UDLD supports two modes of operation: normal (the default) and aggressive. In
normal mode, UDLD can detect unidirectional links due to misconnected interfaces
on fiber-optic connections. In aggressive mode (as we implement), UDLD can also
detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair
links and to misconnected interfaces on fiber-optic links.
• In aggressive mode, if the link state of the port is determined to be bidirectional and
the UDLD information times out while the link on the port is still up, UDLD tries to
re-establish the state of the port. If not successful, the port is put into the
errdisable state.


• In aggressive mode, once the information is aged, UDLD attempts to re-establish
the link state by sending packets every second for eight seconds. If the link state is
still not determined, the link is disabled.
• A pair of interfaces on the Application (on page 46) and Satellite (on page 45)
switches is identified to act as primary active and back-up links.
• The back-up link is in standby mode as long as the primary link is up and forwarding
traffic.
• If the primary link shuts down, the standby link takes over and starts forwarding
traffic.
• When the primary link becomes active again, it goes into standby mode and does
not participate in traffic forwarding for about 35 seconds, after which the primary
NetEnforcer machine starts passing the traffic again. During these 35 seconds,
the traffic remains on the secondary NetEnforcer machine.
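
The failover timing described above can be modelled as a timeline, which helps when judging whether an observed switchover matches expected behaviour. This is an added example, not part of the original manual: the function names and sample events are constructed, and it assumes that a primary link failure during the 35-second wait cancels the pending switch back.

```python
"""Added example: timeline model of the Flex Links / UDLD behaviour described above."""

PREEMPT_DELAY_S = 35        # page: recovered primary waits about 35 s before resuming
UDLD_PROBE_COUNT = 8        # page: aggressive mode probes for eight seconds
UDLD_PROBE_INTERVAL_S = 1   # page: one probe every second


def udld_aged_event(aged_at, neighbour_reply_at=None):
    """Translate a UDLD ageing event on the primary link into link events.

    aged_at: time (s) at which the cached UDLD information timed out.
    neighbour_reply_at: time (s) at which a probe was answered, or None.
    Returns [] if the link state was re-established in time, otherwise
    [(t, "down")] for the moment the link is disabled.
    """
    deadline = aged_at + UDLD_PROBE_COUNT * UDLD_PROBE_INTERVAL_S
    if neighbour_reply_at is not None and aged_at <= neighbour_reply_at <= deadline:
        return []
    return [(deadline, "down")]


def forwarding_timeline(primary_events, end_time):
    """Return [(start, end, unit)] segments showing which NetEnforcer passes traffic.

    primary_events: (time_s, "up" | "down") tuples for the primary link.
    Assumption: the primary is up and forwarding at t = 0.
    """
    segments = []
    active, seg_start = "primary", 0
    resume_at = None  # when the recovered primary is due to take traffic back

    def switch(t, unit):
        nonlocal active, seg_start
        if t > seg_start:                 # skip zero-length segments
            segments.append((seg_start, t, active))
        active, seg_start = unit, t

    events = [e for e in sorted(primary_events) if e[0] <= end_time]
    for t, state in events + [(end_time, "end")]:
        # A pending switch back fires first if its timer expired before this event.
        if resume_at is not None and resume_at <= t:
            switch(resume_at, "primary")
            resume_at = None
        if state == "down":
            resume_at = None              # assumption: a flap cancels the wait
            if active == "primary":
                switch(t, "secondary")    # standby link takes over
        elif state == "up" and active == "secondary":
            resume_at = t + PREEMPT_DELAY_S
    switch(end_time, active)              # close the last segment
    return segments


# Constructed events: failure at 100 s, a flap at 160-180 s, recovery at 300 s.
SAMPLE_EVENTS = [(100, "down"), (160, "up"), (180, "down"), (300, "up")]

if __name__ == "__main__":
    for start, end, unit in forwarding_timeline(SAMPLE_EVENTS, 400):
        print(f"{start:>4}s - {end:>4}s  traffic on {unit} NetEnforcer")
```
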

Working with Bypass Unit
When working in Active Redundancy mode, there is no Bypass machine installed
between the two NetEnforcer machines.
However, the AC-502 NetEnforcer machine has an internal Bypass unit that can
be configured to provide a network link backup. Enabling the internal Bypass unit
configuration makes it possible to maintain network connectivity if the secondary
AC-502 NetEnforcer machine fails.
For maintenance and troubleshooting purposes, you can enable
transparent traffic transmission (i.e., apply Bypass mode) in one of the following
ways:
• Invoking the CLI command - see Section Switching from Active to Bypass Operation
Mode (on page 79).
• Configuring to ignore QoS - see Section Applying Bypass Configuration
(on page 89).
• Changing physical connections between the NetEnforcer machines and the switches
- see Section Creating Manual Bypass (on page 90).

Switchover Triggers
The switchover between the two NetEnforcer machines can be triggered by at least one
of the following causes:
• Loss of the UDLD hello packets
• Power Failure
• Disconnection from the Application Switch
• Disconnection from the Satellite Switch
• Reboot / Shutdown command initiated from the NetXplorer Server or NetEnforcer
machine
• CLI command (on page 79) to switch one of the NetEnforcer machines to the
Bypass operation mode

Chapter 2: Installing QoS System

In This Section
Requirements for Installing Allot NetXplorer Server ... 11
Installing Allot NetXplorer Server on Linux ... 12
Installing Allot NetEnforcer Machine ... 18
Installing and Updating Allot Protocols Pack Version on NetXplorer and NetEnforcer Machines ... 20
Synchronizing Allot NetXplorer and NetEnforcer Clocks ... 22
Synchronizing Allot NetXplorer Server Linux Machine and NMS Timezone ... 24
Enabling QoS on DPS ... 24

Requirements for Installing Allot NetXplorer Server
To install the Allot NetXplorer Server machine, the following requirements must be
met:

| | Installing NetXplorer Server on Linux (on page 12) | Installing NetXplorer Server on Linux (on page 12) |
|---|---|---|
| Hardware Requirements | Gross Point platform - X3430 2.4 GHz processor quad core, 8 GB RAM | Bluff Creek – SR1630BC 12 GB RAM, 2.4 GHz processor 4 core |
| Software Requirements | Linux CentOS 5.5 Enterprise 64 bit x86 (or RedHat 5.6 - special license required from RedHat) | Linux CentOS 5.5 Enterprise 64 bit x86 (or RedHat 5.6 - special license required from RedHat) |
| Number of NetEnforcer Machines to be Managed | Up to 2 NetEnforcer machines | From 2 to 8 NetEnforcer machines |
| With NetAccounting | Not recommended to be installed on the same platform | From 2 to 4 NetEnforcer machines |

In systems with more than one NS and with more than one pair of Allot
NetEnforcer machines, an additional license is required for the Allot NetXplorer
server. The license is obtained from Allot.


If the NetXplorer Server machine is to be sent to a customer as an RMA, make
sure you delete the NetEnforcer devices added to the NetXplorer Server
application before shipping the NetXplorer Server to a customer. Otherwise, once
a customer connects the NetXplorer Server machine to the existing NetEnforcer
devices, the database that it holds overwrites the database that is stored on the
NetEnforcer devices.

Installing Allot NetXplorer Server on Linux
This section explains how to install the Allot NetXplorer Server machine on a PC running
Linux CentOS.

The NetXplorer Server machine and Client are installed on different hardware
platforms. To manage the NetXplorer Server machine using Linux commands,
open an SSH connection from the Management PC (Client) to the NetXplorer
Server machine (otherwise, use the GUI installed on the Management PC).

Make sure that the following ports are open in the RAR:
• TCP/80 HTTP
• TCP/3873 Catalog Interaction with the Server
• TCP/443 SSL
• TCP/1098 The RMI service bind address
• TCP/1099 JNP server bind address
• TCP/4446 RMI Object ports
• TCP/4457 Alarms
• TCP/50010 Alarms
• UDP/161 SNMP
• UDP/162 SNMP Trap
• UDP/123 NTP
• TCP/123 NTP
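
An added example (not part of the original manual) that checks a firewall rule dump against the port list above and reports required ports that are missing as well as open ports the list does not call for. It assumes rules in iptables-save syntax, such as a host firewall on the CentOS server; the RAR's own rule format is not given in this document, and the sample rules and function names are constructed.

```python
"""Added example: audit an iptables-save rule dump against the port list above."""
import shlex

# (protocol, port) -> purpose, exactly as listed in this section.
REQUIRED_PORTS = {
    ("tcp", 80): "HTTP",
    ("tcp", 3873): "Catalog Interaction with the Server",
    ("tcp", 443): "SSL",
    ("tcp", 1098): "The RMI service bind address",
    ("tcp", 1099): "JNP server bind address",
    ("tcp", 4446): "RMI Object ports",
    ("tcp", 4457): "Alarms",
    ("tcp", 50010): "Alarms",
    ("udp", 161): "SNMP",
    ("udp", 162): "SNMP Trap",
    ("udp", 123): "NTP",
    ("tcp", 123): "NTP",
}

# Constructed sample in iptables-save syntax (not taken from a real system).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,3873 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1098:1099 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4446 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50010 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""


def _value(tokens, flag):
    """Return the token that follows flag, or None if flag is absent or last."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def expand_ports(spec):
    """Expand '80,443' or '1098:1099' (iptables list/range syntax) to a set."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if sep:                      # range; open ends default to 0 / 65535
            lo, hi = lo or "0", hi or "65535"
        else:
            hi = lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def accepted_ports(rules_text, chain="INPUT"):
    """Collect (protocol, port) pairs that ACCEPT rules in chain open."""
    allowed = set()
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or _value(tok, "-j") != "ACCEPT":
            continue
        proto = _value(tok, "-p")
        spec = _value(tok, "--dport") or _value(tok, "--dports")
        if proto is None or spec is None or "!" in tok:
            continue  # not a plain port rule; negated matches are not modelled
        allowed.update((proto, port) for port in expand_ports(spec))
    return allowed


def audit(rules_text, chain="INPUT"):
    """Return (missing, extra) as sorted 'proto/port' strings."""
    allowed = accepted_ports(rules_text, chain)
    required = set(REQUIRED_PORTS)

    def fmt(pairs):
        return ["%s/%d" % pair for pair in sorted(pairs)]

    return fmt(required - allowed), fmt(allowed - required)


if __name__ == "__main__":
    missing, extra = audit(SAMPLE_RULES)
    print("required but not open:", ", ".join(missing) or "none")
    print("open but not required:", ", ".join(extra) or "none")
```

In the constructed sample, tcp/22 is reported as extra because the list above omits it, even though this section manages the server over SSH.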

To install Allot NetXplorer Server on Linux:
1. Insert the Allot NetXplorer Server in the designated location of the SkyEdge II hub
rack. For detailed information, refer to the hub rack design and SkyEdge II Hub
Installation Guide (DC-4286-XX).
2. Connect the Allot NetXplorer Server to the Application Switch - VLAN 17 (see figure
below).

Figure 4: Connecting Allot NetXplorer Server to Application Switch in SkyEdge II System


For information on physical connections in SkyEdge system, see Section Installing
Allot AC-502 and AC-1400 in SkyEdge System (on page 135).

3. Connect the Allot NetXplorer Server to the KVM and power source.
4. Power on the Allot NetXplorer Server.
5. During the power-boot process, verify that the hard disk is in the RAID 1 mode.
6. Perform the procedure in Section Installing Kick-Start Image on Allot NetXplorer
Linux Server (on page 13).
7. Check the connectivity between the NetXplorer server and all the NetEnforcer
machines installed in the hub, as described in Section Checking Connectivity
(on page 15).
8. Verify normal operation of NetXplorer Server on Linux, as described in Section
Verifying Normal Operation of NetXplorer Server on Linux (on page 15).
9. Install the NetXplorer Accounting application, if required. For more information, see
Section Installing NetAccounting Application on NetXplorer Linux Server
(on page 16).

Installing Kick-Start Image on Allot NetXplorer Linux Server


This section explains how to install a Kick-Start image on the Allot NetXplorer Server
machine running Linux CentOS.
To install a Kick-Start image on the Allot NetXplorer Server machine:
1. Insert the DVD with the CentOS 5.5 Kick-Start image into the DVD-drive on the
Allot NetXplorer Server and boot the server from the DVD ROM.

While NetXplorer Server is rebooting, verify that the Intel RAID is Online
message is displayed. (This message may not appear on older hardware.)
In case the RAID indicates the Offline status, perform the Defining RAID
(on page 113) procedure. If the RAID is still not recognized by the Allot NetXplorer
Server machine, perform the procedure in Section Upgrading Allot NetXplorer
Server Firmware (on page 111).

The installation takes approximately 25 minutes, after which the DVD is ejected and
the system is automatically rebooted.
2. At the login prompt, type the username root and the password $SatCom$. The
NetXplorer Server GUI is opened.
3. Download the NXServer_post_install folder from the
\\gna2\shared\pituach\540\SW
modules\ServerFarm\Software\Allot\NXServer_post_install directory to the
NetXplorer Server machine.
4. From the NXServer_post_install folder, type the command ./centos_post.sh.
This script contains the following: RAID Driver installation, NTP installation and
configuration, Java jdk6.5.rpm, change TZ to GMT.


The Starting centos post-installation part is displayed:


After each part of the installation, a verification line is displayed as follows:
• NXLinux host name configuration…OK
• Eth0 IP configuration 172.17.7.1…OK
• NTP configuration…OK
• Java installation package…OK

In the NetXplorer rpm of version 12.3, the Java jdk.rpm file is included in the
NetXplorer software version. Therefore, when running the centos_post.sh script,
installation of the Java package results in an ERROR.

5. From the /tmp/NXServer_post_install folder, type the command rpm -ivh
netxplorer-12.3.0-10.i386.rpm (where 12.3.0-10.i386 represents the new
software version for the NetXplorer Server), then press Enter. This action installs
the NetXplorer Server application.
The installation process takes up to 60 minutes.

Do NOT reboot the device when the Reboot prompt is displayed.

6. When the installation process is completed, type the command
./nx_cache_memory_set.sh. This script adjusts the memory of the application
according to the physical memory installed.
7. Reboot the NetXplorer Server machine by typing the command init 6.
8. Log in to the NetXplorer Server machine and stop the netxplorer service with the
command service netxplorer stop.
9. From the /tmp/NXServer_post_install/DB_files folder, open the database for
AC-1400/502 by running the script ./Open_NX_AOS_DB.sh.
10. Restart the NetXplorer Server machine.
11. Run the ./ProtocolsPack.sh script from the /tmp/NXServer_post_install
folder, as described in Section Installing and Updating Allot Protocols Pack Version
on NetXplorer and NetEnforcer Machines (on page 20).
12. From the Management PC, open an Internet browser and type the IP address of the
NetXplorer Server machine (172.17.14.1 – SkyEdge system or 172.17.7.1 – for
SkyEdge II system).
13. Install the Java JDK. The NetXplorer Java Installation screen is displayed.


Figure 5: NetXplorer Java Installation Screen

14. In the NetXplorer Java Installation screen, select Microsoft Windows users
or All Other Users Download JRE From Sun. You are prompted to close the
browser.
15. Re-open the browser, type the NetXplorer Server IP address (172.17.14.1 –
SkyEdge system or 172.17.7.1 – for SkyEdge II system), and launch the
NetXplorer application.
16. At the Login prompt, type the username admin and the password $SatCom$.

Checking Connectivity
To check connectivity:
1. Connect via SSH to the Allot NetXplorer Server machine with user name root and
password $SatCom$.
2. Issue ping commands to all Allot NetEnforcer machines installed at the hub.
3. Verify that all ping commands are returned successfully.

Verifying Normal Operation of NetXplorer Server on Linux


To verify normal operation of NetXplorer server on Linux:
1. Open the NetXplorer application.
2. From the Help menu, select the About NetXplorer option and verify the installed
software version.
3. From the Tools menu, select the NetXplorer Application Server Registration
option and verify that the correct features are activated.

4. Select the NetEnforcers on your network and open the configuration dialog to check
that the NetXplorer is correctly communicating with the devices.
5. Build a real-time or long-term report (depending on the license purchased) and
verify a graph's functionality.

Installing NetAccounting Application on NetXplorer Linux Server


Currently, the NetAccounting application must be installed on a separate machine.

This procedure is optional. It is not relevant for the SkyEdge system.

• Prior to installing the NetAccounting application on the NetXplorer
Linux Server, connect the NetXplorer Linux Server to port 18 on the
Application switch and configure the port with access VLAN 17.
• Any customer using the NetAccounting application must get a proper
NetXplorer license to include the NetAccounting application within it.

To install the NetAccounting application on NetXplorer Linux Server:


1. Configure the ETH 0 interface with IP address 172.17.7.5 and mask
255.255.0.0.
2. Download the relevant <Accounting filename>.rpm package from the Allot website,
and store it on a removable drive or on the Management PC. To download the
package, perform either of the following:
• Connect to the NetAccounting Server machine using the SSH connection and
open the FTP connection to the Management PC.
• Connect a removable drive to the NetAccounting Server machine and copy the
.rpm package to the tmp folder.
3. To install the packages, type rpm -ivh <JDK filename>.rpm (version numbers
may differ).
After the installation is finished, the following output is displayed:

rpm -ivh accounting-manager-12.3.0-10.i386.rpm
Preparing... ########################################### [100%]
1: accounting-manager ########################################### [100%]
Installation finished.
Please set NetXplorer IP Address by running
accounting/bin/set_acct_nx_ip.sh.
Then, please reboot your device.

4. To set the NetXplorer IP address in order to enable the communication with the
NetAccounting Server, type /opt/allot/accounting/bin/set_acct_nx_ip.sh.
5. Reboot the NetAccounting Server machine.


6. When the NetAccounting Server machine is online, verify that NTP and
NetAccounting services are running. To start, stop, or check the status of the
services, run the following commands:
• service ntpd start
• service nxacct stop
• service nxacct status

For information on how to upgrade the NetXplorer Accounting application, see
Section Upgrading NetAccounting Application on NetXplorer Linux Server
(on page 117).

Verifying Operation of NetXplorer Accounting Application


To verify that NetXplorer Accounting is working correctly, perform the following steps:
1. Open the NetXplorer Server application
2. From the Tools menu, select NetXplorer Application Server Registration and
verify that NetAccounting is activated by the Allot license.
3. On the Navigation pane, select Network, right-click it, and select Configuration.
4. On the Configuration screen, select the NetAccounting tab.

Figure 6: Verifying Operation of NetAccounting Application

5. Verify that the Enabled Accounting checkbox is selected.
6. Verify that the path mentioned in the Export Directory field is as follows:
/opt/allot/accounting_export.
7. Log in to the Accounting Server and open the Export directory.
8. Verify that TRN files are recorded in the Export directory every 5 minutes or every
1 hour (depending on the configuration).
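
The check in steps 6 to 8 can be scripted on the Accounting Server. The following is an added example, not part of the original manual or of Allot's software. It assumes that export files carry "TRN" in their file name (the pattern is adjustable through the hypothetical TRN_PATTERN variable) and allows one minute of slack on top of the configured interval.

```shell
#!/bin/sh
# Added example: confirm that the NetAccounting export directory keeps
# receiving TRN files at the configured interval (5 or 60 minutes).
# Assumption: export files match the case-insensitive name pattern below.

EXPORT_DIR_DEFAULT=/opt/allot/accounting_export   # path given in step 6
TRN_PATTERN=${TRN_PATTERN:-'*trn*'}               # assumed naming, adjust if needed

# count_recent_trn DIR MINUTES
# Prints the number of TRN files modified less than MINUTES minutes ago.
count_recent_trn() {
    dir=$1
    minutes=$2
    find "$dir" -type f -iname "$TRN_PATTERN" -mmin "-$minutes" 2>/dev/null |
        wc -l | tr -d ' '
}

# check_trn_export [DIR] [INTERVAL_MINUTES]
# Returns 0 when at least one TRN file was written inside the window,
#         1 when the directory exists but the export looks stale,
#         2 when the directory is missing or unreadable.
check_trn_export() {
    dir=${1:-$EXPORT_DIR_DEFAULT}
    interval=${2:-5}

    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "FAIL: export directory $dir is missing or unreadable"
        return 2
    fi

    window=$((interval + 1))          # one minute of slack
    recent=$(count_recent_trn "$dir" "$window")
    total=$(find "$dir" -type f -iname "$TRN_PATTERN" | wc -l | tr -d ' ')

    if [ "$recent" -ge 1 ]; then
        echo "OK: $recent of $total TRN file(s) written in the last $window minutes"
        return 0
    fi

    echo "FAIL: no TRN file written in the last $window minutes ($total older file(s) present)"
    return 1
}
```

Call check_trn_export /opt/allot/accounting_export 5 (or 60 for the hourly configuration); a return code of 1 on a licensed, enabled system points at the nxacct service or at clock drift rather than at the export path.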


Installing Allot NetEnforcer Machine


Configuring IP Address
The console connection is used to configure the NetEnforcer IP address.

The default factory IP address of the NetEnforcer machine is 22.22.22.22.

To configure the IP address:


1. On the Management PC, open a Telnet connection to one of the Allot NetEnforcer
machines.
2. Open the Hyper Terminal connection.
3. In the Hyper Terminal connection, set the speed to 19200 Bits per second and Flow
Control to None.
4. At the user login prompt, enter sysadmin.
5. At the password prompt, enter sysadmin.
6. Type go config ips -ip [ip address]:[mask]. For example, go config ips
-ip 172.17.17.1:255.255.0.0.
7. Press Enter.
8. To verify that the IP address is configured, type go config view ips.
9. Press Enter.
10. To enable Telnet, type go config security -telnet enable.
11. To verify that the Telnet is enabled, type go config view security. The Telnet
and ping ssh are enabled.
12. Press Enter.

Perform the above procedure for the second NetEnforcer machine.

Physical Connections
This section describes physical connections of the Allot NetEnforcer machines in the
SkyEdge II system. For information on physical connections in SkyEdge system, see
Section Installing Allot AC-502 and AC-1400 in SkyEdge System (on page 135).


Each Network Segment contains two active Allot NetEnforcer (AC-1400 or
AC-502) machines without a Bypass unit between them.

To install an Allot NetEnforcer AC-1400/AC-502 machine in the SkyEdge II system:


1. Insert the NetEnforcer machines into the designated locations in the rack. For
detailed information, refer to the hub rack design and SkyEdge II Hub Installation
Guide (DC-4286-XX).

Figure 7: AC-1400 Physical Connections

Figure 8: AC-502 Physical Connections

2. Connect the two NetEnforcer machines to Satellite and Application switches, as
described in the table below.

Table 1: Physical Connections
NetEnforcer Machine   From Port           To Port
NS QoS 1              Internal 1          Port 39 on the Satellite Switch
                      External 1          Port 10 on the Application Switch
                      Internal 2 (Sync)   Internal 2 of QoS 2 (Sync)
                      External 2 (Sync)   External 2 of QoS 2 (Sync)
NS QoS 2              Internal 1          Port 40 on the Satellite Switch
                      External 1          Port 11 on the Application Switch

3. Power on the two Allot NetEnforcer machines.

In case one of the Sync cables is disconnected for any reason, a disruption of
synchronization between the two NetEnforcer machines is indicated. However,
there is no influence on the actual traffic link.

Installing and Updating Allot Protocols Pack Version on NetXplorer and NetEnforcer Machines
Installing and Updating Protocols Pack Version on NetXplorer Linux Server
This section describes how to install and update the NetXplorer Server Protocols Pack
version installed on Linux OS.

This procedure must be performed after completing the Kick-Start Image
installation.

To install and update Allot Protocols Pack on NetXplorer Linux Server:


1. On the NetXplorer Linux Server, go to NXServer_post_install folder by typing the
command cd /tmp/NXServer_post_install.
2. Perform either of the following actions:
• Run the ProtocolsPack.sh script by the command ./ProtocolsPack.sh.
• To manually extract the files (instead of executing the script), perform the
following:
a. Log in to the NetXplorer Server machine.
b. Run the following commands:

mkdir /root/APU
cd /root/APU/
mkdir ProtocolsPack
cd /tmp/NXServer_post_install
unzip -j ProtocolsPack.zip -d /root/APU/ProtocolsPack/

3. Go to the /root/APU/ProtocolsPack folder and verify that several zip files and
one xml file (web_update_site.xml) have been created in this folder.


The web_update_site.xml file defines the current protocol pack version and the
next one to be installed. The ZIP files contain the Protocol Packs for installation;
only the most recent Protocol Pack is installed (older packs are used in case
a rollback is required).
4. On the NetXplorer Server application GUI, select
Tools > Protocol Updates > From Local Package.
5. In the dialog box, type in the Protocol Pack path (/root/APU/ProtocolsPack),
and click Next. A dialog box with all available updates is displayed.
6. Click Update Now to begin the update process.
7. Upon successful process completion, click Next to upgrade the NetEnforcers in the
network (on page 21).

For more information on Protocols Pack, see
\\gna2\pituach\Delivery\System&Solutions\NetaM\Allot\Protocol Pack\PP3 19
Release Notes_v1.pdf.
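
The verification in step 3 of the procedure above can be scripted before the folder is handed to the GUI update dialog. The following is an added example, not part of the original manual or of ProtocolsPack.sh. It assumes that "several zip files" means at least one, and the optional PP_TEST_ARCHIVES switch is a hypothetical name introduced here.

```shell
#!/bin/sh
# Added example: verify the result of the manual Protocols Pack extraction
# (unzip -j ... -d /root/APU/ProtocolsPack/) against what step 3 expects:
# several zip files plus exactly one xml file, web_update_site.xml.

PP_DIR_DEFAULT=/root/APU/ProtocolsPack   # folder named in the procedure

# verify_protocols_pack [DIR]
# Returns 0 when the folder looks as step 3 describes,
#         1 when a check fails, 2 when the folder does not exist.
verify_protocols_pack() {
    pp_dir=${1:-$PP_DIR_DEFAULT}
    if [ ! -d "$pp_dir" ]; then
        echo "FAIL: $pp_dir does not exist (extraction not run?)"
        return 2
    fi
    status=0

    # Exactly one xml file, and it must be a non-empty web_update_site.xml.
    xml_count=$(find "$pp_dir" -maxdepth 1 -type f -name '*.xml' | wc -l | tr -d ' ')
    if [ "$xml_count" -ne 1 ] || [ ! -s "$pp_dir/web_update_site.xml" ]; then
        echo "FAIL: expected one non-empty web_update_site.xml, found $xml_count xml file(s)"
        status=1
    fi

    # At least one non-empty zip file (assumption for "several").
    zip_count=0
    for z in "$pp_dir"/*.zip; do
        [ -f "$z" ] || continue
        zip_count=$((zip_count + 1))
        if [ ! -s "$z" ]; then
            echo "FAIL: $z is empty"
            status=1
        elif [ "${PP_TEST_ARCHIVES:-0}" = 1 ] && command -v unzip >/dev/null 2>&1; then
            # Optional integrity test of each pack with unzip's own test mode.
            unzip -tq "$z" >/dev/null 2>&1 || { echo "FAIL: $z fails unzip -t"; status=1; }
        fi
    done
    if [ "$zip_count" -lt 1 ]; then
        echo "FAIL: no zip files found in $pp_dir"
        status=1
    fi

    # unzip -j discards archive paths, so no subdirectory should exist here.
    dir_count=$(find "$pp_dir" -mindepth 1 -type d | wc -l | tr -d ' ')
    if [ "$dir_count" -ne 0 ]; then
        echo "FAIL: $dir_count subdirectory(ies) found; was unzip run without -j?"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: web_update_site.xml and $zip_count zip file(s) in $pp_dir"
    return "$status"
}
```

Run verify_protocols_pack with no argument on the NetXplorer Server to check /root/APU/ProtocolsPack; set PP_TEST_ARCHIVES=1 to also test each archive for corruption.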

Upgrading NetEnforcer Machine with New Protocols Pack Version


This section describes how to update a NetEnforcer machine with the newest Protocols
Pack version.
• After updating the NetXplorer Server, the Protocol Updates Wizard screen is
displayed. You may select to upgrade all, some, or none of the NetEnforcers.


Figure 9: Upgrading NetEnforcer Machine with New Protocol Pack Version

• To add the Protocols Pack manually to a NetEnforcer machine, on the NetXplorer
Server application GUI, select Tools > Protocol Updates > Install to Devices.

For information on updating individual NetEnforcers, see NetXplorer Centralized,
Proactive Management of All Network Traffic Operation Guide, P/N D357102
R7, Allot Communications LTD.

• After a NetEnforcer’s Service Catalog has been updated, the new Protocols Pack
version will be indicated in the Identification and Keys tab of the Configuration
screen.

Synchronizing Allot NetXplorer and NetEnforcer Clocks

Make sure that the NetXplorer and NetEnforcer clocks and time zones are
synchronized.
If clocks are not synchronized, the real-time monitoring tool will not be operational.


To synchronize the clocks:


1. On the Management PC, open a Telnet connection to one of the Allot NetEnforcer
machines.
2. At the user login prompt, enter sysadmin.
3. At the password prompt, enter sysadmin.
4. Type go config ips -ts 172.17.7.1 [for SkyEdge II] or 172.17.14.1 [for
SkyEdge]. The NetXplorer server and NetEnforcer machine are synchronized.
5. Perform the steps 1 - 4 for the second NetEnforcer machine.
6. Verify that the NetXplorer server and NetEnforcer machine are synchronized.
a. On the desktop tray of the NetXplorer Server machine, double-click the clock
icon. The Date and Time Properties screen is displayed.
b. Verify the time and time zone.
c. On the NetXplorer Navigation pane, select NS1 QoS 1.
d. To open the Configuration panel, right-click the NS1 QoS 1 and select
Configuration from the drop-down menu.
e. The Configuration screen with the General tab parameters is displayed.
f. Select the Date/Time tab. The Date/Time tab parameters are displayed.

Figure 10: Synchronizing Allot NetXplorer and NetEnforcer Clocks

g. Verify that the time and time zone set on the NS1 QoS 1 are the same as on the
NetXplorer server.
h. Perform the steps c - g for the NS1 QoS 2.


If you encounter a problem during the clock synchronization process, refer to
Section Troubleshooting Clock Synchronization Issues (on page 90).

Synchronizing Allot NetXplorer Server Linux Machine and NMS Timezone
The timezone on the NetXplorer Server machine must be the same as on the NMS.
To synchronize the timezone:
1. Log in to the NetXplorer Server machine (directly, not via Management PC).
2. On the desktop tray of the NetXplorer Server machine, double-click the clock icon.
The Date and Time Properties screen is displayed.
3. Select the Time Zone tab.
4. Uncheck the System Clock Uses UTC checkbox.
5. Click Apply.
6. Click OK.

Enabling QoS on DPS


For the Allot NetXplorer Server to be recognized by the SkyEdge II system, the DPS
must be configured accordingly.
To enable QoS on DPS:
1. In the NMS HUB View window, double-click the DPS icon or right-click the DPS
icon and select Configuration > Configuration from the menu. The DPS
Configuration window is displayed.
2. In the DPS tree, select the Satellite node. The Satellite panel is displayed.


Figure 11: Enabling QoS on DPS

3. From the QoS Server installed drop-down list, select Yes. The QoS server Login
parameters become available.
4. In the QoS Server IP address field, type in the IP address of the QoS Server
machine.
5. In the QoS Server User Name field, type in sysadmin.
6. In the QoS Server Password field, type in sysadmin.
7. Click the Save button.
8. Click the Commit button. The Commit Configuration confirmation box is
displayed.
9. Click Commit. The Apply Changes dialog box is displayed.
• Click Reboot Now to apply the changes and reboot the DPS immediately.
• Click Let Me Reboot Later to apply the changes on the next reboot.

Chapter 3: Configuring Active Redundancy

In This Section
Configuration Overview, page 27
Configuring Networking Attributes on AC-1400 NetEnforcer Machine, page 27
Configuring Networking Attributes on AC-502 NetEnforcer Machine, page 28
Configuring Ports, page 30

Configuration Overview
To configure the Active Redundancy, perform the actions in the following order:
1. Configure Networking Attributes on AC-1400 NetEnforcer Machine (on page 27).
OR
2. Configure Networking Attributes on AC-502 NetEnforcer Machine (on page 28).
3. Configure Ports (on page 30).

Configuring Networking Attributes on AC-1400 NetEnforcer Machine

Perform the Networking configuration sequentially on both NetEnforcer machines.

To configure NIC Active Redundancy:


1. On the Navigation pane, select NS1 QoS 1.
2. To open the Configuration panel, perform either of the following actions:
• Right-click the NS1 QoS 1 and select Configuration from the drop-down
menu.
OR
• On the toolbar, click the Configuration button.
The Configuration screen with the General tab parameters is displayed.
3. Select the Networking tab. The Networking tab parameters are displayed.


Figure 12: Configuring NIC Active Redundancy on NS1 QoS1

4. From the Redundancy Mode drop-down list, select the Active option.
5. Verify that the Enable Bypass Unit checkbox is NOT selected.
6. Configure the ports as described in Section Configuring Ports (on page 30).

Configuring Networking Attributes on AC-502 NetEnforcer Machine

Perform the Networking configuration sequentially on both NetEnforcer machines.

To configure NIC Active Redundancy:


1. On the Navigation pane, select NS1 QoS 1.
2. To open the Configuration panel, perform either of the following actions:
• Right-click the NS1 QoS 1 and select Configuration from the drop-down
menu.
OR
• On the toolbar, click the Configuration button.
The Configuration screen with the General tab parameters is displayed.
3. Select the Networking tab. The Networking tab parameters are displayed.


Figure 13: Configuring NIC Active Redundancy on NS1 QoS1

In case the AC-502 machine is stuck in the Standalone Redundancy mode,
perform the procedure described in Section Changing Redundancy Mode
(on page 90).
In case the AC-502 is configured with network Bypass, perform the procedure
described in Section Disabling Network Bypass Unit (on page 90).

On the Navigation pane, select NS1 QoS 2.


4. To open the Configuration panel, perform either of the following actions:
• Right-click the NS1 QoS 2 and select Configuration from the drop-down
menu.
OR
• On the toolbar, click the Configuration button.
The Configuration screen with the General tab parameters is displayed.
5. Select the Networking tab. The Networking tab parameters are displayed.


Figure 14: Configuring NIC Active Redundancy on AC-502

6. From the Redundancy Mode drop-down list, select the Active option.
7. Verify that the Enable Bypass Unit checkbox is selected.
Alternatively, to enable the Bypass Unit on the secondary NetEnforcer, open a
Telnet connection to the NetEnforcer machine and type the go config network
bypass_unit enable command.

8. Configure the ports as described in Section Configuring Ports (on page 30).

Configuring Ports
External/Internal 0 (i.e., External/Internal 1 on the Allot AC-1400/AC-502 module's
interface) are used for passing actual traffic and connecting the NetEnforcer machines
to the corresponding switches.
External/Internal 1 (i.e., External/Internal 2 on the Allot AC-1400/AC-502 module's
interface) are used for synchronizing traffic between the NetEnforcer machines. Traffic
that passes between NetEnforcer machines is not sent to adjacent network devices. It
is used only for monitoring and classification purposes.
To configure ports:
1. In the Configuration screen, select the NIC tab. The NIC tab parameters are
displayed.


Figure 15: Configuring Port Properties - 1

2. Double-click anywhere in the EXTERNAL0 row. The Port Properties dialog box is
displayed.

Figure 16: Configuring Port Properties - 2

3. In the Port Properties dialog box:
a. From the Action on failure drop-down list, select the Fail paired port option.
This option means that if the External NIC fails, the system will shut down its
Internal counterpart (and vice versa).
b. Leave the remaining parameters (Speed / Duplex Mode / Port Usage) with their
default values.


c. Click Apply.
4. Perform the steps 2 and 3 for the INTERNAL0 port.
5. Double-click anywhere in the EXTERNAL1 row. The Port Properties dialog box is
displayed.

Figure 17: Configuring Port Properties - 3

6. In the Port Properties dialog box:
a. From the Action on failure drop-down list, select the No action option. This
option means that no action will be taken if the NIC fails.
b. Verify that the Port Usage is set to Cloned (HA).
c. Leave the remaining parameters (Speed / Duplex Mode) with their default values.
d. Click Apply.
7. Perform the steps 5 and 6 for the INTERNAL1 port.
8. Click the Save button. The Save and Reboot system message is displayed.

Figure 18: Save and Reboot System Message

9. Click Yes. The Confirmation system message is displayed.

Figure 19: Confirmation System Message


10. Click OK. The system reboots.
11. Wait until the reboot sequence is completed and verify that the system changes are
activated from the Configuration tab.

Chapter 4: Checking Test VSAT QoS Functionality

In This Section
Overview, page 35
Displaying MPN and SLA Configuration, page 35
Activating Real-Time Monitoring, page 37
Removing Test VSAT from VGroup 2, page 40
Adding a Test VSAT to VGroup1, page 41
Removing Test VSAT from VGroup 1, page 42
Adding Test VSAT to VGroup 3, page 43
Removing Test VSAT from VGroup 3, page 43
Adding Test VSAT to VGroup 2, page 43

Overview
By default, there are three MPNs defined for each Allot NetEnforcer. There are three
SLAs defined in MPN1: Silver, Gold, and Platinum. MPN1 contains three VSAT Groups;
each group belongs to one SLA. The test VSAT (VSAT 2001) is configured in MPN1,
VGroup 2 and is assigned Gold SLA.
This section describes how to test the system QoS functionality using the test VSAT.
During the tests, the bandwidth will be measured for test VSAT with Gold SLA. Then the
test VSAT will be moved to Silver SLA and the traffic will be measured. Finally, the test
VSAT will be moved to Platinum SLA and the traffic will be measured.

Changes made on one of the Allot NetEnforcer machines are not automatically
saved on the second machine.
To update the second machine with the configuration changes:
• Open the Allot Communications application on the Allot NetXplorer.
• On the Network tab, right-click the name of the Allot NetEnforcer
machine (NS1 QoS1 or NS1 QoS2) and select Policy Distribution.

Displaying MPN and SLA Configuration


To display MPN and SLA configuration:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, expand the NS1QoS1 MPN1 nodes.


Figure 20: NS1 QoS1 and MPN1 - Expanded View

3. Click the Policy Editor icon. The NS1 QoS 1 MPN1 Policy Editor screen opens.

Figure 21: NS1 QoS 1 Policies

The default policies for MPN1 are as follows:

SLA/Pipe    Policy
Silver      256 Kbps
Gold        512 Kbps
Platinum    1024 Kbps


Activating Real-Time Monitoring


The Real-Time monitoring tool provides real-time data, enabling you to monitor
applications and protocols to enforce the most suitable QoS policy.
In Real-Time monitoring, data is available for four hours at 30-second resolution and
for two days at 5-minute resolution.
To activate real-time monitoring:
1. In the Network tree view, right-click the NS1 QoS 1 node and select Real-Time
Monitoring > Pipes from the pop-up menu. The Real-Time Monitoring: Pipes
screen with the Time tab options is displayed.

Figure 22: Setting Time Parameters

2. In the Time tab, set the Date and Time Range and Data Resolution.
3. Select the Objects tab. The Objects tab options are displayed.


Figure 23: Selecting Pipes

4. In the Available Pipes section, click anywhere on the screen to activate the
contents.
5. Expand the NS1 QoS 1 tree view and select the required Pipe(s) type(s).
6. Drag it to the Selected Pipes section using the Arrow button.
7. Expand the NS1 QoS 2 tree view and select the same Pipe(s) type(s).
8. Drag it to the Selected Pipes section using the Arrow button.
9. Select the Limits tab. The Limits tab options are displayed.


Figure 24: Setting Limits

10. Select the required Limit option's checkbox to activate the corresponding list of
options.
11. Select the Display tab. The Display tab options are displayed.


Figure 25: Setting Data View

12. Select the required Data Mode to show data by Rate or by Volume.
13. Click OK. The graph is displayed.

It is recommended to apply the Automatic Update option by right-clicking the graph
and selecting Start Automatic Update from the pop-up menu. The corresponding
icon appears by the title of the graph.

14. Start generating traffic on the test VSAT(s). It is recommended to use FTP or
HTTP traffic on the Outbound.
15. Verify that the traffic bandwidth of the test VSAT(s) matches the relevant SLA pipe
and the policy.

Removing Test VSAT from VGroup 2


To remove Test VSAT from VGroup 2:
1. Click the Catalogs tab. The Catalog screen is displayed.
2. In the left pane, click Host. The Host list is displayed in the right pane.


Figure 26: Host View

3. In the right pane, double-click the VGroup (VGroup2) icon where the test VSAT is
defined. The Host Group Entry Properties window is displayed.

Figure 27: Removing a VSAT from VGroup 2

4. Select VSAT_2001 from the list and click Remove.
5. In the Host Group Entry Properties window, click Save and close the window.

Adding a Test VSAT to VGroup1


To add the Test VSAT to VGroup1:
1. Click the Host tab.


2. In the right pane, double-click the VGroup icon (VGroup1) to which the test VSAT
will be moved. The Host Group Entry Properties window is displayed.

Figure 28: Host Group Entry Properties

3. Click Add. The Add Group Items window is displayed.

Figure 29: Add Group Items Dialog Box

4. Select the test VSAT (VSAT_2001) and click OK. The test VSAT is added to the
selected VGroup.
5. Check the traffic by building the graph using the Real-Time monitoring tool.
6. Leave the graph open.

Removing Test VSAT from VGroup 1


Remove the test VSAT from VGroup 1, as described in Section Removing Test VSAT from
VGroup 2 (on page 40).


Adding Test VSAT to VGroup 3


To add the test VSAT to VGroup 3:
1. Add the test VSAT to VGroup 3, as described in Section Adding a Test VSAT to VGroup1
(on page 41).
2. Check the traffic by building the graph using the Real-Time monitoring tool.

Removing Test VSAT from VGroup 3


Remove the test VSAT from VGroup 3, as described in Section Removing Test VSAT
from VGroup 2 (on page 40).

Adding Test VSAT to VGroup 2


Add the test VSAT to VGroup 2, as described in Section Adding a Test VSAT to VGroup1
(on page 41).

Chapter 5: Testing Active Redundancy

In This Section
Testing Active Redundancy on Satellite Switch
Testing Active Redundancy on Application Switch
Verifying Active Redundancy on NetEnforcer Machine
Verifying Active Redundancy System Status
Verifying Bypass (Internal) Unit on AC-502 (QoS2) NetEnforcer Machine

Testing Active Redundancy on Satellite Switch


Perform the Active Redundancy test procedures on the Satellite Switch:
• Verifying Configuration on Satellite Switch (on page 45)
• Verifying Flex-Link Status on Satellite Switch (on page 46)
• Verifying UDLD Configuration on Satellite Switch (on page 46)
• Understanding LEDs Status on Satellite Switch (on page 46)

Verifying Configuration on Satellite Switch


To verify that the Active Redundancy is configured on the Satellite switch:
1. Log on to the Satellite switch (172.17.8.1) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type show run.
5. Verify that the following configuration lines exist in the global configuration of the
switch port channel 1 and 2:
errdisable recovery cause udld
errdisable recovery interval 30

6. Verify that the following configuration lines exist in the Gigabit Ethernet 0/39
interface section (and on each NS QoS primary port connected):
switchport backup interface gigabitethernet0/40 preemption mode forced
udld port aggressive

7. Verify that the following configuration line exists in the Gigabit Ethernet 0/40
interface section:
udld port aggressive

If the above configuration line does not appear, add it and save the configuration
file.


Verifying Flex-Link Status on Satellite Switch


To verify the Flex-Link Status on the Satellite switch:
1. Log on to the Satellite switch (172.17.8.1) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type sh int switchport backup. The output is as follows:
• Active - Up
• Backup - Standby

On any change of the NetEnforcer machine status (e.g., NS1 QoS 1 is set to
Bypass or Inactive), the output of the above command will be:
• Active - Down
• Backup - Up

Verifying UDLD Configuration on Satellite Switch


To verify the UDLD configuration entries on the Satellite switch:
1. Log on to the Satellite switch (172.17.8.1) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type show udld <interface-id>.

Understanding LEDs Status on Satellite Switch


When the QoS system powers up after being configured for Active Redundancy, make
note of the LEDs located by the Satellite switch ports.

Port      LED Color   Link Status   Traffic Status
Port 39   Green       Up            Active
          Off         Down          Non-operational
Port 40   Orange      Up            Standby
          Green       Up            Active

Testing Active Redundancy on Application Switch


Perform the Active Redundancy test procedures on the Application Switch:
• Verifying Configuration on Application Switch (on page 47)
• Verifying Flex-Link Status on Application Switch (on page 47)
• Verifying UDLD Configuration on Application Switch (on page 48)
• Understanding LEDs Status on Application Switch (on page 48)

Verifying Configuration on Application Switch


To verify that the Active Redundancy is configured on the Application switch:
1. Log on to the Application switch (172.17.8.2) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type show run.
5. Verify that the following configuration lines exist in the global configuration of the
switch:
errdisable recovery cause udld
errdisable recovery interval 30

6. Verify that the following configuration lines exist in the Gigabit Ethernet 0/10
interface section (and on each NS QoS secondary port connected):
switchport backup interface gigabitethernet0/11 preemption mode forced
udld port aggressive

7. Verify that the following configuration line exists in the Gigabit Ethernet 0/11
interface section:
udld port aggressive

If the above configuration line does not appear, add it and save the configuration
file.
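
The configuration checks in the two procedures above (Satellite switch and Application switch) can be run against a saved copy of the show run output. The following Python is an added example, not part of the Gilat or Allot documentation; the function names and both sample configurations are constructed for illustration.

```python
import re

# Required lines, as listed in the two verification procedures above.
GLOBAL_REQUIRED = ("errdisable recovery cause udld", "errdisable recovery interval 30")
ROLE_PORTS = {  # role -> (primary, backup) Gigabit Ethernet port
    "satellite": ("0/39", "0/40"),
    "application": ("0/10", "0/11"),
}

def _norm(line):
    """Lowercase and collapse whitespace so spacing and case do not matter."""
    return " ".join(line.lower().split())

def _port_id(name):
    """Reduce 'GigabitEthernet0/39', 'gigabitethernet 0/39' or 'Gi0/39' to '0/39'."""
    m = re.fullmatch(r"gi(?:gabitethernet)?\s*(\d+/\d+)", _norm(name))
    return m.group(1) if m else None

def parse_show_run(text):
    """Split 'show run' text into global lines and per-port interface sections."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.lower().startswith("interface "):
            current = _port_id(raw.split(None, 1)[1])
            if current is not None:
                interfaces[current] = []
        elif raw[0].isspace():
            if current is not None:      # indented line inside a tracked interface
                interfaces[current].append(_norm(raw))
        else:
            current = None               # back at global configuration level
            global_lines.append(_norm(raw))
    return global_lines, interfaces

def check_active_redundancy(show_run_text, role):
    """Return the required lines that are missing; an empty list means all were found."""
    primary, backup = ROLE_PORTS[role]
    global_lines, interfaces = parse_show_run(show_run_text)
    missing = [f"global: {line}" for line in GLOBAL_REQUIRED if line not in global_lines]

    # Primary port: Flex-Link backup must point at the backup port with forced preemption.
    flex_link = re.compile(r"switchport backup interface (.+) preemption mode forced")
    has_flex_link = False
    for line in interfaces.get(primary, []):
        m = flex_link.fullmatch(line)
        if m and _port_id(m.group(1)) == backup:
            has_flex_link = True
    if not has_flex_link:
        missing.append(f"Gi{primary}: switchport backup interface "
                       f"gigabitethernet{backup} preemption mode forced")

    # Both ports of the pair must run UDLD in aggressive mode.
    for port in (primary, backup):
        if "udld port aggressive" not in interfaces.get(port, []):
            missing.append(f"Gi{port}: udld port aggressive")
    return missing

# Constructed sample: a Satellite switch configuration that satisfies every check.
SATELLITE_OK = """\
hostname sat-switch
errdisable recovery cause udld
errdisable recovery interval 30
!
interface GigabitEthernet0/39
 switchport backup interface gigabitethernet0/40 preemption mode forced
 udld port aggressive
!
interface GigabitEthernet0/40
 udld port aggressive
!
"""

# Constructed sample: an Application switch with three of the required lines absent.
APPLICATION_BAD = """\
errdisable recovery cause udld
!
interface GigabitEthernet0/10
 switchport backup interface GigabitEthernet0/11
 udld port aggressive
!
interface GigabitEthernet0/11
 description to NS QoS2
!
"""

if __name__ == "__main__":
    for label, text, role in (("satellite", SATELLITE_OK, "satellite"),
                              ("application", APPLICATION_BAD, "application")):
        result = check_active_redundancy(text, role)
        print(label, "OK" if not result else result)
```
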

Verifying Flex-Link Status on Application Switch


To verify the Flex-Link Status on the Application switch:
1. Log on to the Application switch (172.17.8.2) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type sh int switchport backup. The output is as follows:
• Active - Up
• Backup - Standby

On any change of the NetEnforcer machine status (e.g., NS1 QoS 1 is set to
Bypass or Inactive), the output of the above command will be:
• Active - Down
• Backup - Up

Verifying UDLD Configuration on Application Switch


To verify the UDLD configuration entries on the Application switch:
1. Log on to the Application switch (172.17.8.2) via Telnet.
2. In the User Name field, type switch.
3. In the Password field, type $SatCom$.
4. Type show udld <interface-id>.

Understanding LEDs Status on Application Switch


When the QoS system powers up after being configured for Active Redundancy, make
note of the LEDs located by the Application switch ports.

Port      LED Color   Link Status   Traffic Status
Port 10   Green       Up            Active
          Off         Down          Non-operational
Port 11   Orange      Up            Standby
          Green       Up            Active

Verifying Active Redundancy on NetEnforcer Machine


To verify the active redundancy on the NetEnforcer machine:
1. Verify that the LED indicating the link between the INTERNAL1 and EXTERNAL1
interfaces on the NetEnforcer machines is green.
2. On the Management PC, open the NetXplorer Server application GUI.
3. On the Navigation pane, select the NS1 QoS1 option, right-click it and select
Configuration. The Configuration screen is displayed.
4. Select the NIC tab.
5. Verify that the link is detected for all interfaces.

Verifying Active Redundancy System Status


To verify the Active Redundancy system status:
1. Log on to the QoS1 NetEnforcer machine via Telnet.
2. In the prompt, type go config view network.
3. Press Enter. The Network status is displayed.


sysadmin@host-prc:~$ go config view network


==== Network ====
Redundancy Mode active
Bypass Unit Configuration disable
Bypass Unit Detection N/A
System Status active
Cards list :
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |CC |ON |ACTIVE
--------------------------------------------
Request completed successfully.

4. Verify the following parameters:
• Redundancy Mode is set to active.
• Bypass Unit Configuration is set to disable.
• Bypass Unit Detection is set to N/A.
• System Status is set to active.
5. Close the Telnet window.

Below are the steps that must be performed for the AC-502 NetEnforcer machine
only.

6. Log on to the QoS2 NetEnforcer machine via Telnet.


7. In the prompt, type go config view network.
8. Press Enter. The Network status is displayed.

sysadmin@host-prc:~$ go config view network


==== Network ====
Redundancy Mode active
Bypass Unit Configuration enable
Bypass Unit Detection primary
System Status active

Cards list :
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |CC |ON |ACTIVE
--------------------------------------------
Request completed successfully.

9. Verify the following parameters:
• Redundancy Mode is set to active.
• Bypass Unit Configuration is set to enable.
• Bypass Unit Detection is set to primary.
• System Status is set to active.
10. Close the Telnet window.
11. Proceed to the procedure described in Section Verifying Bypass (Internal) Unit on
AC-502 (QoS2) NetEnforcer Machine (on page 50).
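
The parameter checks in steps 4 and 9 above can be applied to captured go config view network output. The following Python is an added example, not part of the Gilat or Allot documentation; the function names are illustrative, the QoS1 sample reproduces the output shown above, the QoS2 sample is constructed, and treating a missing "Request completed successfully." line as a finding is an assumption.

```python
# Expected values per machine, taken from steps 4 and 9 of the procedure above.
EXPECTED = {
    "QoS1": {"Redundancy Mode": "active", "Bypass Unit Configuration": "disable",
             "Bypass Unit Detection": "N/A", "System Status": "active"},
    "QoS2": {"Redundancy Mode": "active", "Bypass Unit Configuration": "enable",
             "Bypass Unit Detection": "primary", "System Status": "active"},
}
DONE_MARKER = "Request completed successfully."

def parse_network_view(output):
    """Return (fields, cards, completed) parsed from 'go config view network' output."""
    fields, cards, header = {}, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("|"):
            # Card table: the first '|' row is the header, later rows are cards.
            cells = [c.strip() for c in line.strip("|").split("|")]
            if header is None:
                header = cells
            else:
                cards.append(dict(zip(header, cells)))
            continue
        for key in EXPECTED["QoS1"]:
            # Keys contain spaces, so match on the known key and take the remainder.
            if line.startswith(key + " "):
                fields[key] = line[len(key):].strip()
                break
    return fields, cards, DONE_MARKER in output

def check_status(output, machine):
    """Return the mismatches against the expected values; empty list means all match."""
    fields, _cards, completed = parse_network_view(output)
    problems = []
    for key, want in EXPECTED[machine].items():
        got = fields.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    if not completed:
        # Assumption of this example: truncated output should not count as a pass.
        problems.append(f"output does not contain {DONE_MARKER!r}")
    return problems

# QoS1 output as shown in the procedure above.
QOS1_OUTPUT = """\
sysadmin@host-prc:~$ go config view network

==== Network ====
Redundancy Mode active
Bypass Unit Configuration disable
Bypass Unit Detection N/A
System Status active
Cards list :
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |CC |ON |ACTIVE
--------------------------------------------
Request completed successfully.
"""

# Constructed QoS2 output in which the bypass unit is enabled but not detected.
QOS2_BAD_OUTPUT = """\
==== Network ====
Redundancy Mode active
Bypass Unit Configuration enable
Bypass Unit Detection N/A
System Status active
Cards list :
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |CC |ON |ACTIVE
--------------------------------------------
Request completed successfully.
"""

if __name__ == "__main__":
    print("QoS1:", check_status(QOS1_OUTPUT, "QoS1") or "OK")
    print("QoS2:", check_status(QOS2_BAD_OUTPUT, "QoS2") or "OK")
```
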

Verifying Bypass (Internal) Unit on AC-502 (QoS2) NetEnforcer Machine

Perform the procedure described in this section only after switching traffic from
AC-502 QoS1 to AC-502 QoS2 NetEnforcer machine.
Perform this procedure for the SkyEdge system in accordance with the Flex-Links
configuration. For more information, see Section Installing Allot AC-502 and
AC-1400 in SkyEdge System (on page 135).

To verify the Bypass (Internal) Unit on the QoS2 NetEnforcer machine:


1. Issue pings from an external PC (connected to the Application switch) to a PC
behind a VSAT.
2. Perform a switchover from QoS1 to QoS2 NetEnforcer machine by shutting the
Gi0/39 port on the Satellite switch.
3. While traffic is passing through the QoS2 machine, shut down the QoS2 NetEnforcer
machine.
4. Check whether pings are still running between the external PC (connected to the
Application switch) and a PC behind a VSAT.
5. Proceed to the procedure described in Section Reverting from Bypass (Internal) Unit
and Resuming Traffic Transmission (on page 50).

Reverting from Bypass (Internal) Unit and Resuming Traffic Transmission


To revert from the Bypass (Internal) unit on the AC-502 QoS2 NetEnforcer machine
and resume traffic transmission on the AC-502 QoS1 NetEnforcer machine:
1. Power up the QoS2 NetEnforcer machine.
2. Check whether pings are still running between the external PC (connected to the
Application switch) and a PC behind a VSAT.
3. Open a telnet session on the QoS2 NetEnforcer machine and type acmon to verify
that traffic is passing through the QoS2 NetEnforcer machine.
4. Open a telnet session on the Satellite switch and open the Gi0/39 port, and then
save the configuration.
5. Open a telnet session on the QoS1 NetEnforcer machine and type acmon to verify
that traffic has resumed passing through the QoS1 NetEnforcer machine.

Chapter 6: Configuring QoS System

In This Section
Recommended QoS Techniques
Configuring Catalog Entries
Defining Policies
Applying Policy Distribution

Recommended QoS Techniques


Catalog Definition
The following Objects should be defined:
• Host – VSAT subnet
• Host Group – Group of VSATs that use the same SLA
• QoS – Action item where traffic-shaping (e.g., MIR, CIR, CBR) is defined
• Service – Protocol-based traffic signature used for classifying applications
Other Objects that can be defined include VLANs, TOS, and Time of day.

Classification Level Hierarchy


The following levels should be defined:
• Outbound – NetEnforcer level (all traffic passing through the device)
• MPN – Collection of pipes that receive the same Line-level QoS
• VSAT (subnet) – Pipe-level template defined for one SLA
• Application – VC (Virtual Channel) level defined under a VSAT

Policy Creation at Each Classification Level


A QoS Policy can be applied to various Objects at the following levels:
• NetEnforcer (Outbound) – An MIR can be specified for all Outbound traffic. In a
SkyEdge II network with ACM, this MIR can change dynamically.
• Line (MPN) – This level represents predefined Pipe policies. Its classification is
determined by the Pipe policies defined under it. The Line policy is applied to a QoS
(action) Object.
• Pipe (SLA/VSAT template) – This level’s classification is specified by the IP subnets
that belong to a Host Group. The Host Group catalog Object represents VSATs with
the same SLA. The Pipe policy is applied to a QoS (action) Object.
• VC (Application) – The VC classification is determined by applications or protocols
using a Service. The VC policy is assigned to a QoS (action) Object.


Pipe and VC level policies can be based on other classifications such as VLAN,
ToS, and Time. However, after a connection is established, dynamic changes to its
ToS will not affect the policy for that connection.

Configuring Catalog Entries


The NX Image for version 11.1.0 (and higher) contains the following Catalog Enhanced
Entries:
• Enhanced Line - see Section Defining Enhanced QoS for Lines (on page 55).
• Enhanced Pipe - see Section Defining Enhanced QoS for Pipes (on page 57).
• Enhanced Virtual Channel - see Section Defining Enhanced QoS for Virtual Channels
(on page 60).

Defining VSAT (Subnet)


To configure VSAT subnet:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, select the Host node.
3. Right-click anywhere in the Host table and select New Host List.

Figure 30: New Host List Option

The Host List Entry Properties window is displayed.


Figure 31: Host List Entry Properties

4. In the Name field, enter the host name (VSAT) and specify a meaningful
Description.
5. Click the Add button. The Add Host Item window is displayed.

Figure 32: Adding Host Item

6. In the Add Host Item dialog box, define the VSAT subnet and click Apply.
7. In the Host List Entry Properties window, click Save.

If a VSAT has multiple subnets behind it, they should be defined at this stage.

Defining VSAT Group (SLA)


This procedure identifies one or more VSATs that receive the same QoS under a Service
Level Agreement (SLA).
To configure VSAT Group SLA:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.


2. In the Catalogs tree view, select the Host node.


3. Right-click anywhere in the Host table and select New Host Group.

Figure 33: New Host Group Option

The Host Entry Properties window is displayed.

Figure 34: Host Group Entries Properties

4. In the Name field, enter the SLA group name.


5. In the Description field, specify a meaningful description.
6. Click Add. The Add Group Items window is displayed.


Figure 35: Add Group Items

7. In the Add Group Items window, select all of the Host objects (VSATs) that belong
to this Group / SLA. To select more than one Host object, hold down the <Ctrl>
key.
8. Click OK. Selected items are moved from the Available Catalog Entries list of the
Add Group Items window to the Host Group Entry Properties window.
9. In the Host Group Entry Properties window, click Save.

Defining Enhanced QoS for Lines


To define Enhanced QoS for a Line:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, right-click the Quality of Service option and select
New Line Enhanced QoS from the pop-up menu.


Figure 36: Selecting the New Line Enhanced QoS Option

The Line Enhanced QoS Entry Properties dialog box is displayed.


Figure 37: Defining Enhanced QoS for a Line

3. Edit the name and description of the entry, if required.


4. From the Line-Based QoS Coverage drop-down list, select the Each Direction
Defined Separately option.
5. In the Inbound section, set the Maximum Bandwidth parameter to the in Kbps option
and enter the value, as required.

The Maximum Bandwidth value of the Line (MPN) must not exceed the total
bandwidth value allowed by the Allot license (i.e., the Inbound Bandwidth
Limited to (Kbps) value, as described in Section Outbound Configuration
(NetEnforcer Level) (on page 65)).

6. In the Outbound section, set the Maximum Bandwidth parameter to Maximum
Allowed.
7. Leave the remaining parameters at their default values.
8. Click Save. The new entry is saved to the QoS Catalog.

Defining Enhanced QoS for Pipes


To define QoS for a Pipe:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, right-click the Quality of Service option and select
New Pipe Enhanced QoS from the pop-up menu.


Figure 38: Selecting the New Pipe Enhanced QoS Option

The Pipe Enhanced QoS Entry Properties dialog box is displayed.


Figure 39: Defining Enhanced QoS for a Pipe

3. Edit the name and description of the entry, if required.


4. From the Pipe-Based QoS Coverage drop-down list, select the Each Direction
Defined Separately option.
5. In the Inbound section:
• Set the Minimum Bandwidth (Kbps) parameter's value, as required.
• Set the Maximum Bandwidth parameter to the in Kbps option and enter the required
value.

The Maximum Bandwidth value of a Pipe must not exceed the maximum
bandwidth value of the Line (i.e., the Maximum Bandwidth value, as described in
Section Defining Enhanced QoS for Lines (on page 55)).

6. In the Outbound section, set the Maximum Bandwidth parameter to Maximum
Allowed.
7. Select the required type of Priority: Best Effort or Priority (1 Lowest, 4
Highest).

If all priorities between the Pipes or VCs are set to Best Effort, there will be no
actual decision to prioritize one Pipe over another (or one VC over another).
The behavior in this case would be similar to FIFO; meaning that the traffic will not
be managed properly.
Gilat recommends setting real priority values and not assigning everything to Best
Effort.


8. From the If Minimum Pipe Bandwidth is not Allocated drop-down list, select
the following action to be taken if the minimum bandwidth is not allocated:
• Admit by Priority - Selecting this option means accepting the new connection,
but not assigning the minimum bandwidth. The new connection gets bandwidth
per priority.
9. Click Save. The new entry (entries) is saved to the QoS Catalog.

Defining Enhanced QoS for Virtual Channels


The AOS installed on the Allot NetEnforcer AC-1400/AC-502 machine has an internal
mechanism that allows setting a separate buffer per Virtual Channel or Service. If
the Virtual Channel does not have a Drop Precedence defined in the QoS catalog, the
Drop Precedence of its service is applied to the Virtual Channel.
• To check what service has been recognized for the connection, open a Telnet
connection to the NetEnforcer machine and type the command acstat -if. The
first column is the service.
• To check what Drop Precedence option is used for a service, you need to know what
application is used by the service. The application and service have a parent-child
relationship: the Drop Precedence is defined for the application; then, the service
uses the Drop Precedence defined for its application.
For example, the HTTP Service uses the HTTP application. The HTTP application
uses the LOW Drop Precedence. Then, the HTTP Service will use the LOW Drop
Precedence as well.

Generally, for the HTTP, UDP, FTP applications, the Drop Precedence is
predefined as LOW in the Allot database.
In case there are applications that are derived from HTTP, UDP, or FTP and you
suspect that there is no buffer and that there is no effective bandwidth usage, you
will need to configure a Virtual Channel with the exact application and assign to it
the LOW Drop Precedence.
For a list of applications with HIGH drop precedence, see Appendix Applications
with High Drop Precedence (on page 145).
For the Drop Precedence configuration, see step 8 in the procedure below.

To define QoS for a Virtual Channel:


1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
In the Catalogs tree view, right-click the Quality of Service option and select
New Virtual Channel Enhanced QoS from the pop-up menu.


Figure 40: Selecting the New Virtual Channel Enhanced QoS Option

The Virtual Channel Enhanced QoS Entry Properties dialog box is displayed.


Figure 41: Defining Enhanced QoS for a Virtual Channel

2. Edit the name of the entry, if required.


3. From the Virtual Channel Based QoS Coverage drop-down list, select the Each
Direction Defined Separately option.
4. In the Inbound section:
• Set the Minimum Bandwidth (Kbps) parameter's value, as required.
• Set the Maximum Bandwidth parameter to the in Kbps option and enter the required
value.

The Maximum Bandwidth value of a Virtual Channel must not exceed the
maximum bandwidth value of a Pipe (i.e., the Maximum Bandwidth value, as
described in Section Defining Enhanced QoS for Pipes (on page 57)).

5. In the Outbound section, set the Maximum Bandwidth parameter to Maximum
Allowed.
6. Select the required type of Priority: Best Effort or Priority (1 Lowest, 4
Highest).

If all priorities between the Pipes or VCs are set to Best Effort, there will be no
actual decision to prioritize one Pipe over another (or one VC over another).
The behavior in this case would be similar to FIFO; meaning that the traffic will not
be managed properly.
Gilat recommends setting real priority values and not assigning everything to Best
Effort.


7. (Optional) Select the Expedited Forwarding checkbox when the Virtual Channel
is used for jitter or delay-sensitive applications such as VoIP. No buffering is used
with Expedited Forwarding in order to minimize jitter and delay. All traffic that
cannot be allocated the required bandwidth is dropped.
The Expedited Forwarding dialog box is displayed:
• In the Expedited Forwarding Bandwidth field, set the bandwidth value.
• Click Save. The new Expedited Forwarding QoS entry is saved in the QoS
Catalog. The Expedited Forwarding dialog box closes.
8. From the Drop Precedence drop-down list, select the required value (No
Buffering, Low, Medium, High) or leave the default (Application Based).
The Drop Precedence value dictates the order in which packets will be dropped, if
required. If a packet is not transmitted to the network, it will be dropped or
buffered. The Drop Precedence value determines the importance of the packet
when the decision to buffer it or not is made. Packets with higher Drop Precedence
values are discarded before packets with lower Drop Precedence values.
9. From the If Minimum Pipe Bandwidth is not Allocated drop-down list, select
the following action to be taken if the minimum bandwidth is not allocated:
• Admit by Priority - Selecting this option means accepting the new connection,
but not assigning the minimum bandwidth. The new connection gets bandwidth
per priority.
10. Click Save. The new entry (entries) is saved to the QoS Catalog.
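
The bandwidth ceilings and the Best Effort caveat stated in the Line, Pipe and Virtual Channel procedures above can be checked on a planned catalog before it is entered. The following Python is an added example, not part of the Gilat or Allot documentation; the dictionary layout, function names, finding labels and sample values are assumptions made for illustration, and only the Inbound values in Kbps are modelled.

```python
BEST_EFFORT = "Best Effort"
VALID_PRIORITIES = (1, 2, 3, 4)   # 1 Lowest, 4 Highest, as in the Priority step above

def _check_node(kind, node, parent_kind, parent_max_kbps, label):
    """Checks that apply to a single Pipe or Virtual Channel entry."""
    found = []
    # Rule from the notes above: a child's Maximum Bandwidth must not exceed its parent's.
    if node["max_kbps"] > parent_max_kbps:
        found.append((f"{kind}-exceeds-{parent_kind}", label))
    # Sanity check added by this example (not stated on the page): minimum <= maximum.
    if node.get("min_kbps", 0) > node["max_kbps"]:
        found.append((f"{kind}-min-above-max", label))
    priority = node.get("priority", BEST_EFFORT)
    if priority != BEST_EFFORT and priority not in VALID_PRIORITIES:
        found.append((f"{kind}-bad-priority", label))
    return found

def _all_best_effort(siblings):
    """True when two or more siblings exist and none has a real priority."""
    return len(siblings) > 1 and all(
        s.get("priority", BEST_EFFORT) == BEST_EFFORT for s in siblings)

def validate_line(license_kbps, line):
    """Return (rule, object) findings for one Line with its Pipes and Virtual Channels."""
    findings = []
    # Line (MPN) maximum must not exceed the bandwidth allowed by the Allot license.
    if line["max_kbps"] > license_kbps:
        findings.append(("line-exceeds-license", line["name"]))
    pipes = line.get("pipes", [])
    for pipe in pipes:
        findings += _check_node("pipe", pipe, "line", line["max_kbps"], pipe["name"])
        vcs = pipe.get("vcs", [])
        for vc in vcs:
            findings += _check_node("vc", vc, "pipe", pipe["max_kbps"],
                                    f"{pipe['name']}/{vc['name']}")
        # With every VC at Best Effort the behavior is similar to FIFO.
        if _all_best_effort(vcs):
            findings.append(("all-best-effort", f"VCs of {pipe['name']}"))
    if _all_best_effort(pipes):
        findings.append(("all-best-effort", f"Pipes of {line['name']}"))
    return findings

# Constructed sample catalog (values in Kbps); names are hypothetical.
SAMPLE_LINE = {
    "name": "MPN1", "max_kbps": 20000,
    "pipes": [
        {"name": "SLA-Gold", "min_kbps": 512, "max_kbps": 4096, "priority": BEST_EFFORT,
         "vcs": [
             {"name": "VoIP", "max_kbps": 256, "priority": 4},
             {"name": "Web", "max_kbps": 8192, "priority": 2},   # above its Pipe
         ]},
        {"name": "SLA-Silver", "max_kbps": 2048, "priority": BEST_EFFORT,
         "vcs": [
             {"name": "Web", "max_kbps": 1024, "priority": BEST_EFFORT},
             {"name": "FTP", "max_kbps": 1024, "priority": BEST_EFFORT},
         ]},
    ],
}

if __name__ == "__main__":
    # License limit of 16000 Kbps is a constructed value.
    for rule, obj in validate_line(16000, SAMPLE_LINE):
        print(f"{rule}: {obj}")
```
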

Defining RPA Service


This procedure describes how to define the RPA service, i.e., routing the HTTP traffic
from the VSAT to the HPA.

In case you perform an Automatic Protocol Update (APU) from the Allot Website
after a new service is configured, the new service will not overwrite the manual
change as long as Allot does not have the same service name.

To define RPA service:


1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, select the Service node and right-click it.
3. Select New Service from the pop-up menu. The Service Entry Properties
window is displayed.


Figure 42: Configuring RPA Service

4. In the Name field, type RPA.


5. From the Application Type drop-down list, select HTTP.
6. In the Ports area, configure the port with the 9876 value for the TCP IP Protocol.
7. Click the Save button.

Defining UDP Dummy Service


This section describes how to configure the dummy UDP service properties entry. This
setting prevents the user from exceeding the Outbound SLA that was paid for. In addition,
this setting allows the Allot NetXplorer Server to recognize the packets added by the Web
Enhance VSAT as UDP DUMMY packets. These packets are sourced at the HPA and
sent to the VSAT. When the DPS recognizes these packets, it drops them.

In case you perform an Automatic Protocol Update (APU) from the Allot Website
after a new service is configured, the new service will not overwrite the manual
change as long as Allot does not have the same service name.

To define the dummy UDP service properties:


1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, select the Service node.
3. Right-click anywhere in the Host table and select New Service. The Service
Entry Properties window is displayed.


Figure 43: Configuring UDP Service Properties

4. Enter the service name (e.g., UDP Dummy).


5. From the Application Type drop-down list, select Other UDP.
6. In the Ports area, click Add. The Ports Entry Properties screen is displayed.
a. In the IP Protocol area, select UDP.
b. In the Entry Identification Method area, select Port Based.
c. In the Port Number field, enter 9876.
d. Click OK.
7. Click Save. The Service Entry Properties window is no longer displayed.

Defining Policies
Outbound Configuration (NetEnforcer Level)
This procedure describes how to configure the maximum Outbound Bandwidth at the
NetEnforcer level.


To configure the maximum Outbound Bandwidth level at the NetEnforcer level:


1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, right-click the NetEnforcer node that you want to
define and select Configuration from the pop-up menu.

Figure 44: Selecting the NetEnforcer Configuration Option

The Configuration screen is displayed.


3. In the Configuration screen, click the Identification & Key tab. The
Identification & Key tab is displayed.


Figure 45: Defining Maximum Outbound Bandwidth

Do not modify the Activation Key.

4. In the Bandwidth Capacity Limitations section of the screen, perform either of
the following:
• When using CCM in the Outbound, clear the (Allot Inbound) Max Allowed
checkbox and set Inbound Bandwidth Limited to (Kbps) to the maximum
available Outbound bandwidth, allowed by the Allot license.
• When using ACM, Outbound is defined automatically by the hub DPS. Select
(check) the (Allot Outbound) Max Allowed checkbox.
5. Save the changes.

MPN Configuration (Line Level)


To configure QoS rules of an MPN at the Line level:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, right-click the MPN1 node that you want to define and
select Policy Editor from the pop-up menu.


Figure 46: Accessing Policy Editor

The Policy Editor screen is displayed.


3. Right-click any existing Line in the Policy (e.g., NS1 QoS 1) window and select the
Insert Line option from the pop-up menu.


Figure 47: Inserting New Line

The Line Properties – Insert window is displayed.

Figure 48: Policy Editor (Lines)

4. In the Line Properties – Insert window:


a. Edit the Name field.


b. Specify a Description.
c. From the Quality of Service drop-down list, select a rule (e.g., Line speed) that
was previously defined in the QoS Catalog.
5. Click OK.
6. Save the changes.

SLA Configuration (Pipe Template Level)


To configure QoS rules for an SLA at the Pipe (Template) level:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, right-click the Pipe node that you want to define and
select Policy Editor from the pop-up menu.

Figure 49: Accessing Policy Editor

The Policy Editor screen is displayed.


3. In the Policy window, right-click a Pipe entry under the appropriate Line and select
Insert Pipe Template from the pop-up menu.

Figure 50: Inserting Pipe Template

The Pipe Template Properties – Insert window is displayed.


Figure 51: Policy Editor (Pipe)

4. In the Pipe Template Properties – Insert window, edit the Name field and
specify a Description.
5. In the Conditions section of the screen, select the condition to be edited.
6. In the Quality of Service drop-down list, select a QoS rule previously defined in
the Catalog.
7. Click the Edit button. The Conditions Properties – Edit window is displayed.


Figure 52: Editing Conditions

8. In the Conditions Properties – Edit window, from the Internal drop-down list,
select the Host Group (previously defined in the Host Catalog) that represents the
SLA.
9. Click OK in the Conditions Properties – Edit dialog box.
10. Click OK in the Pipe Template Properties – Insert window.
11. Save the changes.

Application Configuration (VC Level)


To configure QoS rules for an Application at the Virtual Channel level:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, right-click the Pipe node that you want to define and
select Policy Editor from the pop-up menu.
The Policy Editor screen is displayed.


Figure 53: Inserting Virtual Channel

3. In the Policy window, right-click a VC entry under the appropriate Pipe and select
Insert Virtual Channel. The Virtual Channel Properties window is displayed.

Figure 54: Policy Editor (VC)


4. In the Virtual Channel Properties – Insert window, edit the Name field and
specify a Description.
5. In the Conditions section of the screen, select the condition to be edited.
6. From the Quality of Service drop-down list, select a QoS rule previously defined in
the Catalog.
7. Click the Edit button. The Conditions Properties – Edit window is displayed.

Figure 55: Editing Conditions

8. From the Service drop-down list, select the Protocol (Group) that represents the
Application (defined previously in the Host Catalog).
9. Click OK in the Conditions Properties – Edit window.
10. Click OK in the Virtual Channel Properties – Insert window.
11. Save the changes.

Applying Policy Distribution


The two Allot NetEnforcer machines must contain the same policy definitions. If
one of the Allot NetEnforcer machines fails, the other one continues the system
operation using the same policy data.
This section describes how to apply the policy created for one of the Allot NetEnforcer
machines to the other.


Always save configuration on the NetEnforcer machine containing the policy
definitions before distributing the policy to the other NetEnforcer machine.

To apply the policy:


1. In the Network tree view, right-click the NS1 QoS 1 node and select Policy
Distribution from the pop-up menu.

Figure 56: Selecting the Policy Distribution Option

The Policy Distribution window is displayed.


Figure 57: Distributing QoS Policies

2. In the NS1 QoS 2 line, select the Distribution checkbox.


3. Click Distribute.
4. Close the Policy Distribution window.

Chapter 7: System Maintenance

In This Section
Verifying Traffic Status ................................................................................................................... 79
Switching from Active to Bypass Operation Mode ......................................................................... 79
Recovering from Bypass to Active Operation Mode ...................................................................... 80

Verifying Traffic Status


To verify the traffic status:
1. Log on to both NetEnforcer machines via Telnet.
2. In the prompt, type acmon. This command allows viewing the traffic that passes on
each of the NetEnforcer machines.
3. Press Enter.
4. Perform either of the following actions, depending on the system status:
• Switching from Active to Bypass Operation Mode (on page 79)
• Recovering from Bypass to Active Operation Mode (on page 80)

Switching from Active to Bypass Operation Mode


Perform the below procedure to verify that the system operates in the Active
Redundancy mode.
To switch from Active to Bypass mode:
1. Log on to the NetEnforcer machine via Telnet.
2. In the prompt, type go config network -dev_mode system:bypass.
3. Press Enter.
4. Type the command go config view network to verify that the System Status
value has changed from Active to Bypass.
5. Press Enter.

Figure 58: Switching from Active to Bypass Operation Mode


6. Verify that the traffic has moved from one NetEnforcer machine to the other, using
the acmon command.

Recovering from Bypass to Active Operation Mode


If, after the NetEnforcer machine has been rebooted, its operation mode
mistakenly appears as Bypass, perform the following procedure.
To recover from Bypass to Active mode:
1. Log on to the NetEnforcer machine via Telnet.
2. In the prompt, type go config network -dev_mode system:active.
3. Press Enter.
4. Type the command go config view network to verify that the System Status
value has changed from Bypass to Active.
5. Press Enter.

Figure 59: Recovering from Bypass to Active Operation Mode

6. Verify that the traffic has moved from one NetEnforcer machine to the other, using
the acmon command.

It takes about 40 seconds for the traffic to recover on the switch that is in
back-up/active operation mode and is switching back to back-up/standby operation
mode. During this period, the traffic keeps running on the other NetEnforcer
machine and the sessions are saved.

Chapter 8: Monitoring Allot NetXplorer and
NetEnforcer Machines

In This Section
Monitoring Allot NetEnforcer Bandwidth Limits .............................................................................. 81
Monitoring Tools for Allot NetXplorer Linux Server ........................................................................ 81

Monitoring Allot NetEnforcer Bandwidth Limits


Starting from Allot NetEnforcer software version 12.3, it is possible to monitor
the device's actual enforcement.
To monitor the actual enforcement (bandwidth limits) of a NetEnforcer device:
1. Open a Telnet connection to the NetEnforcer machine from the Management PC.
2. Log in with username sysadmin and password sysadmin.
3. Type the command set_device_bw_limits -show.
The logs are kept on each device under the /opt/allot/logs directory of the
rsyslog.auth.log folder.

Monitoring Tools for Allot NetXplorer Linux Server


The following are tools to be used for collecting statistics from the Allot NetXplorer
Server. The use of any of the following tools is case-dependent.
• Snapshots – for taking the NetXplorer Server snapshots from the
/opt/allot/bin/create_snapshot_logs.sh folder.
• GUI Network Monitoring (on page 81)
• Process Running (on page 83)
• Logs (on page 83)
• Wireshark Sniffer
• VNC (on page 84)

All the collected information must be forwarded to Allot Tech Support upon
opening a case.

Monitoring Processes via NetXplorer Server GUI


NetXplorer Server GUI allows monitoring the processes currently running on the
NetXplorer Server.
To monitor processes via the NetXplorer Server GUI:
1. Connect to the NetXplorer Server GUI.


2. To view the processes, from the System toolbar drop-down menu, select
Administration > System Monitor. The System Monitor screen with the
Processes tab view is displayed.

Figure 60: Processes Status

3. To view the resources, on the System Monitor screen, select the Resources tab.

Figure 61: Resources Status


4. To view the File Systems status, on the System Monitor screen, select the File
Systems tab.

Figure 62: File Systems Status

Process Running
To view the processes from the terminal window of the NetXplorer Server:
1. Run the command top.
2. To verify that the NetXplorer Service is running, run the command service
netxplorer status.
3. To verify that the database is running on the NetXplorer Server, use the command
ps -ax | grep opt.
The following is an example of the command output:

Figure 63: Command Output

Monitoring Processes Using Logs


Important logs are located in the /opt/allot/log folder. They are as follows:
• allot_cfg.txt
• allot_ltc.txt
• allot_stc.txt
• converter.log
• nedbg.swKeeper.log

Monitoring Processes via Wireshark Sniffer


Among other tools, the Wireshark sniffer is used for debugging network connectivity on
the NetXplorer Server.


To monitor processes via Wireshark sniffer:


1. Connect to the NetXplorer Server GUI.
2. From the Applications toolbar drop-down menu, select Internet > Wireshark.
The Wireshark main screen is displayed.

Figure 64: Wireshark Sniffer

Enabling VNC on Allot NetXplorer Linux Server


This section describes how to enable VNC on the Allot NetXplorer Linux Server for
monitoring purposes.
It is NOT recommended to keep VNC enabled for long periods of time.
Remove the VNC accessibility once the desired remote actions have been
completed.

To enable VNC on the Allot NetXplorer Linux Server:


1. On the terminal window of the NetXplorer Server:
a. Make sure that the iptables service is stopped by typing the command service
iptables stop.
b. Type vi /etc/sysconfig/vncservers.
c. In the vi editor, replace the number 2 with 0 and remove the # sign next to the
following two lines.
The final result is displayed as follows:

VNCSERVERS="0:root"
VNCSERVERARGS[0]="-geometry 800x600 -nolisten tcp -nohttpd -localhost"


d. Save the changes.


e. To activate the vncserver password, type vncserver, and then press Enter.
• When prompted for password, type $SatCom$.
• When prompted to verify new password, retype the password.
The output of the vncserver command is as follows:

You will require a password to access your desktops.


Password:
Verify:
New 'nxlinux.allot.local:2 (root)' desktop is nxlinux.allot.local:2
Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/nxlinux.allot.local:2.log

2. Connect to the NetXplorer Server GUI.


3. On the NetXplorer Server GUI:
a. To view the processes, from the System toolbar drop-down menu, select
Preferences > Remote Desktop. The Remote Desktop Preferences
dialog box is displayed.

Figure 65: Remote Desktop Preferences

b. Select the following checkboxes:
• Allow other users to view your desktop
• Allow other users to control your desktop


c. Close the Remote Desktop Preferences dialog box.


4. On the Management PC, activate the Ultra VNC Viewer application.
5. Create a new connection by typing the NetXplorer Server IP address (default
172.17.7.1) and session ID (0), for example: 172.17.7.1.
6. Type the password $SatCom$ and continue with remote activity.
7. To stop a session from the NetXplorer Server, type vncserver -kill :x (where
x = session ID).
8. When the remote session is completed, unselect the following checkboxes:
• Allow other users to view your desktop
• Allow other users to control your desktop

Chapter 9: Shutting Linux NetXplorer Server
Service

In This Section
Performing Normal NetXplorer Server Service Shutdown ............................................................. 87
Performing Workaround during NetXplorer Server Service Shutdown or Reset ........................... 87

Performing Normal NetXplorer Server Service Shutdown


This section describes how to perform the normal NetXplorer Server service shutdown.
To shut the NetXplorer Server service:
1. Log on to the NetXplorer Server with the username root and password $SatCom$
or connect to the NetXplorer Server using SSH from the Management PC.
2. Stop the NetXplorer service by typing the command service netxplorer stop.
• If the NetXplorer service does not stop after 5 minutes, check which process IDs
are still running using the command ps -ax | grep opt.
• If the SQL database is still running, remove the processes (each with a new
line), using the command kill -9 <process ID> and press Enter. Apply the
same command to all the processes until they are removed.
3. Verify that the NetXplorer Server is no longer running using the command service
netxplorer status.
4. Shut down the NetXplorer Server machine.

Performing Workaround during NetXplorer Server Service Shutdown or Reset

This section describes how to perform the workaround when there is a problem with
shutting down or resetting the NetXplorer Server machine.

If you are in the middle of the shutdown or reset process, use a hard reboot and wait
until the NetXplorer Server machine goes online.

To perform workaround during NetXplorer Server service shutdown or reset:


1. Log on to the NetXplorer Server with the username root and password $SatCom$
or connect to the NetXplorer Server using SSH from the Management PC.
2. Open a new terminal window.
3. Stop the NetXplorer service by typing the command service netxplorer stop.
• If the NetXplorer service does not stop after 5 minutes, open a new terminal
window and check which process IDs are still running using the command ps -ax
| grep opt.
• If the SQL database is still running, remove the processes (each with a new
line), using the command kill -9 <process ID> and press Enter. Apply the
same command to all the processes until they are removed.
4. Verify that the NetXplorer Server service has stopped by typing the command
service netxplorer stop.
5. To check an expected MAC address, copy and paste the command to a new terminal
window:

ifconfig | sed -n '/^eth0 / {N;N;N;N;N;N;N;p;}' | grep HWaddr | sed 's/^.*HWaddr //' | cut -f3-6 -d':' | sed 's/://g' | sed 's/ //g'

6. Edit the swKeeper.ini file (located in /opt/allot/conf folder) using VI editor and
replace the MAC with output in the args line of every db (stc, ltc, and cfg).
For example: args="-n 67039E45_allot_stc ..."
7. Save the file.
8. Reboot the NetXplorer Server machine.
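
A pre-edit check for steps 5 and 6, as an added example that is not part of the manual or of Allot's tooling: it derives the same eight-character prefix as the pipeline in step 5 and lists the args lines that still carry a different prefix. The function names, the ifconfig text and the args lines are constructed for illustration; only the "-n <prefix>_allot_<db>" shape is taken from the manual's example.

```shell
#!/bin/sh
# Added example, not from the manual. Function names are this example's own.

# mac_token: read `ifconfig` output on stdin and print octets 3-6 of the eth0
# hardware address with the colons removed, as the manual's pipeline does.
mac_token() {
    awk '
        /^[^ \t]/ { in_eth0 = ($1 == "eth0") }   # a new interface stanza starts
        in_eth0 && /HWaddr/ {
            for (i = 1; i < NF; i++) if ($i == "HWaddr") mac = $(i + 1)
            if (split(mac, o, ":") == 6) print o[3] o[4] o[5] o[6]
            exit
        }
    '
}

# stale_db_names PREFIX: read swKeeper.ini text on stdin and print every args
# line whose -n value does not start with PREFIX_allot_. Returns 1 if any do.
stale_db_names() {
    awk -v tok="$1" '
        /^[ \t]*args=/ {
            name = ""
            for (i = 1; i < NF; i++)
                if ($i == "-n" || $i == "args=\"-n" || $i == "args=-n") name = $(i + 1)
            gsub(/"/, "", name)
            if (name != "" && index(name, tok "_allot_") != 1) {
                print NR ": " $0
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed samples. Only the args="-n <prefix>_allot_<db> ..." shape comes
# from the manual; the addresses and the stale prefix are made up.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:1A:67:03:9E:45
          inet addr:172.17.7.1  Bcast:172.17.255.255  Mask:255.255.0.0

eth1      Link encap:Ethernet  HWaddr 00:1A:67:03:9E:46
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0'
SAMPLE_INI='args="-n 67039E45_allot_cfg ..."
args="-n 0A1B2C3D_allot_ltc ..."
args="-n 0A1B2C3D_allot_stc ..."'

prefix=$(printf '%s\n' "$SAMPLE_IFCONFIG" | mac_token)
echo "expected prefix: $prefix"
if printf '%s\n' "$SAMPLE_INI" | stale_db_names "$prefix"; then
    echo "all database names match eth0"
else
    echo "the lines listed above need the new prefix"
fi
```

On the server itself, feed the functions live input instead of the samples: ifconfig | mac_token, then stale_db_names with that prefix reading /opt/allot/conf/swKeeper.ini on standard input.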

Appendix A: Troubleshooting
In This Section
Troubleshooting Bypass Mode ...................................................................................................... 89
Troubleshooting Clocks Synchronization Issues ........................................................................... 90
Troubleshooting Network Security Threat..................................................................................... 94

Troubleshooting Bypass Mode


Applying Bypass Configuration
To apply bypass configuration:
1. On the Navigation pane, select NS1 QoS 1.
2. In the NS1 QoS 1 window, right-click MPN1 and select Properties from the
pop-up menu. The Line Properties - Update screen with the Policy tab is
displayed.

Figure 66: Applying Bypass Configuration

3. From the Quality of Service drop-down list, select Ignore QoS.


4. Click OK.

Changing Redundancy Mode
If the AC-502 is stuck in the Standalone Redundancy mode and you are not
able to change the Redundancy mode to Active using the NetXplorer Server
application, perform the following actions:
1. Open a Telnet connection to the NetEnforcer machine from the Management PC.
2. Log in with username sysadmin and password sysadmin.
3. Type the command go config network -redund_mode active.
4. Verify that the Redundancy mode is active by the command go config view
network.

Disabling Network Bypass Unit


If it is required to disable the Bypass (Internal) unit on the AC502 QoS2
NetEnforcer machine, perform the following:
1. Open a Telnet connection to the NetEnforcer machine from the Management PC.
2. Log in with username sysadmin and password sysadmin.
3. Type the command go config network -bypass_unit disable.
4. Verify that the network mode is active by the command go config view network.

Creating Manual Bypass

Prior to disconnecting the cables between the NetEnforcer machines and the
switches, you must reboot both NetEnforcer machines by command ac_halt via
Telnet/Console.

To create manual bypass:


1. Disconnect both NetEnforcer machines from the Application and Satellite switches.
2. Connect the spare short circuit cable between the Satellite and Application
switches.

Troubleshooting Clock Synchronization Issues


Troubleshooting Clock Synchronization between NetXplorer Server and Client
The NetXplorer Server and a NetXplorer Client have a tolerance of 10 minutes time
difference (GMT). The devices may also be located in different time zones.

Daylight savings time may cause an issue with the time zones.

The actions described below must be performed, if you encounter one (or more) of the
following problems during the clock synchronization process:

• Inability to log in to the NetXplorer Server
• Graphs and/or log times are inconsistent
To troubleshoot the clock synchronization between the NetXplorer Server and a
NetXplorer Client:
1. Log in to the Client's machine.
2. Go to the C:\Documents and Settings\<User name>\NMS.log directory and
check the UTC time dump.

Troubleshooting Clock Synchronization between NetXplorer Server and NetEnforcer Machines

The NetEnforcer and NetXplorer Server have a tolerance of 15 seconds time difference.
If the clocks are not synchronized, the NetXplorer Server will stop collecting data. If the
data collection is stopped, the following alarm/event is received: invalid bucket time
on device NetEnforcer502 (id 208 - Current bucket time is older that current UTC
minus delta).
The NetEnforcer NTP client synchronizes the clocks only during the initialization
process (on boot up). Synchronization can fail if the following occurs:
• The NetXplorer Server is rebooted while the NetEnforcer is already up.
• The NetEnforcer does not manage to synchronize with the NetXplorer Server
because:
  • The NetXplorer Server is down.
  • The NetXplorer Server has just been booted up along with the NetEnforcer and
  it is up, but the NTP daemon (on the Server) takes a few moments before it
  becomes active.

Procedure Prerequisites
Prior to troubleshooting the clock synchronization between the NetXplorer Server and
NetEnforcer machines:
1. Verify that the NTP service is running on the NetXplorer Server by using the
command ntpq -p.
• If you receive the ntpq:read:Connection refused error, it means that the NTP
Server is not running on the NetXplorer Server machine.
2. Verify that the NTP process is running on the NetEnforcer machine by using the
command ntpq -p.
Example:
89 ? SL 0:00 /usr/sbin/ntpd -l /usr/local/SWG/logs/ntp.log
# ntpq -p
Remote          refid     st  t  when  poll  reach  delay  offset  jitter
=========================================================================
10.200.200.20   LOCAL(1)  11  u  18d   1024  0      0.000  0.000   4000.00

• If the stratum (st) value 16 is received, it indicates failure to sync against the NTP Server.

3. Verify that there is no Windows Firewall enabled on the NetXplorer Server, as it can
block the NTP requests.
• If the Windows Firewall is enabled, the NTPD service is not running on the
NetEnforcer machine.
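
The ntpq -p check from the prerequisites above, as an added example that is not part of the manual: it flags a stratum of 16, a reach value of 0, an offset beyond the 15-second tolerance, and the absence of a selected peer. It assumes raw ntpq -p output (tally character in column 1, offset in milliseconds); ntp_peer_faults is this example's own name, and the sample rows are constructed, the first one reusing the values of the manual's example.

```shell
#!/bin/sh
# Added example, not from the manual. ntp_peer_faults is this example's own name.

# ntp_peer_faults [MAX_OFFSET_MS]: read raw `ntpq -p` output on stdin and print
# one line per problem found. Returns 0 when a peer is selected and no fault is
# found, 1 otherwise. Default limit: 15000 ms, the 15-second tolerance.
ntp_peer_faults() {
    awk -v max="${1:-15000}" '
        function fault(peer, why) { print peer ": " why; bad = 1 }
        # Column 1 is the tally code ("*" marks the peer ntpd synchronizes to).
        { tally = substr($0, 1, 1); $0 = substr($0, 2) }
        $3 !~ /^[0-9]+$/ { next }      # header, ruler, shell prompt
        {
            peers++
            if (tally == "*") selected = 1
            off = $9 + 0
            if (off < 0) off = -off
            if ($3 == 16)  fault($1, "stratum 16, not synchronized")
            if ($7 == 0)   fault($1, "reach 0, no reply to recent polls")
            if (off > max) fault($1, "offset " $9 " ms exceeds " max " ms")
        }
        END {
            if (!peers)         { print "no peers listed"; bad = 1 }
            else if (!selected) { print "no peer selected for synchronization"; bad = 1 }
            exit bad
        }
    '
}

# Constructed samples in ntpq -p layout. The first row reuses the values of the
# manual's example; the other rows are made up.
NTPQ_STALE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.200.200.20   LOCAL(1)        11 u  18d 1024    0    0.000    0.000 4000.00'
NTPQ_UNSYNC=' 172.17.7.1      .INIT.          16 u    - 1024    0    0.000    0.000   0.000'
NTPQ_HEALTHY='*172.17.7.1      LOCAL(0)         7 u   33   64  377    0.412   -3.120   0.215'

for sample in "$NTPQ_STALE" "$NTPQ_UNSYNC" "$NTPQ_HEALTHY"; do
    printf '%s\n' "$sample" | ntp_peer_faults && echo "synchronized"
    echo "--"
done
```

On a live machine, pipe the command into the function: ntpq -p | ntp_peer_faults.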

Initializing NTP Server


To initialize the NTP Server:
1. Using SSH connection, connect to the NetXplorer Server from the Management PC.
2. Run the chkconfig --level 35 ntpd on command to make sure that the ntpd service
is resumed after a reboot.
3. Reboot the NetXplorer Server machine.
4. After the NetXplorer Server has completed the reboot, run the service ntpd
status command to verify that the ntpd service status is running.
5. Reboot the NetEnforcer machine.

For more information on the NTP, refer to the documentation on
http://ntp.isc.org/bin/view/Main/DocumentationIndex/.

Example:

NE:~# cat /etc/ntp.conf
server 127.127.1.0
fudge 127.127.1.0 stratum 14
driftfile /etc/ntp/drift
restrict default ignore
restrict 127.0.0.1
disable monitor stats
server 172.17.7.1
restrict 172.17.7.1 noquery nomodify notrap nopeer
restrict 127.127.1.0 noquery nomodify notrap nopeer
NE:~# ntpdate 172.17.7.1
18 Jun 15:03:20 ntpdate[608]: no server suitable for synchronization found
NE:~# ntpdate 172.17.7.1
18 Jun 15:04:49 ntpdate[663]: no server suitable for synchronization found
NE:~# ntpdate 129.132.2.21
18 Jun 15:07:41 ntpdate[669]: step time server 129.132.2.21 offset -36.259949 sec
NE:~# date
Sun Jun 18 15:07:45 GMT 2006
NE:~# tcpdump -i eth2 udp port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 68 bytes
15:04:45.019694 IP 10.72.254.2.ntp > 172.17.7.1.ntp: NTPv4 client, strat 0, poll 4, prec -6
15:04:46.019676 IP 10.72.254.2.ntp > 172.17.7.1.ntp: NTPv4 client, strat 0, poll 4, prec -6
15:04:47.019563 IP 10.72.254.2.ntp > 172.17.7.1.ntp: NTPv4 client, strat 0, poll 4, prec -6
15:04:48.019613 IP 10.72.254.2.ntp > 172.17.7.1.ntp: NTPv4 client, strat 0, poll 4, prec -6
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Possible results:
• The NetXplorer Server 172.17.7.1 does not respond to the NetEnforcer NTP
requests (ntpdate 172.17.7.1 fails). No NTP packets came from the NetXplorer
Server.
• The NTP service on the NetEnforcer works properly, since a manual ntpdate
command to an external NTP Server (129.132.2.21) has completed successfully.

Check connectivity and/or the NTP service on the NetXplorer Server.

Performing Additional Actions on NTP Server


This section describes additional recommended actions for dealing with the clock
synchronization problems.

The assumption is that the stratum on the NTP Server is 16.

To overcome the clock synchronization problems:


1. From the NTP configuration on the NetXplorer Server, remove the NMS Server IP
address 172.17.11.1.
2. Enter the IP address 127.127.1.0 of a fake NTP Server, and then click OK.
3. Edit the ntp.conf file on the NetXplorer Server with stratum 6 (using fake IP
127.127.1.0):
4. Save the ntp.conf file.
5. Restart the NTP service by the command service ntpd restart.
6. Restart the NTP service on the NetEnforcer machine:
• Type the command cd /etc/rc.d to complete the synchronization process on
the NetEnforcer machine's side.
• Type the command ps -ef | grep ntp to check that the service is running.
• Type the command rc.ntp stop to stop NTP.
• Type the command ps -ef | grep ntp to verify that the service is stopped.
• Type the command rc.ntp start to start NTP.
7. Wait for five minutes for the clock synchronization process to be completed.

Troubleshooting Network Security Threat

In case of a network security threat, there is a risk of unauthorized access from a
user's Data VLAN to the Management VLAN. This may harm the network operation by
rebooting network elements, or by corrupting or deleting important network files.
The sections Network Security Guidelines (on page 94) and Configuring Network
Access Policy (on page 94) describe how to prevent such a scenario by blocking users'
access to the network via the Data VLAN.

Network Security Guidelines


The unauthorized network access threat may originate from users behind the VSATs or
from users behind the backhaul network on the Hub side.
• To prevent users behind the VSATs from accessing the network management
VLAN:
  • Routing between the Management PC (or any other Data and Management
  VLAN PC on the network) and any VSAT IP address is absolutely forbidden. If the
  routing is required for troubleshooting, it can be temporarily enabled and then
  disabled right after the debugging actions are completed.
• To prevent users behind the backhaul network on the Hub side from accessing the
network:
  • Perform the actions described in Section Configuring Network Access Policy
  (on page 94). This policy should be applied to any active Allot NetEnforcer
  machines in the network (per Network Segment) and should be distributed to
  the standby Allot NetEnforcer machines.

Configuring Network Access Policy


To configure the network access policy:
1. Define properties of the Access Block service group (on page 95).
2. Define a Host list of restricted elements (on page 95).
3. Define policy for the Access Block service group (on page 96).
4. Test Access Block policy regulation (on page 97).

If more than one Network Segment is used, perform the above actions for the active
Allot NetEnforcer machines located in the Network Segments 2 and 3 as well.


Defining Properties of the Access Block Service Group Entry


This section describes how to define properties of the Access Block service group.
To define properties of the Access Block service group:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, select the Service node, right-click it, and select New
Service Group. The Service Group Entry Properties window is displayed.

Figure 67: Defining Service Group Entry Properties

3. In the Name field, enter Access Block.


4. In the Description field, enter Access Block.
5. In the Service Entry Name area, click Add to select the following service entries:
• Telnet
• SSH
• VNC
• RDP
6. Click Save. The Service Entry Properties window is no longer displayed.

Defining Host List of Restricted Elements


This section describes how to define a Host list of the hub elements that must not be
exposed to an external threat.
To define a Host list of restricted elements:
1. On the Navigation pane, select Catalogs. The Catalogs tree view is displayed.
2. In the Catalogs tree view, select the Host node, right-click it, and select New
Host List. The Host List Entry Properties window is displayed.

Figure 68: Defining Host List of Restricted Elements

3. In the Name field, enter Restricted Elements.


4. In the Description field, enter Restricted Elements.
5. Click Add to add IP addresses of the hub elements that must not be exposed to an
external threat (DPS, Management PC, etc.).

Any hub element with data VLAN must be defined by its IP address in the Host list.

6. Click Save. The Host List Entry Properties window is no longer displayed.

Defining Policy for the Access Block Service Group


This section describes how to define a policy for the Access Block service group.
To define a policy for the Access Block service group:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. In the Network tree view, access the Policy Editor screen.
3. Right-click any existing Line and select the Insert Line option from the pop-up
menu. The Line Properties window is displayed.


Figure 69: Defining Policy for the Access Block Service Group

4. Edit the Name field (e.g., Access Block).


5. Specify a Description (e.g., Access Block).
6. From the Service drop-down list, select a rule (i.e., Access Block) that was
previously defined in the Service Group Catalog (on page 95).
7. From the Internal drop-down list, select Restricted Elements that were
previously defined in the Host List Catalog (on page 95).
8. From the Actions drop-down list, select Drop.
9. Click OK.
10. Save the policy changes and distribute it to the standby Allot NetEnforcer machine.

Testing Policy Regulation


To test the Access Block policy regulation:
1. Send a ping from a PC connected to the Application switch to the Management PC
data VLAN (172.24.x.x).
2. Open a VNC or an RDP connection to the Management PC and verify that it is
inaccessible.

Appendix B: Adding New Allot NetEnforcer
Machine
To add a new Allot NetEnforcer machine:
1. Insert the new device into the hub.
2. Configure the IP address of the new machine. For a detailed procedure, refer to the
Section Configuring IP Address (on page 18).
3. Connect the cables to the new machine.
4. Confirm IP connectivity between the NetXplorer Server and the new Allot
NetEnforcer machine.
5. On the desktop of the Allot NetXplorer server machine, double-click the NetXplorer
icon. The NetXplorer Logon window is displayed.
6. In the User Name field, enter admin.
7. In the Password field, enter $SatCom$.
8. Click Log On. The NetXplorer application opens.
9. Right-click the Network node and select New NetEnforcer. The NetEnforcer
Properties – New dialog box is displayed.

Figure 70: Adding New Allot NetEnforcer Machine

10. In the NetEnforcer Name field, enter the new machine name.
11. In the Password field, enter allot (default).
12. In the IP address field, enter the NetEnforcer Management IP address.

13. Verify that the Collector option is set to Short-Term Collector.
14. Click Save. The new NetEnforcer is added to the Navigation tree.
15. Define policies, as required.

Appendix C: Deleting Allot NetEnforcer Machine
In This Section
Deleting Allot NetEnforcer Machine from NetXplorer Server Configuration ................................ 101
Activating Internal Bypass Unit for AC-502 NetEnforcer Machine ............................................... 104

Deleting Allot NetEnforcer Machine from NetXplorer Server


Configuration
This section describes how to delete a NetEnforcer machine from the NetXplorer Server
configuration, in case the Production department should prepare one device for
shipment instead of two (for non-redundant configuration).
To delete a NetEnforcer machine:
1. Log in to the NetXplorer Server application.
2. Right-click the NS1 QoS 2 to be deleted (usually, it is the secondary device of each
model), and then select Delete from the pop-up menu.

Figure 71: Deleting Allot NetEnforcer Machine

3. Right-click the remaining NS1 QoS 1 and select Configuration from the pop-up
menu.
4. On the Networking tab, from the Redundancy Mode drop-down list, select
Standalone.


Figure 72: Configuring Standalone Redundancy Mode

5. Save the changes. The NetEnforcer machine reboots.


6. Open a Telnet connection to the NetEnforcer machine and change the redundancy
mode to Active by the go config network -dev_mode system:active command.
7. Verify that the network config status has been changed accordingly by the go
config view network command. The following output is displayed:

==== Network ====
Redundancy Mode standalone
Bypass Unit Configuration disable
Bypass Unit Detection N/A
System Status active
Cards list:
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |CC |ON |ACTIVE
--------------------------------------------

8. Reboot the NetEnforcer machine using the ac_reboot command.
9. Open a Telnet connection to the NetEnforcer machine and change the redundancy
mode to Standalone using the go config network -redund_mode standalone
command.
10. Reboot the device using the ac_reboot command.

Activating Internal Bypass Unit for AC-502 NetEnforcer Machine
If a standalone AC-502 NetEnforcer machine is shipped to Gilat customers without a
secondary AC-502 NetEnforcer machine (redundant NetEnforcer machine), there is a
need to activate the internal Bypass unit.
To activate an internal Bypass unit for AC-502 NetEnforcer machine:
1. Log in to the NetXplorer Server application.
2. Right-click the NS1 QoS 1 (standalone) and select Configuration from the pop-up
menu.
3. On the Networking tab, select the checkbox next to the Enable Bypass Unit
option.

Figure 73: Enabling Internal Bypass Unit

4. Save the changes. The Reboot prompt is displayed.


5. Click Yes to reboot the NetEnforcer machine.

Appendix D: Loading a New License Key
To load a new License Key:
1. On the Navigation pane, select Network. The Network tree view is displayed.
2. Right-click NS1 QoS1 or NS2 QoS2 and select Configuration from the pop-up
menu. Configuration of the selected Allot NetEnforcer machine is displayed.
3. Click the Identification & Key tab. The Identification & Key tab is displayed.

Figure 74: Loading a New License Key

4. In the Activation Key field, enter the new key.


5. Save the changes.

Appendix E: Changing IP Address of Allot NetXplorer Linux Server
This section describes how to change the IP address of an Allot NetXplorer Server running
the Linux operating system.
To change IP address of Allot NetXplorer Linux Server:
1. Log on to the Allot NetXplorer Server machine with user name root and password
$SatCom$.
2. Stop the NetXplorer Service by running the command service netxplorer stop.
3. On the NetXplorer Server machine application GUI, go to System
Administrator Network.
4. Deactivate the ETH 0 interface:
a. In the Network Configuration screen, select the checkbox next to the ETH 0
nickname.
b. Click Deactivate.
c. Click OK.

Figure 75: Network Configuration - 1

5. Set the new IP address for the ETH 0 interface:


a. In the Ethernet Device screen, select the checkbox next to the Activate
device when computer starts option for the ETH 0 interface.

b. Set the IP Address to 172.17.7.1 and Subnet mask to 255.255.0.0.
c. Click OK.

Figure 76: Network Configuration - 2

6. Open a terminal window on the NetXplorer Server and type the command service
network restart.
7. Verify that the ETH 0 interface has the new IP address by running the command
ifconfig eth0.
8. Edit the swKeeper.ini file in the /opt/allot/conf folder.
• Change the hostname IP address under a task-java line.
9. Save and close the file.
10. Edit the hosts file under /etc to contain the new NetXplorer Server IP address.
11. Restart the NetXplorer Server machine.
12. Open a Telnet connection to the AC-502/1400 NetEnforcer machines and change
the IP address of the Time Server by typing the go config ips -ts
<NetXplorer ip address> command (for example: go config ips -ts
172.17.7.1).
13. Press Enter.


14. Verify that the IP address has been changed by typing the go config view ips
command.
15. Edit the /etc/ntp.conf file and change the default NetXplorer Server IP address
172.17.14.1 (SkyEdge) or 172.17.7.1 (SkyEdge II) to the updated NetXplorer IP
address.

Figure 77: Changing IP Address of Allot NetXplorer Linux Server

16. Save and exit the file.


17. On the NetEnforcer machine, run the following commands to restart the NTP
service:

Command                 Purpose
cd /etc/rc.d
ps -ef | grep ntp       Checks that the NTP service is running.
rc.ntp stop             Stops the NTP service.
ps -ef | grep ntp       Checks that the NTP service has stopped.
rc.ntp start            Starts the NTP service.

18. Wait 5 minutes and exit the NetEnforcer machine.


19. On the command prompt of the Management PC, type the command javaws
-uninstall to remove the Java application.
20. Open an Internet browser and enter the new IP address of the NetXplorer Server
machine.
21. Re-install the Java application, and then launch the NetXplorer Server application.
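
A check that can follow the address change above, as an added example that is not part of the original manual: it lists every line in the edited files (swKeeper.ini, the hosts file, ntp.conf) that still names the old NetXplorer Server address. The function name stale_ip_refs and the sample files are constructed, the old address 172.17.14.1 in the demonstration is the SkyEdge default the manual mentions, and awk is assumed to be available on the machine.

```shell
#!/bin/sh
# Added example (not from the manual). After the address change, list every
# line that still names the old NetXplorer Server address.

# stale_ip_refs OLD_IP FILE...
#   prints  file:line:text  for each line containing OLD_IP as a whole address
#   returns 0 = no reference left, 1 = references found, 2 = unreadable file
stale_ip_refs() {
    old_ip=$1
    shift
    rc_all=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
        # Split each line on every character that is not a digit or a dot and
        # compare the tokens literally, so that 172.17.14.1 does not match
        # 172.17.14.10 and the dots are never treated as wildcards.
        awk -v ip="$old_ip" -v name="$f" '
            {
                n = split($0, tok, /[^0-9.]+/)
                for (i = 1; i <= n; i++) {
                    sub(/\.+$/, "", tok[i])   # address followed by a full stop
                    if (tok[i] == ip) {
                        printf "%s:%d:%s\n", name, NR, $0
                        found = 1
                        break
                    }
                }
            }
            END { exit found ? 1 : 0 }
        ' "$f" || rc_all=1
    done
    return "$rc_all"
}

# Constructed demonstration: a hosts file that was not updated and an
# ntp.conf that only contains a look-alike address and the new address.
demo_stale_ip_refs() {
    dir=$(mktemp -d) || return 2
    printf '127.0.0.1 localhost\n172.17.14.1 netxplorer\n' > "$dir/hosts"
    printf 'server 172.17.14.10\nserver 172.17.7.1\n' > "$dir/ntp.conf"
    stale_ip_refs 172.17.14.1 "$dir/hosts" "$dir/ntp.conf"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_stale_ip_refs || true
```

On the NetXplorer Server the files to pass are /opt/allot/conf/swKeeper.ini and /etc/hosts; on a NetEnforcer machine, /etc/ntp.conf.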

Appendix F: Upgrading Allot NetXplorer Server Firmware
This section explains how to upgrade the Allot NetXplorer Server firmware in case it is
not recognized by the Allot NetXplorer Server machine (i.e., it indicates the Offline
status) after a sequence of reboots.

After the system has been successfully upgraded, monitor the system for the next
24 hours, covering all of the upgraded components in terms of network performance
(for example, throughput and latency) compared to the system version prior to the
upgrade operation.

In This Section
Verifying Firmware Version
Upgrading Firmware

Verifying Firmware Version


This section explains how to verify the firmware versions of BIOS, BMC, and FRUSDR
on the Allot NetXplorer Server machine (S3420GP).
The firmware versions must be as listed below (at least):
• BIOS - 0050
• BMC - 1.24
• FRUSDR - 20
To verify the firmware version:
1. Power up the NetXplorer Server machine.
2. While the NetXplorer Server machine is starting up, press F2, and then enter the
BIOS set-up. The BIOS screen is displayed.
3. On the BIOS screen, select the Main tab.
4. On the Main tab, select System BIOS and verify the version is at least
xxxxxx0050.
5. On the Server Management tab, select the System Information section.
6. In the System Information section, verify that the BMC version is at least 1.24.
7. If both versions (System BIOS and BMC) are lower than those stated above, proceed
to firmware upgrade (on page 111).

Upgrading Firmware
This section explains how to upgrade the firmware on the Allot NetXplorer Server
machine.

To upgrade firmware:
1. Insert a USB drive with the appropriate firmware file (for Gross Point – GPFW from
\\gna2\shared\pituach\540\SW modules\ServerFarm\Software\Allot\GPFW) into the
NetXplorer Server machine.
2. Power up the NetXplorer Server machine.
3. While the NetXplorer Server machine is starting up, press F2, and then enter the
BIOS set-up.
4. On the BIOS screen, select the Boot Manager tab.
5. On the Boot Manager tab, select Internal EFI Shell and press Enter.
6. Wait until you see a Shell prompt.
7. Verify that fs0 is displayed in the device mapping table.
8. On the Shell prompt:
a. Type the command fs0:.
b. Type the command cd GPFW.
c. Type the command startup.nsh, and then press Enter.
d. Press any key to continue.
9. Select 3 to update both SDR and FRU.
10. Select 6 for other chassis.
11. Select 4 for other chassis fast ramp.
12. For Does the system have chassis intrusion?, select n.
13. For Is a fan connected to the CPU connector?, select n.
14. For Is a fan connected to the sys fan1 connector?, select n.
15. For Is a fan connected to the sys fan2 connector?, select n.
16. For Is a fan connected to the sys fan3 connector?, select n.
17. For Is a fan connected to the sys fan4 connector?, select n.
18. For Would you like to update the chassis info area of the FRU?, select n.
19. For Would you like to update the product info area of the FRU?, select n.
20. Wait until the FRUSDR firmware update completes. BIOS is automatically updated.
21. Remove the USB drive from the NetXplorer Server machine.
22. Reboot the NetXplorer Server machine for the firmware upgrade to take effect.
23. If RAID has not yet been created, proceed to Section Defining RAID (on page 113).
24. Continue with the CentOS Kick-Start Image installation.

Appendix G: Defining RAID
This section explains how to define the RAID on the Allot NetXplorer Server machine, in
case the RAID indicates the Offline status while the Allot NetXplorer Server is starting
up.
To define RAID:
1. Power up the NetXplorer Server machine.
2. While the NetXplorer Server machine is starting up, press F2, and then enter the
BIOS set-up.
3. On the BIOS screen, select the Advanced tab.
4. On the Advanced tab, select Mass Storage Controller Configuration (or SATA
Controller Configuration).

Figure 78: Selecting Mass Storage Controller Configuration

5. Select Onboard SATA Controller (or Configure SATA as RAID) Enabled.

Figure 79: Enabling Onboard SATA Controller

6. Press F10 and then Enter.


7. On the prompt, select Yes to save and reboot.
8. After the NetXplorer Server machine completes the reboot sequence, press Ctrl+E
to verify / configure the RAID. The Management Menu screen is displayed.

Figure 80: Configuring RAID

9. Select Configure New Configuration.


10. On the Proceed prompt, select Yes. The PORT # screen is displayed.

Figure 81: Configuring RAID Ports

11. To change the ports' status from Ready to Online, highlight the ports # 0 and # 1
and press the space bar.
12. Press F10. The Select Configurable Array(s) screen is displayed.


Figure 82: Selecting Configurable Array(s)

13. Press the space bar.


14. When the SPAN-1 array appears on the screen, press F10. The Virtual Drive(s)
Configured screen is displayed.

Figure 83: Configuring Virtual Drive(s)

15. On the Virtual Drive 0 part of the screen, select Accept and press Enter.
16. Press Esc.
17. On the prompt, select Yes to save the configuration, and then press Esc twice.
18. On the Management Menu screen, select Initialize and press Enter.
19. On the Virtual Drive 0 screen, press the space bar. The marking has changed from
white to yellow.
20. Press F10 to initialize, and then select Yes on the prompt.
21. Press Enter. The Initialization process is started.

Figure 84: Starting Initialization Process

22. Wait until the Initialization process completes, and then press Esc three times to
exit the Initialize menu.
23. On the prompt, select Exit Yes.
24. To exit the RAID set-up, press Ctrl+Alt+Delete.

Appendix H: Upgrading NetAccounting Application on NetXplorer Linux Server
To upgrade the NetAccounting application on a NetXplorer Linux Server machine, the
old version of the NetAccounting application must be uninstalled and the new version of
NetAccounting application may then be installed.
To install the new version of the NetAccounting application, use the rpm -ev
<accounting file name.rpm> command.

Appendix I: Upgrading and Downgrading Allot NetEnforcer

After the system has been successfully upgraded, monitor the system for the next
24 hours, covering all of the upgraded components in terms of network performance
(for example, throughput and latency) compared to the system version prior to the
upgrade operation.

In This Section
Upgrade and Downgrade Prerequisites
Upgrading Allot NetEnforcer Software Version
Downgrading Allot NetEnforcer Software Version
Troubleshooting Upgrade/Downgrade of NetEnforcer Software Version

Upgrade and Downgrade Prerequisites


Before performing the upgrade / downgrade, verify that:
• The NetEnforcer software version you are about to upgrade/downgrade to is lower
than or equal to the software version of the NetXplorer Server.
For example, NetXplorer version is 11.1 and NetEnforcer version is 11.2, and you
are about to downgrade the NetEnforcer to version 11.1; or NetXplorer version is
11.1 and NetEnforcer version is 10.2.1, and you are about to upgrade the
NetEnforcer to version 11.1.
In any case, to avoid the software mismatch, the upgrade/downgrade process
should be performed when the NetEnforcer is not configured on the NetXplorer
Server.
If the NetEnforcer has already been added to the NetXplorer Server, and the
software version of the NetEnforcer is higher than the software version of the
NetXplorer, refer to Section Downgrading Allot NetEnforcer Software Version
(on page 120).
• The NetEnforcer software version is on an accessible FTP server.
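
The version prerequisite above, expressed as a check (added example, not part of the original manual or of Allot's software). The function names version_cmp and plan_ne_change are hypothetical, and two assumptions are made: a build suffix such as -35 or _B26 is ignored, and a missing component counts as 0, so 11.1 equals 11.1.0.

```shell
#!/bin/sh
# Added example (not from the manual): apply the prerequisite
# "target NetEnforcer version <= NetXplorer Server version".

# version_cmp A B
#   prints -1, 0 or 1 for A<B, A=B, A>B; returns 2 on malformed input.
#   Assumptions: build suffixes (-35, _B26) are ignored, missing components
#   count as 0.
version_cmp() {
    va=${1%%[-_]*}
    vb=${2%%[-_]*}
    for v in "$va" "$vb"; do
        case $v in
            ''|*[!0-9.]*) echo "bad version: $1 / $2" >&2; return 2 ;;
        esac
    done
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}                     # leading component of each version
        cb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        ca=${ca:-0}
        cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then echo -1; return 0; fi
        if [ "$ca" -gt "$cb" ]; then echo 1; return 0; fi
    done
    echo 0
}

# plan_ne_change CURRENT_NE TARGET_NE NETXPLORER
#   returns 0 and prints the kind of change when the target is allowed,
#   returns 1 when the target is newer than the NetXplorer Server,
#   returns 2 on malformed input.
plan_ne_change() {
    cur_vs_target=$(version_cmp "$1" "$2") || return 2
    target_vs_nx=$(version_cmp "$2" "$3") || return 2
    if [ "$target_vs_nx" -gt 0 ]; then
        echo "blocked: target $2 is newer than NetXplorer $3"
        return 1
    fi
    case $cur_vs_target in
        -1) echo "upgrade $1 -> $2" ;;
        1)  echo "downgrade $1 -> $2" ;;
        0)  echo "no change: already at $2" ;;
    esac
}

# The two cases given in the prerequisite, then a target that violates it.
plan_ne_change 11.2 11.1 11.1
plan_ne_change 10.2.1 11.1 11.1
plan_ne_change 11.1 11.2 11.1 || true
```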

Upgrading Allot NetEnforcer Software Version


To upgrade Allot NetEnforcer software version:
1. On the Management PC, open a Telnet connection to one of the Allot NetEnforcer
machines.
2. At the user login prompt, type sysadmin.
3. At the password prompt, type sysadmin.
4. Type mkdir <version name>.
5. Type cd <version name>.

6. Access the FTP server from the NetEnforcer console and type ftp <FTP Server IP
Address>.
7. Copy the files in binary mode (after logging on, type: bin).
8. Copy the version files using the get or mget commands. Usually, there are two
version files (for example, ne-instl.sh/ac1k-instl.sh or ac1k-11.1.1-35.tgz).
9. When the download finishes, type bye. This closes the FTP session. Leave the Telnet
session open.
10. To change the file permissions, type chmod u+x ac1k-instl.sh.
11. To run the installation script, type ./ac1k-instl.sh.
12. The upgrade procedure could take up to 10 minutes and then the unit reboots. The
new key prompt is displayed.

During the upgrade, a new key may be required. For example, when upgrading
from version 10.2.1 to 11.1.1, a new key is required.

13. Perform either of the following:
• If the new version requires a new key, type go config key [key license] and
press Enter.
• Otherwise, press Enter and continue with the operation.

If the NetEnforcer machine keeps rebooting after the software version
upgrade, perform the procedure in Troubleshooting Allot NetEnforcer after
Upgrade/Downgrade (on page 121).

Downgrading Allot NetEnforcer Software Version

Make sure that the NetEnforcer machine is not connected to the system and is not
recognized by the NetXplorer Server (i.e., the NetEnforcer has not yet been added
to the NetXplorer Server).

To downgrade the NetEnforcer software version:


1. Log on to the NetXplorer Server application and remove the NetEnforcer machine.
2. Connect the NetEnforcer machine to the Console.
3. Type the command pre_downgrade to downgrade from AOS 11.2 to a previous
version. The script removes catalog entries that cannot be downgraded and warns
about possible hardware incompatibilities.
4. Go to the /home/sysadmin directory and make sure that it contains the
installation package ac1k-xxx.tgz and ac1k-instl.sh files.


5. Reinstall the software version by using the command ./ac1k-instl.sh -e. This
action restores the default configuration of the machine with its default IP address
22.22.22.22.
After the installation process completes, the following message is displayed: The
installation of vh-11.1.1-35.tgz [version number] finished
successfully. After the installation completes, reboot the NetEnforcer machine
by the command: ac_reboot.

If the NetEnforcer machine keeps rebooting after the software version
downgrade, perform the procedure in Troubleshooting Allot NetEnforcer after
Upgrade/Downgrade (on page 121).

6. After the NetEnforcer machine completes the reboot sequence, add a new license
key for the relevant software version by the command go config key <key
provided by Allot>.
7. Verify that the new key has been correctly added using the command go config
view key.
8. Log on to the NetXplorer Server application and add a new NetEnforcer machine
(on page 99).
9. Perform the same procedure for the second NetEnforcer machine.

Troubleshooting Upgrade/Downgrade of NetEnforcer Software Version
To troubleshoot the NetEnforcer machine in case it constantly reboots after upgrade or
downgrade:
1. Connect the NetEnforcer machine to the Console.
2. On the Reboot prompt, log in with user name root. For password, contact the Gilat
TechSupport representative for opening a case with Allot. Once the remote
connectivity to the problematic NetEnforcer machine is provided, the Allot
representative performs the following steps:
a. Type the command killall crond swKeeper vhKeeper.
b. Go to the /home/sysadmin directory and make sure that it contains the
installation package ac1k-xxx.tgz and ac1k-instl.sh files.
c. Reinstall the software version by using the command ./ac1k-instl.sh -e.
This action restores the default configuration of the machine with its default IP
address 22.22.22.22.
d. After the installation process completes, the following message is displayed:
The installation of vh-12.3.1-32.tgz [version number] finished
successfully.

3. Reboot the NetEnforcer machine by the command ac_reboot.
4. Log in with user name sysadmin and password sysadmin.
5. Configure the IP address, as described in Section Configuring IP Address
(on page 18).

Appendix J: Moving Database Contents from AC-402/802/804 to AC-1400/AC-502 NetEnforcer Machine (and Vice Versa)
This procedure is performed on the NetXplorer Server Linux machine in case you need
to replace the AC-402/802/804 database (NE_DB) with the AC-1400/AC-502 database
(AOS_DB).

Prior to opening a new database, make sure that the relevant NetEnforcer
machine (AC-402/802/804/1400/502) is connected to the NetXplorer Server.
Otherwise, the NetXplorer Server will not recognize the NetEnforcer machines.

To move database contents from AC-402/802/804 to AC-1400/AC-502 NetEnforcer machine:
1. Log in to the NetXplorer Server with the username root and password $SatCom$ or
connect to the NetXplorer Server using SSH from the Management PC.
2. Stop the NetXplorer service by typing the command service netxplorer stop.
• If the NetXplorer service does not stop after 5 minutes, check what process IDs
are still running using the command ps -ax | grep opt.
• If the SQL database is still running, remove the processes (each with a new
line), using the command kill -9 <process ID> and press Enter. Apply the
same command for all the processes until they are removed.
3. Verify that the NetXplorer Server is no longer running using the command service
netxplorer status.
4. Go to the /tmp/NXServer_post_install/DB_files folder and compress the
database using the command:
• For compressing the AC-402/802/804 database, type ./Comp_NX_NE_DB.sh
and press Enter.
• For compressing the AC-1400/502 database, type ./Comp_NX_AOS_DB.sh and
press Enter.

Since the NetXplorer service has been manually stopped before, the script may
indicate a failure while trying to stop the NetXplorer service.
Do not reboot the NetXplorer Server upon the script completion.

5. Upon script completion, open the required database:
• For opening the AC-402/802/804 database, type ./Open_NX_NE_DB.sh
• For opening the AC-1400/502 database, type ./Open_NX_AOS_DB.sh
6. Upon the script completion, restart the NetXplorer Server Linux machine using the
command init 6 and press Enter.

7. After the NetXplorer Server has completed the reboot sequence, verify that both
the NetXplorer service and database are running using the commands:
• service netxplorer status - shows whether the NetXplorer Server is running
and the process ID number.
• ps -ax | grep opt - shows several SQL process IDs.
8. Operate the NetXplorer Server application from the Management PC.

Appendix K: Upgrading Allot NetXplorer Software Version on Linux

For upgrading Allot NetXplorer Server version from 11.2 to 12.2, follow detailed
instructions in Chapter 3 - Upgrade Procedures of the NX Installation and
Admin Guide R9 (12.2) and/or Chapter 5 - Software Upgrade of the
NX-SMP12.2 Release Notes v2r15 that can be found in \\gna2\pituach\540\SW
modules\ServerFarm\Software\Allot\Allot_NX_Server_12.2.0-B7.
Upgrade the NetXplorer Server software version from 11.2 to 12.2 in two phases:
• From version 11.2 to 12.1
• From version 12.1 to 12.2

Before upgrading the NetXplorer Server machine, make sure that the db folder is
backed up on an external device (Management PC or removable drive).

Make sure that the following ports are opened in the RAR:
• TCP/80 HTTP
• TCP/3873 Catalog Interaction with the Server
• TCP/443 SSL
• TCP/1098 The RMI service bind address
• TCP/1099 JNP server bind address
• TCP/4446 RMI Object ports
• TCP/4457 Alarms
• TCP/50010 Alarms
• UDP/161 SNMP
• UDP/162 SNMP Trap
• UDP/123 NTP
• TCP/123 NTP

To upgrade the NetXplorer Server on Linux:


1. On the cmd prompt, type service netxplorer stop to stop the NetXplorer
service.
2. Download the new version of NetXplorer Server from Allot website to the
Management PC.
3. Connect via SSH from the Management PC to the NetXplorer Server machine.
4. From the Management PC, open an FTP connection and get the
<netxplorer-XXX-X.i386.rpm> package.
5. Upgrade the Java JDK software to the most recent version with no dependencies
(i.e., U option) by entering the following command:
rpm -U <JDK filename> --nodeps.

There are two hyphens ("-") before the last parameter.
Use the exact Java name, including the correct update number (e.g., rpm -U
jdk-6u20-linux-amd64.rpm --nodeps).

6. To upgrade the NetXplorer software, use the U option and type rpm -Uvh
<filename>.rpm (e.g., rpm -Uvh netxplorer-12.2.0-7.i386.rpm).
7. When the upgrade process is finished, start the NetXplorer service.
• Connect via SSH from the Management PC to the NetXplorer Server machine.

Wait until you receive an OK message. It may take several minutes.

8. Verify that the NetXplorer Server is up by typing ps -ef | grep /opt/allot.

If the NetXplorer service is not activated within 20 minutes, contact Allot Technical
Support at support@allot.com.

Appendix L: Upgrading Satellite / Application Switch Configuration
To upgrade configuration of the Satellite and Application switches while applying the
Flex-Link mechanism, follow the links below:
• \\gna2\pituach\540\SW modules\HUB Architecture SE & SEII\HUB Architecture SE II\6.5P7\Switch Configuration\Cisco 2960G\Installation\Allot Flex and Udld Update
• \\gna2\pituach\540\SW modules\HUB Architecture SE & SEII\HUB Architecture SE II\6.5P7\Switch Configuration\Cisco 2960S\Installation\Allot Flex and Udld Update

Appendix M: Installing Patches after Upgrade to Version 11.2.200-B2 on AC-1400

The procedures described in this section are relevant for the SkyEdge II system
only.

In This Section
Installing Script for Fixing Extra Space on Telnet Prompt on AC-1400
Installing Script for Fixing Switchover on AC-1400
Verifying AC-1400 Operation after Running Post-Upgrade Script

Installing Script for Fixing Extra Space on Telnet Prompt on AC-1400
This section describes how to install a script that fixes an extra space on Telnet prompt
when logging in to the AC-1400 machine via Telnet.

The script must be installed on all AC-1400 machines with software version
11.2.200-B2 ONLY.

To install a script for fixing the extra space on a Telnet prompt when logging in to the
AC-1400:
1. From the Repository folder (\\gna2\shared\pituach\540\SW modules\ServerFarm\Software\Allot\AC-1400\AOS_11_2_200-B2\Telnet_Prompt_fix\),
download the xg-gilat.sh script to the FTP shared folder on the
Management PC.
2. Open a Telnet connection to the NetEnforcer AC-1400 and open an FTP session to
the Management PC.
3. Download the xg-gilat.sh script to the /home/sysadmin directory of the
NetEnforcer device.
4. Close the FTP session.
5. On the NetEnforcer AC-1400:
• Run the command chmod +x xg-gilat.sh and press Enter.
• Run the command sudo /home/sysadmin/xg-gilat.sh and press Enter.
6. Log off the NetEnforcer AC-1400.
7. Perform steps 2 - 6 for the other NetEnforcer AC-1400 device (must be with
software version 11.2.200-B2).

Installing Script for Fixing Switchover on AC-1400
This section describes how to install the script xg-fix-bw.sh on the Allot NetEnforcer
AC-1400. This script fixes the switchover of the command set_device_bw_limits
-external <value> that has affected the device’s Outbound (Gilat’s Inbound) instead
of the device’s Inbound (Gilat’s Outbound) path.

The patch must be installed only on software version 11.2.200-B2. There is no
need to install this patch on former software versions.
The new DPS syntax that supports Allot post-upgrade patch is available in
SkyEdge II versions 6.5P2 (build 06.05.02.13) and 6.5P3 (build 06.05.03.02).

To install a script for fixing switchover of the command on AC-1400:


1. From the Repository folder (\\gna2\shared\pituach\540\SW modules\ServerFarm\Software\Allot\AC-1400\AOS_11_2_200-B2\BW_command_fix_on_AOS),
download the xg-fix-bw.sh script to the FTP shared folder on the
Management PC.
2. Open a Telnet connection to the NetEnforcer AC-1400 and open an FTP session to
the Management PC.
3. Download the xg-fix-bw.sh script to the /home/sysadmin directory of the
NetEnforcer device.
4. Close the FTP session.
5. On the NetEnforcer AC-1400:
• Run the command chmod +x xg-fix-bw.sh and press Enter.
• Run the command sudo /home/sysadmin/xg-fix-bw.sh and press Enter.
6. Log off the NetEnforcer AC-1400.
7. Perform steps 2 - 6 for the other NetEnforcer AC-1400 device (must be with
software version 11.2.200-B2).

Verifying AC-1400 Operation after Running Post-Upgrade Script
This section describes how to verify the AC-1400 operation after running the
post-upgrade scripts. The verification test must be done for every NetEnforcer
AC-1400 device with software version 11.2.200_B2 that Gilat is shipping out to
customers.
To verify the AC-1400 operation after running the post-upgrade scripts:
1. On the SkyEdge II NMS, disable QoS on DPS (on page 24).
a. From the QoS Server installed drop-down list, select No.
b. Save and commit the configuration changes.
c. Reboot the DPS.
2. Start an FTP Download session from a PC behind a VSAT to another PC that is
connected to the Application switch (can be an FTP session to the Management PC
or another Server).


3. Download a file of at least 100 MB (so that the download will not end
before the test completes).
4. Log in to the NetEnforcer AC-1400 device and run the command acmon.
The command output shows the current traffic that is passing through the device’s
Inbound (Gilat’s Outbound) and Outbound (Gilat’s Inbound) path.
5. Log in to the NetEnforcer AC-1400 device and run the command
set_device_bw_limits repeatedly (every few seconds).
For example:

set_device_bw_limits -external 2000
set_device_bw_limits -external 4000
set_device_bw_limits -external 3000
set_device_bw_limits -external 5000
set_device_bw_limits -external 2000

6. Verify that the bandwidth remains steady and is limited by the limit stated in the
command (see the example above). For example, if you run the command
set_device_bw_limits -external 2000, then the bandwidth should not exceed
this speed. If you change the bandwidth to a different value, you should see a change
in the Inbound value stated in the acmon script.
7. On the NetXplorer Server application GUI, open a graph view per the NetEnforcer
device to monitor bandwidth statistics.
8. Log in to the Application switch and shut port 10.
9. Perform steps 2 - 8 for the other NetEnforcer AC-1400 device.
10. Log in to the Application switch and shut port 10.
11. Enable QoS on DPS as described in Section Enabling QoS on DPS (on page 24).

Appendix N: Installing Patches after Upgrade to Version 12.2.3_B26 on AC-502

The procedures described in this section are relevant for the SkyEdge II system
only.

In This Section
Installing Script for Fixing Extra Space on Telnet Prompt on AC-502
Installing Script for Fixing Links Status on AC-502

Installing Script for Fixing Extra Space on Telnet Prompt on AC-502
This section describes how to install a script that fixes an extra space on Telnet prompt
when logging in to the AC-502 machine via Telnet.

The script must be installed on all AC-502 machines with software version
12.2.3_B26 ONLY.
The new DPS syntax that supports Allot post-upgrade patch is available in
SkyEdge II versions 6.5P2 (build 06.05.02.13) and 6.5P3 (build 06.05.03.02).

To install a script for fixing the extra space on a Telnet prompt when logging in to the
AC-502:
1. From the Repository folder (\\gna2\shared\pituach\540\SW modules\ServerFarm\Software\Allot\AC-502\AC502-AOS12.2.3-B26\Telnet_Prompt_fix\),
download the xg-gilat.sh script to the FTP shared folder on the
Management PC.
2. Open a Telnet connection to the NetEnforcer AC-502 and open an FTP session to the
Management PC.
3. Download the xg-gilat.sh script to the /home/sysadmin directory of the
NetEnforcer device.
4. Close the FTP session.
5. On the NetEnforcer AC-502:
• Run the command chmod +x xg-gilat.sh and press Enter.
• Run the command sudo /home/sysadmin/xg-gilat.sh and press Enter.
6. Log off the NetEnforcer AC-502.
7. Perform steps 2 - 6 for the other NetEnforcer AC-502 device (must be with software
version 12.2.3_B6).

Installing Script for Fixing Links Status on AC-502
This section describes how to install a script that fixes the links status, when the
External 2 and Internal 2 links are down.

The script must be installed on all AC-502 machines with software version
12.2.3_B26 only.
There is no need to install this script on the newer software versions of AC-502
NetEnforcer machines.

To install a script for fixing the links status on AC-502:


1. From the Repository folder (\\gna2\pituach\540\SW
modules\ServerFarm\Software\Allot\AC-502\AC502-AOS12.2.3-B26\FixforAC502
ver12_2_3-B26NICdown\), download the xg-50x-fix.sh script to the FTP shared
folder on the Management PC.
2. Open a Telnet connection to the NetEnforcer AC-502 and open an FTP session to the
Management PC.
3. Download the xg-50x-fix.sh script to the /home/sysadmin directory of the
NetEnforcer device.
4. Close the FTP session.
5. On the NetEnforcer AC-502:
• Run the command chmod +x xg-50x-fix.sh and press Enter.
• Run the command sudo /home/sysadmin/xg-50x-fix.sh and press Enter.
• Reboot the NetEnforcer AC-502 by using the command ac_reboot.
6. Log off the NetEnforcer AC-502.
7. Perform steps 2 - 6 for the other NetEnforcer AC-502 device (must be with software
version 12.2.3_B6).

Appendix O: Installing Allot AC-502 and AC-1400 in SkyEdge System
In This Section
Procedure Overview
Installing and Configuring Server Farm of Version 5.X.X
Installing and Configuring Server Farm of Version 15.X.X

Procedure Overview
To support Allot AC-502/AC-1400 devices and NetXplorer Server operation based on
the Active-Active Redundancy concept in SkyEdge system, the Cisco 2950 switch type
must be replaced with the Cisco 2960 switch type as follows:
• Replace the Satellite switch with the Cisco 2960 24 ports.
• In a system with Server Farm of version 5.X.X, use a new switch Cisco 2960 24 ports.
• In a system with Server Farm of version 15.X.X, replace the SF CID Extension switch with Cisco 2960 24 ports.

For information on how to convert the database contents that have been running
on Windows NetXplorer Server machine to Linux NetXplorer Server machine, see
Migrating Allot NetXplorer Server from Windows to Linux (TS) Reference Guide,
DC-002866(X).

Installing and Configuring Server Farm of Version 5.X.X


For the SkyEdge system with Server Farm of version 5.X.X, perform the following
actions:
1. Keep the Management ports of NetEnforcer machines on the Application Switch
connected to ports Fa0/21 and Fa0/22.
2. Disconnect two External ports of NetEnforcer machines from the CID Switch and
connect them to the ports 21 and 22 on the QoS Switch.
3. Connect the QoS Switch to the port Fa0/4 (VLAN 16 and 17) on the Application
Switch.
4. Connect the port 7 on the QoS Switch to the port 15 (VLAN 24/Trunk) on the CID
Switch.
5. Configure Flex links on the port 21 of the QoS Switch.
6. Configure Flex links on the port 13 of the Satellite Switch.
7. Connect the NetXplorer Server machine to the port 23 on the Application Switch.

If there is no available port on the Application switch to connect the NetXplorer on
VLAN 17, connect the NetXplorer Server to port 2 on the QoS switch and configure
it accordingly.

Server Farm Network Architecture for Version 5.X.X

Figure 85: Server Farm Network Architecture for Version 5.X.X

Preparing QoS System for Server Farm 5.X.X Installation


Below you can find the wiring preparations for installing QoS system with Server Farm
of version 5.X.X that supports operation of Allot AC-502 and AC-1400 machines.
Table 2: Application Switch 24 Ports
Port Number | Connected to Device | Port Type | Before the Change
Fa0/4 | Spare IPE2 data / QoS Switch P. Gi0/23 | 16, 17/Trunk | Spare IPE2 data
Fa0/15 | Spare Port/Free | | QoS 2 External
Fa0/21 | QoS 1 Mng | 17 | No change
Fa0/22 | QoS 2 Mng | 17 | No change
Fa0/23 | NetXplorer Server | 17/Access | New Port


Table 3: Satellite Switch 24 Ports
Port Number | Connected to Device | Port Type | Before the Change
Fa0/13 | QoS 1 Internal | 24/Trunk | QoS 1 External
Fa0/15 | QoS 2 Internal | 24/Trunk | QoS 2 External

Table 4: QoS Switch 24 Ports
Port Number | Connected to Device | Port Type
Fa0/7 | CID P.15 | 24/Trunk
Fa0/21 | QoS 1 External | 24/Trunk
Fa0/22 | QoS 2 External | 24/Trunk
Fa0/23 | Application Switch P.4 | 16, 17, 23/Trunk

Configuring QoS Switch


To configure the QoS switch:
1. To configure the QoS switch global configuration with UDLD errdisable state, use
the following commands:

errdisable recovery cause udld
errdisable recovery interval 30

2. To configure the QoS switch port Fa0/7 connected to the CID port 15, use the
following example:

interface FastEthernet0/7
description CID App P.15
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate

3. To configure the QoS switch port Fa0/21 connected to the External port of QoS 1
(Primary), use the following example:

interface FastEthernet0/21
description NS1 QoS 1 Ext_Flex
switchport backup interface FastEthernet0/22 preemption mode forced
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

4. To configure the QoS switch port Fa0/22 connected to the External port of QoS 2
(Secondary), use the following example:

interface FastEthernet0/22
description NS1 QoS 2 Ext
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

5. To configure the QoS switch port Fa0/23 connected to the Application switch P.4,
use the following example:

interface FastEthernet0/23
description Application Switch P.4
switchport trunk allowed vlan 16,17,23
switchport mode trunk
switchport nonegotiate

6. Save the configuration using the wr command.
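
The trunk and Flex Links settings in the steps above can be checked against a saved switch configuration. The following is an added example, not part of the original manual or of any Cisco or Allot tool: it parses text in show running-config layout and reports trunks that lack switchport nonegotiate or a restricted VLAN list, and Flex Links pairs whose two members differ. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout, built from the Fa0/21 and Fa0/22 steps.
SAMPLE_CONFIG = """\
errdisable recovery cause udld
errdisable recovery interval 30
!
interface FastEthernet0/21
 description NS1 QoS 1 Ext_Flex
 switchport backup interface FastEthernet0/22 preemption mode forced
 switchport trunk allowed vlan 24-25,29-1001
 switchport mode trunk
 switchport nonegotiate
 udld port aggressive
!
interface FastEthernet0/22
 description NS1 QoS 2 Ext
 switchport trunk allowed vlan 24-25,29-1001
 switchport mode trunk
 switchport nonegotiate
 udld port aggressive
"""

def parse_config(text):
    """Split a running-config into global lines and per-interface commands."""
    global_lines, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface ") and not raw[0].isspace():
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and raw[0].isspace():
            current.append(line)          # indented line belongs to the interface
        else:
            current = None
            global_lines.append(line)
    return global_lines, ifaces

def allowed_vlans(cmds):
    """Return the set of VLANs a trunk carries, or None if it is unrestricted."""
    vlans = None
    for cmd in cmds:
        m = re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", cmd)
        if m:
            vlans = set() if vlans is None else vlans
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(text):
    """Return findings for trunk hardening and Flex Links pair consistency."""
    global_lines, ifaces = parse_config(text)
    findings = []
    if "errdisable recovery cause udld" not in global_lines:
        findings.append("global: no errdisable recovery for udld")
    for name, cmds in ifaces.items():
        if "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: trunk still negotiates DTP")
            if allowed_vlans(cmds) is None:
                findings.append(f"{name}: trunk carries all VLANs")
        m = re.search(r"^switchport backup interface (\S+)", "\n".join(cmds), re.M)
        if not m:
            continue
        backup, peer = m.group(1), ifaces.get(m.group(1), [])
        if allowed_vlans(cmds) != allowed_vlans(peer):
            findings.append(f"{name}+{backup}: allowed VLAN lists differ")
        for port, port_cmds in ((name, cmds), (backup, peer)):
            if "udld port aggressive" not in port_cmds:
                findings.append(f"{port}: Flex Links member without aggressive UDLD")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns an empty list; the same function can be run on the saved configuration of the Satellite or CID Extension switch, where the Flex Links pair uses different port numbers.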

Configuring Satellite Switch


To configure the Satellite switch:
1. To configure the Satellite switch global configuration with UDLD errdisable state,
use the following commands:

errdisable recovery cause udld
errdisable recovery interval 30

2. To configure the Satellite switch port Fa0/13 connected to the Internal port of QoS
1 (Primary), use the following example:

interface FastEthernet0/13
description NS1 QoS 1 Int_Flex
switchport backup interface FastEthernet0/15 preemption mode forced
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

3. To configure the Satellite switch port Fa0/15 connected to the Internal port of QoS
2 (Secondary), use the following example:

interface FastEthernet0/15
description NS1 QoS 2 Int
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

4. Save the configuration using the wr command.


Configuring Application Switch


To configure the Application switch:
1. To configure the Application switch port Fa0/4 connected to the QoS switch port
Fa0/23, use the following example:

interface FastEthernet0/4
description Spare/IPE 2 Data / QoS switch P.23
switchport trunk allowed vlan 16,17,23
switchport mode trunk
switchport nonegotiate
no shutdown

2. To configure the Application switch port Fa0/23 connected to the Management
port Eth0 of NetXplorer Server, use the following example:

interface FastEthernet0/23
description QoS Mng PC
switchport access vlan 17
switchport mode access

3. Save the configuration using the wr command.

Installing and Configuring Server Farm of Version 15.X.X


For the SkyEdge system with Server Farm of version 15.X.X, perform the following
actions:
1. Keep the Management ports of NetEnforcer machines on the Application Switch and
connect them to the ports 30 and 31 on the Satellite Switch.
2. Configure Flex links on the port 20 of the CID Ext Switch.
3. Configure Flex links on the port 13 of the Satellite Switch.
4. Connect the NetXplorer Server machine to the port 23 of the Application Switch.

Server Farm Network Architecture for Version 15.X.X

Figure 86: SkyEdge Server Farm Network Architecture - Version 15.X.X

Preparing QoS System for Server Farm 15.X.X Installation


Below you can find the wiring preparations for installing QoS system with Server Farm
of version 15.X.X that supports operation of Allot AC-502 and AC-1400 machines.
Table 5: Application Switch 24 Ports
Port Number | Connected to Device | Port Type | Before the Change
Fa0/15 | Spare Port/Free | | QoS 2 External
Fa0/21 | QoS 1 Mng | 17/Access | No change
Fa0/22 | QoS 2 Mng | 17/Access | No change
Fa0/23 | NetXplorer Server | 17/Access | New port

Table 6: Satellite Switch 24 Ports
Port Number | Connected to Device | Port Type | Before the Change
Fa0/13 | QoS 1 External | 24/Trunk | QoS 1 External
Fa0/15 | QoS 2 External | 24/Trunk | QoS 2 External


Configuring Satellite Switch


To configure the Satellite switch:
1. To configure the Satellite switch global configuration with UDLD errdisable state,
use the following commands:

errdisable recovery cause udld
errdisable recovery interval 30

2. To configure the Satellite switch port Fa0/13 connected to the Internal port of QoS
1 (Primary), use the following example:

interface FastEthernet0/13
description NS1 QoS 1 Int_Flex
switchport backup interface FastEthernet0/15 preemption mode forced
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

3. To configure the Satellite switch port Fa0/15 connected to the Internal port of QoS
2 (Secondary), use the following example:

interface FastEthernet0/15
description NS1 QoS 2 Int
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

4. Save the configuration using the wr command.

Configuring CID Extension Switch


To configure the CID Extension Switch:
1. To configure the CID Ext switch global configuration with UDLD errdisable state,
use the following commands:

errdisable recovery cause udld
errdisable recovery interval 30

2. To configure the CID Ext switch port Fa0/20 connected to the External port of QoS
1 (Primary), use the following example:

interface FastEthernet0/20
description NS1 QoS 1 Ext_Flex
switchport backup interface FastEthernet0/21 preemption mode forced
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

3. To configure the CID Ext switch port Fa0/21 connected to the External port of QoS
2 (Secondary), use the following example:

interface FastEthernet0/21
description NS1 QoS 2 Ext
switchport trunk allowed vlan 24-25,29-1001
switchport mode trunk
switchport nonegotiate
udld port aggressive

4. Save the configuration using the wr command.

Configuring Application Switch


To configure the Application switch:
1. To configure the port Fa0/23 connected to the Management port Eth0 of NetXplorer
Server, use the following example:

interface FastEthernet0/23
description QoS Mng PC
switchport access vlan 17
switchport mode access

2. Save the configuration using the wr command.

Appendix P: Verifying Bandwidth Changes from DPS to NetEnforcer AC-502/1400
The DPS updates the NetEnforcer machine with the available bit rate every 2 seconds.
To verify bandwidth changes:
1. On the Management PC, open a Telnet connection to one of the Allot NetEnforcer
machines.
2. At the user login prompt, enter sysadmin.
3. At the password prompt, enter sysadmin.
4. To verify that the NetEnforcer has correctly enforced the bandwidth:
• Type the set_device_bw_limits -show command. The output displays the
momentary bandwidth provided by the DPS to the NetEnforcer machine. The
output is displayed in bytes.
5. To view the bandwidth log changes that the NetEnforcer uses to enforce the
bandwidth:
a. Go to the /opt/allot/logs directory (cd /opt/allot/logs).
b. View the rsyslog.auth.log file.

Appendix Q: Applications with High Drop Precedence
• Mercura
• KaZaA
• Gnutella
• eDonkey
• WinMX
• Winny1
• BitTorrent
• Direct Connect
• Manolito
• Ares
• SoulSeek
• Hotline
• SoftEther
• FileTopia
• EarthStation
• Napster
• AudioGalaxy
• ExoSee
• Furthur
• Hopster
• Freenet
• Mute
• Share
• Waste
• Qnext
• Ants
• POCO
• 100BAO
• Kamun
• Real Link
• SouGood
• KuGoo
• Baidu
• Kuro
• Thunder
• 100GP2P
• iMesh
• Aimini
• NewWinny
• Maze
• Other
• NNTP
• BitTorrent Enc
• BitTorrent Tracker
• eDonkey Enc
• Pando
• Gnutella SSL
• BitTorrent-Torrent
• RapidShare
• MegaUpload
• BitTorrentDNA
• BitTorrentDHT
• VaGaa
• Ares Control
Appendix R: Activating Scheduled Reports Sending by Mail
In This Section
Procedure Overview
Configuring Permanent Route on Customer's RAR
Configuring Permanent Route on Windows-Based NetXplorer Server
Configuring Permanent Route on Linux-Based NetXplorer Server
Configuring Mail Server Properties
Scheduling Mobile Analytics Reports on NetXplorer Server

Procedure Overview
Perform the actions described herein in order to enable a customer to send the
scheduled reports by mail to Gilat Technical Support personnel:
1. Configure a customer's RAR to allow sending mails from the NetXplorer Server
machine (172.17.7.1) via the RAR to the customer's Intranet network.
2. On the Windows-based or Linux-based NetXplorer Server machine, configure a
permanent route to the RAR VLAN 17 interface (172.17.255.254) for the Gilat mail
server IP address.
3. Configure the mail server properties on the NetXplorer Server application and
schedule reports.

The customer should route the Intranet NetXplorer Server reports to the Internet link.
This action is the customer's responsibility.

Configuring Permanent Route on Customer's RAR


To configure a permanent route on a customer's RAR:
1. Access a customer's RAR configuration.
2. Type the following commands:

ip route 62.0.4.252 255.255.255.255 [INTRANET IP of the customer router]
ip nat outside source static 172.17.7.1 [Free INTRANET IP of the RAR] add-route
ip access-list extended INTRANET
 permit ip host 62.0.4.252 host [Free INTRANET IP of the RAR]
 permit ip host 62.0.4.252 host 172.17.7.1
ip access-list extended app_permissions
 permit ip host 172.17.7.1 host 62.0.4.252
 permit ip host 62.0.4.252 host 172.17.7.1

Configuring Permanent Route on Windows-Based NetXplorer Server
To configure a permanent route on the Windows-based NetXplorer Server machine:
1. Access a customer's NetXplorer Server machine via RDP.
2. Open the cmd window.
3. Type the command route add -p 62.0.4.252 mask 255.255.255.255 172.17.255.254,
where 62.0.4.252 is the mail.gilat.com public IP.

Configuring Permanent Route on Linux-Based NetXplorer Server
To configure a permanent route on the Linux-based NetXplorer Server machine:
1. Open an SSH connection to a customer's NetXplorer Server machine.
2. On the NetXplorer Server machine, double-click the System icon and select
Administrator Network.
3. In the Network window, click Edit.
4. Select the Route tab.
5. Click Add.
6. Define the route as follows:
ADDRESS0=62.0.4.252
MASK=255.255.255.255
GATEWAY0=172.17.255.254

7. Click OK.
8. Verify the new routing table by typing the commands:
• # route -n
• # netstat -nr

Configuring Mail Server Properties


To configure the mail server properties on the NetXplorer Server machine:
1. Log in to the NetXplorer Server application.
2. In the Navigation pane, right-click the Network node and select Configuration
from the pop-up menu. The Network screen with the Servers tab is displayed. The
Servers tab includes the parameters that enable the SMTP server to send reports
and handle alarm actions.


Figure 87: Servers Definitions

3. Configure the following parameters:


Parameter | Description
SMTP Server IP Address and Port Address | The IP address and Port of the SMTP server that is used for emailing alarms and reports.
Enable SMTP Server Authorization | Select this box to require the SMTP Server listed in the field above to be authorized. Authorization details are entered in the following fields.
SMTP User Name | The user name defined for the SMTP server.
SMTP Password | The password to be used for the defined SMTP username.
Confirm Password | The password to be used for the defined SMTP username. (When assigning a password, the password is entered again here for confirmation.)
'From' Email Address for Dispatched Alarms & Reports | The Email address that will be shown as the source of any notifications of Alarms or Events.
Allowed Hosts | Defines those hosts that will be allowed to access the NX server.

4. In the Network screen, select the SNMP tab. The SNMP tab includes parameters
that enable secure communications between NetXplorer and the NetEnforcers or
Service Gateways. Secure communications can be configured to include
authentication and/or encryption.

Upon saving any changes made in this SNMP panel, all NetEnforcer or Service
Gateway SNMP agents MUST have the same user name, passphrase for
authentication (if relevant), and passphrase for encryption (if relevant) as indicated
in the panel. If not, SNMP communications will not be successful.

SNMP must be enabled on the individual NetEnforcer or Service Gateways as well
as on the network.

Figure 88: Network SNMP Definitions

5. Configure the following parameters:


Parameter | Description
SNMP v3 User Name | The user name defined for the SNMP Server.
Security Level | The level of security for communications between the NetXplorer and NetEnforcer or Service Gateways: Authentication Only, No Privacy: Implements authentication without requiring encryption. No Authentication, No Privacy: Implements neither authentication nor encryption.
Passphrase for Authentication / Confirm Authentication Passphrase | The passphrase for authentication, entered twice for confirmation purposes. NOTE: These parameters are enabled only if the selected security level includes authentication.
Passphrase for Encryption / Confirm Encryption Passphrase | The passphrase for encryption, entered twice for confirmation purposes. NOTE: These parameters are enabled only if the selected security level includes encryption (Privacy).
IP Target for Receipt of SNMP Traps | The Application Server where SNMP traps are to be sent. The current server can be selected or the IP address of another server can be entered.
SNMP Timeout | The SNMP timeout may be entered, in milliseconds.
NX Agent | This field lists any NMS units that the NetXplorer will send specific external traps to, as selected in Event Types Configuration.

6. Save the configuration.

Scheduling Mobile Analytics Reports on NetXplorer Server

For more information, refer to NetXplorer Centralized, Proactive Management
of All Network Traffic Operation Guide, P/N D357102 R9, Allot
Communications LTD.

To schedule reports on the NetXplorer Server machine:


1. In the toolbar, click Actions and select New Report Entry New Report.
OR
2. In the Navigation pane, select Reports and right-click User Defined Reports.
Select New Report from the pop-up menu. The Report Identity dialog of the
Report Definition Wizard is displayed.

Figure 89: Report Definition Wizard - New Report

3. Enter the name of the report and a brief description of the report in the designated
fields, and click Next. The Report Topic dialog of the Report Definition Wizard is
displayed.
4. Select Network entity and click Next. The Report Subject dialog of the Report
Definition Wizard is displayed.
5. In the Report Term area, select Mobile.
6. In the Report Subject area, select the topic of the report.
7. Click Next. The first configuration tab of the Report Definition Wizard relevant for
your selected Mobile Analytics Report is displayed.
8. Click Next to continue to each configuration dialog until you reach the Schedule
dialog.
9. In the Schedule Details area, select a time for this report to be consistently
generated on an hourly, daily, weekly or monthly basis; a specific date and time for
this report to be generated, or to leave the report unscheduled at this time.
10. Select a Report format (JPG, PNG, CSV, XML, HTML or PDF) from the drop-down
menu.
11. Specify an email for the report to be sent to.


12. Click Next. The Report Definition Summary dialog of the Report Definition
Wizard is displayed.
13. Click Save. The scheduling information is saved and the new report definition is
added to the list of available customized reports.

Appendix S: References
• NetXplorer Centralized, Proactive Management of All Network Traffic
Operation Guide, P/N D357102 R9, Allot Communications LTD.
• NX Installation and Admin Guide R9 (12.3), Allot Communications LTD.
• NX-SMP12.2 Release Notes v2r 15, Allot Communications LTD.
• NX-SMP12 3 Release Notes v2 r9, Allot Communications LTD.
