WNG R2.1 Product Guides

PRODUCT GUIDES
Alcatel-Lucent 9900
WIRELESS NETWORK GUARDIAN | RELEASE 2.1
PRODUCT GUIDES
Alcatel-Lucent Proprietary This document contains proprietary information of Alcatel-Lucent and is not to be disclosed or used except in accordance with applicable agreements. Copyright 2010 Alcatel-Lucent. All rights reserved.
Alcatel-Lucent assumes no responsibility for the accuracy of the information presented, which is subject to change without notice. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. Copyright 2010 Alcatel-Lucent. All rights reserved.
Disclaimers
Alcatel-Lucent products are intended for commercial uses. Without the appropriate network design engineering, they must not be sold, licensed or otherwise distributed for use in any hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life-support machines, or weapons systems, in which the failure of products could lead directly to death, personal injury, or severe physical or environmental damage. The customer hereby agrees that the use, sale, license or other distribution of the products for any such application without the prior written consent of Alcatel-Lucent, shall be at the customer's sole risk. The customer hereby agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the products in such applications. This document may contain information regarding the use and installation of non-Alcatel-Lucent products. Please note that this information is provided as a courtesy to assist you. While Alcatel-Lucent tries to ensure that this information accurately reflects information provided by the supplier, please refer to the materials provided with any non-Alcatel-Lucent product and contact the supplier for confirmation. Alcatel-Lucent assumes no responsibility or liability for incorrect or incomplete information provided about non-Alcatel-Lucent products. However, this does not constitute a representation or warranty. The warranties provided for Alcatel-Lucent products, if any, are set forth in contractual documentation entered into by Alcatel-Lucent and its customers. This document was originally written in English. If there is any conflict or inconsistency between the English version and any other version of a document, the English version shall prevail.
When printed by Alcatel-Lucent, this document is printed on recycled paper.
Preface
The 9900 Wireless Network Guardian is a GUI-based system that is designed to manage data flows, and monitor network activities and demands for network resources.
About the guides

Table 1 describes the guides that are in this document.
Table 1 Product guides
Guide 9900 Wireless Network Guardian System Planning, Installation, and Upgrade Guide Description Contains information about:
planning and system architecture hardware installation and maintenance software maintenance and upgrades commissioning 9900 WNG system management interfaces configuration procedures network performance reporting and management network anomaly reporting and management security monitoring and administration user account administration and security database administration
9900 Wireless Network Guardian User Guide
Contains information about:
9900 Wireless Network Guardian System Administration and Security Guide
Contains information about:
Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
iii
Preface
Conventions used in this guide

Table 2 lists the conventions that are used throughout this guide.
Table 2 Documentation conventions
Convention Italics Key+Key KeyKey Description Identify a variable Type the appropriate consecutive keystroke sequence. Type the appropriate simultaneous keystroke sequence. Press the Return key. An em dash in a table cell indicates there is no information. A right arrow graphic following the menu label indicates that a cascading submenu results from selecting a menu item. Example hostname CTRL+G CTRLG HelpAbout
Important information
The following conventions are used to indicate important information:
Danger Danger indicates that the described activity or situation
may result in serious personal injury or death; for example, high voltage or electric shock hazards.
Warning Warning indicates that the described activity or situation
may, or will, cause equipment damage or serious performance problems.

Caution Caution indicates that the described activity or situation may, or will, cause service interruption.
Note Note provides important information that is, or may be, of special interest.
Acronyms and initialisms

The expansions and optional descriptions of most acronyms and initialisms appear in the glossary.
Procedures with options or substeps

When there are options in a procedure, they are identified by letters. When there are substeps in a procedure, they are identified by roman numerals.
iv
Preface
Procedure 1 Example of options in a procedure

At step 1, you can choose option a or b. At step 2, you must do what the step indicates. 1 This step offers two options. You must choose one of the following: a b 2 This is one option. This is another option.
You must perform this step.
Procedure 2 Example of substeps in a procedure

At step 1, you must perform a series of substeps within a step. At step 2, you must do what the step indicates. 1 This step has a series of substeps that you must perform to complete the step. You must perform the following substeps: i ii iii 2 This is the first substep. This is the second substep. This is the third substep.
You must perform this step.
Measurement conventions
Measurements in this guide are expressed in metric units and follow the Systeme International dUnites standard for abbreviation of metric units. If imperial measurements are included, they appear in brackets following the metric unit. Table 3 lists the measurement conventions used in this document but not covered by SI.
Table 3 Bits and bytes conventions
Measurement bit kilobit gigabit byte kilobyte megabyte (1 of 2) Symbol b kb Gb byte kbyte Mbyte
Preface
Measurement gigabyte (2 of 2)
Symbol Gbyte
Multiple PDF file search

You can use Adobe Reader, Release 6.0 or later, to search multiple PDF files for a term. Adobe Reader displays the results in a panel. The results are grouped by PDF file.
Note The PDF files that you search must be in the same folder.
Procedure 3 To search multiple PDF files for a term

1 2 3 4 5 6 Open the Adobe Reader. Choose EditSearch from the Adobe Reader main menu. The Search panel appears. Enter the term to search for. Select the All PDF Documents in radio button. Choose the folder in which to search using the drop-down menu. Select the following search criteria, if required:
Whole words only Case-Sensitive Include Bookmarks Include Comments
Click on the Search button. Adobe Reader displays the search results. You can expand the entries for each file by clicking on the + symbol.
Note After you click on a hyperlink, you can right-click and choose Previous View from the contextual menu to return to the location of the previous hyperlink.
Contact information
If you have questions or comments about this documentation, please contact: documentation.feedback@alcatel-lucent.com
vi
Contents
Preface
ix
About the guides ....................................................................................... ix Conventions used in this guide........................................................................ x Important information.................................................................. x Acronyms and initialisms............................................................... x Procedures with options or substeps ................................................. x Procedure 1 Example of options in a procedure.................................. xi Procedure 2 Example of substeps in a procedure ................................ xi Measurement conventions ............................................................ xi Multiple PDF file search.............................................................................. xii Procedure 3 To search multiple PDF files for a term ........................... xii Contact information .................................................................................. xii
vii
Contents
Planning, Installation, and Upgrade Guide

Planning and system architecture
1 9900 WNG system architecture
1.1 1.2 1.3
1-1
1.4 1.5
9900 WNG overview..................................................................... 1-2 9900 WNG Detector and Central ...................................................... 1-2 9900 WNG Detector .................................................................. 1-4 9900 WNG Central.................................................................... 1-4 9900 WNG hardware .................................................................... 1-5 9900 WNG Detector hardware...................................................... 1-5 9900 WNG Central hardware ....................................................... 1-6 Detecting hardware failures........................................................ 1-6 9900 WNG software ..................................................................... 1-6 Detecting software problems....................................................... 1-7 9900 WNG external user interfaces .................................................. 1-7
9900 WNG planning

2.1 2.2 2.3 2.4
2-1
2.5
2.6
Planning overview....................................................................... 2-2 9900 WNG Central and Detector server planning .................................. 2-2 9900 WNG Central planning ........................................................... 2-2 9900 WNG Detector planning.......................................................... 2-3 Processing data ....................................................................... 2-3 Tapping into the network ........................................................... 2-4 Estimating 9900 WNG Detectors needed ......................................... 2-5 Network technology ................................................................. 2-5 Determine location to view network activity .................................... 2-6 CDMA network activity .............................................................. 2-6 UMTS network activity .............................................................. 2-8 Geographic configuration for 9900 WNG Detectors ............................ 2-10 IP addresses and port numbers planning ........................................... 2-11 9900 WNG Central interfaces...................................................... 2-11 9900 WNG Detector interfaces .................................................... 2-11 Additional interfaces ............................................................... 2-11 Site preparation planning ............................................................. 2-12 9900 WNG server and rack hardware specifications ........................... 2-12 Rack-mount requirements ......................................................... 2-13 Power requirements ................................................................ 2-13 Cabling requirements............................................................... 2-14 Environmental requirements ...................................................... 2-15
viii
Contents
Hardware installation
3 Safety and regulatory specifications
3.1 3.2
3-1
3.3
Safety hazards ........................................................................... 3-2 Signal words........................................................................... 3-2 General hazard statements ......................................................... 3-3 Product use and safety guidelines .................................................... 3-3 Heed safety instructions ............................................................ 3-3 System power on and off............................................................ 3-4 Hazardous conditions, devices, and cables ...................................... 3-4 ESD and ESD protection ............................................................. 3-4 ESD and handling boards ............................................................ 3-4 Installing or removing jumpers..................................................... 3-4 Equipment handling practices...................................................... 3-4 Safety steps ........................................................................... 3-5 Cooling and airflow .................................................................. 3-5 Power supply.......................................................................... 3-5 Power cord warnings................................................................. 3-6 Equipment rack anchoring .......................................................... 3-6 Regulatory specifications .............................................................. 3-6 Product Safety Compliance ......................................................... 3-6 Product EMC Compliance - Class A Compliance ................................. 3-6
9900 WNG Detector and Central server installation

4.1 4.2 4.3 4.4
4-1
4.5
4.6
9900 WNG Detector and Central server installation overview ................... 4-2 Required hardware................................................................... 4-2 Power requirements .................................................................... 4-3 AC power supplies.................................................................... 4-3 DC power supplies.................................................................... 4-4 Receiving the shipment ................................................................ 4-5 Procedure 4-1 To inspect a 9900 WNG package ................................ 4-6 Installing the 9900 WNG server in a rack ............................................ 4-6 Prerequisites .......................................................................... 4-6 Rack installation...................................................................... 4-7 Procedure 4-2 To install the 9900 WNG in a 4-post rack ...................... 4-7 Procedure 4-3 To install the 9900 WNG in a 2-post rack ..................... 4-11 Grounding a DC-powered server ..................................................... 4-15 Prerequisites and safety precautions ............................................ 4-16 Procedure 4-4 To prepare the ground wire .................................... 4-16 Procedure 4-5 To ground the server............................................. 4-16 Connecting the cables ................................................................. 4-17 9900 WNG Central external ports................................................. 4-18 9900 WNG Detector external ports ............................................... 4-18 Cable connections................................................................... 4-19 Procedure 4-6 To connect cables for a 9900 WNG Detector ................ 4-19 Procedure 4-7 To connect cables for a 9900 WNG Central server .......... 4-20 Connecting power cables .......................................................... 4-20
ix
Contents
Powering up, powering down, and resetting 9900 WNG components

5.1 5.2 5.3 5.4
5-1
Powering up and down the 9900 WNG Central and Detector overview......... 5-2 Powering up the 9900 WNG Central and Detector .............................. 5-2 Powering down the 9900 WNG Central and Detector........................... 5-2 Powering up and down the 9900 WNG Central ..................................... 5-2 Procedure 5-1 To power up 9900 WNG Central ................................. 5-2 Procedure 5-2 To power down the 9900 WNG Central ........................ 5-3 Powering up and down a 9900 WNG Detector ...................................... 5-4 Procedure 5-3 To power up a 9900 WNG Detector ............................. 5-4 Procedure 5-4 To power down the 9900 WNG Detector....................... 5-5 Powering up, powering down, or resetting the 9900 WNG Detector or Central using the BMC device .................................................. 5-5 Procedure 5-5 To power up, power down, or reset a 9900 WNG Detector or Central using the BMC device.................................. 5-5
Commissioning
6 License requirements
6.1
6-1
6.2 6.3
Licensing overview ...................................................................... 6-2 License limit exceeded.............................................................. 6-2 License expiration.................................................................... 6-2 Retrieving license expiration data................................................. 6-3 Obtaining a license file................................................................. 6-3 Procedure 6-1 To obtain the host identifier of 9900 WNG Central .......... 6-3 Installing the license file on the 9900 WNG Central ............................... 6-3 Procedure 6-2 To install a new license on the 9900 WNG Central........... 6-4
Mandatory configuration procedures

7.1 7.2
7-1
Mandatory configuration procedures overview ..................................... 7-2 Mandatory configuration procedures................................................. 7-2 Procedure 7-1 To perform the prerequisites to configure the management interface and BMC LAN on a 9900 WNG server ............ 7-2 Procedure 7-2 To configure the management interface and BMC LAN on the 9900 WNG Central and Detector ............................... 7-3 Procedure 7-3 To provision the 9900 WNG Central ............................ 7-5 Procedure 7-4 To provision the 9900 WNG Detector server .................. 7-6
Contents
Hardware maintenance
8 Replacing CRUs
8.1 8.2 8.3 8.4
8-1
CRU overview ............................................................................ 8-2 Replacing hardware precautions...................................................... 8-2 Electrostatic discharge precautions ............................................... 8-3 Replacing a power supply.............................................................. 8-3 Procedure 8-1 To replace the power supply .................................... 8-3 Replacing a hard disk drive ............................................................ 8-4 Procedure 8-2 To replace a hard disk drive ..................................... 8-5
Software maintenance and upgrades

9 Managing software
9.1 9.2 9.3
9-1
9.4
9900 WNG software upgrade overview .............................................. 9-2 Software upgrade CLI commands ..................................................... 9-2 Software repositories................................................................... 9-3 Configuring the 9900 WNG Central server as the software repository ....... 9-4 Procedure 9-1 To configure the 9900 WNG Central as the software repository........................................................................ 9-4 Displaying the enabled software repository ..................................... 9-4 Procedure 9-2 To display the enabled software repository................... 9-4 Software upgrades and updates ...................................................... 9-5 Upgrading software .................................................................. 9-5 Procedure 9-3 To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository ......................... 9-6 Procedure 9-4 To upgrade software on the 9900 WNG Central and Detector using an external software repository ........................... 9-7 Procedure 9-5 To upgrade software on the 9900 WNG Central and Detector using a USB removable hard drive as the software repository........................................................................ 9-8 Displaying software packages ...................................................... 9-9 Procedure 9-6 To display the software packages that are in the software repository ............................................................ 9-9
xi
Contents
User Guide
9900 WNG overview
10 9900 WNG system
10.1 10.2 10.3
10-1
9900 WNG overview.................................................................... 10-2 Key 9900 WNG functions ........................................................... 10-2 Key 9900 WNG benefits ............................................................ 10-3 9900 WNG Detector and Central ..................................................... 10-4 9900 WNG Detector ................................................................. 10-6 9900 WNG Central................................................................... 10-6 9900 WNG external user interfaces ................................................. 10-7
11 9900 WNG new features

11.1
11-1
9900 WNG Release 2.1 features...................................................... 11-2
Configuration procedures
12 Optional configuration procedures
12.1 12.2
12-1
Optional configuration procedures overview ...................................... 12-2 9900 WNG Detector optional configuration procedures.......................... 12-2 Specifying the 9900 WNG Detector deployment mode ........................ 12-2 Procedure 12-1 To specify the 9900 WNG Detector deployment mode ............................................................................ 12-3 Configuring the RNC load threshold .............................................. 12-3 Procedure 12-2 To configure an RNC load threshold ......................... 12-4 Configuring CDMA RNC-to-PCF IP address mapping ............................ 12-4 Procedure 12-3 To configure RNC-to-PCF IP address mapping .............. 12-5 Configuring UMTS RNC-to-SAI mapping .......................................... 12-5 Procedure 12-4 To configure RNC-to-SAI mapping ............................ 12-6 Specifying the mobile IP address range.......................................... 12-7 Procedure 12-5 To specify the mobile IP address range ..................... 12-7 Modifying the anomaly event throttle rate ..................................... 12-8 Procedure 12-6 To modify the anomaly event throttle rate................. 12-8 Adding subnets to a whitelist ..................................................... 12-8 Procedure 12-7 To add subnets to a whitelist ................................. 12-8 Modifying the mobile dormancy timeout value................................. 12-9 Procedure 12-8 To modify the mobile dormancy timeout value .......... 12-10 Specifying the VLANs from which packets are captured .................... 12-10 Procedure 12-9 To include, exclude, clear, and show VLAN IDs to process ........................................................................ 12-10
xii
Contents
12.3
Disabling the reporting of specific anomaly events.......................... Procedure 12-10 To disable the reporting of an anomaly event .......... Specifying the intensity level for reporting anomaly events ............... Procedure 12-11 To specify the intensity level for a reported anomaly event ............................................................... Adding a detector to a 9900 WNG system ..................................... Procedure 12-12 To add a 9900 WNG Detector .............................. Copying files from a 9900 WNG Detector...................................... Procedure 12-13 To copy 9900 WNG Detector configuration files to another 9900 WNG Detector............................................... Deleting a 9900 WNG Detector.................................................. Procedure 12-14 To delete a 9900 WNG Detector........................... 9900 WNG Central optional configuration tasks................................. Adding entries to the application map table ................................. Procedure 12-15 To configure the application map table ................. Enabling the security event manager feed.................................... Procedure 12-16 To enable the security event manager feed ............ Loading a saved login banner ................................................... Procedure 12-17 To load a saved login banner .............................. Generating a public key .......................................................... Procedure 12-18 To generate and display a public key ....................
12-11 12-11 12-12 12-13 12-14 12-14 12-15 12-15 12-15 12-16 12-16 12-16 12-18 12-20 12-21 12-21 12-21 12-21 12-22
Internal and external interfaces

13 Interfaces overview
13.1 13.2
13-1
Interfaces overview.................................................................... 13-2 Logging in to 9900 WNG interfaces .................................................. 13-3
14 CLI
14.1
14-1
CLI overview ............................................................................ 14-2 Accessing the 9900 WNG Central and Detector................................. 14-2 CLI roles, privileges, and modes .................................................. 14-3 CLI timeout........................................................................... 14-5 Logging in to the CLI................................................................... 14-6 Logging in to the CLI on the 9900 WNG Central ................................ 14-6 Procedure 14-1 To log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform using SSH....................................... 14-6 Procedure 14-2 To log in to the CLI on the 9900 WNG Central from the GUI.......................................................................... 14-7 Accessing the CLI on the 9900 WNG Detector .................................. 14-7 Procedure 14-3 To log in to the CLI on the 9900 WNG Detector ............ 14-8 Changing modes and target servers ................................................. 14-8 Procedure 14-4 To change your mode on the 9900 WNG Central or Detector ........................................................................ 14-8 Procedure 14-5 To change target servers at the same mode................ 14-9 Procedure 14-6 To change your mode and target server................... 14-10 CLI command syntax ................................................................. 14-12
xiii
14.2
14.3
14.4
Contents
14.5
14.6
CLI navigation tips ................................................................... Displaying available commands ................................................. Using shortcuts .................................................................... Scrolling through commands .................................................... Paging through the CLI output .................................................. CLI commands ........................................................................
14-12 14-12 14-13 14-14 14-14 14-14
15 PC client installation
15.1 15.2 15.3
15-1
PC client installation overview....................................................... 15-2 PC client installation .................................................................. 15-2 Provisioning your PC ................................................................ 15-2 Procedure 15-1 To provision your PC............................................ 15-2 Launching the GUI client.............................................................. 15-3 Procedure 15-2 To launch the GUI client ....................................... 15-3 Deployment by Java Web Start ................................................... 15-3
16 GUI
16.1 16.2 16.3
16-1
GUI overview............................................................................ 16-2 Menu-based and dynamic navigation............................................. 16-2 Logging in to the GUI .................................................................. 16-2 Procedure 16-1 To log in to the GUI............................................. 16-2 GUI components ........................................................................ 16-2 GUI menus ............................................................................ 16-4 9900 WNG status indicators ....................................................... 16-4 Navigation menu and views in the workspace panel .......................... 16-6 Common features and functions ..................................................... 16-6 Sorting functions .................................................................... 16-6 Export functions ..................................................................... 16-7 Calendar and time widget ......................................................... 16-7 Using the whois query .............................................................. 16-7 Configuring the language on the GUI ............................................... 16-8 Procedure 16-2 To display the current language resource file.............. 16-8 Procedure 16-3 To install a language resource file ........................... 16-9 Configuring preference settings ..................................................... 16-9 Procedure 16-4 To change the default data retrieval settings .............. 16-9 Procedure 16-5 To change the default event reporting settings.......... 16-10 Procedure 16-6 To modify subscriber report preferences ................. 16-11 Procedure 16-7 To configure Network Graph preferences ................. 16-12 Procedure 16-8 To reset default configuration settings.................... 16-12
16.4
16.5 16.6
17 9900 WNG Central webpage

17.1
17-1
9900 WNG Central webpage .......................................................... 17-2 Procedure 17-1 To access the 9900 WNG Central webpage ................. 17-2
18 BMC
18.1
18-1
BMC....................................................................................... 18-2
xiv
Contents
19 SNMP
19.1 19.2 19.3 19.4
19-1
SNMP interface ......................................................................... 19-2 Configuring SNMPv1/v2c .............................................................. 19-3 Procedure 19-1 To specify the NMS servers and configure SNMPv1/v2c settings .......................................................... 19-3 Configuring SNMPv3 .................................................................... 19-5 Procedure 19-2 To configure SNMPv3 settings ................................. 19-5 SNMP user accounts.................................................................... 19-7 Procedure 19-3 To create an SNMP user account ............................. 19-8 Procedure 19-4 To create a n SNMP group ..................................... 19-8 Procedure 19-5 To delete an SNMP user account ............................. 19-8 Procedure 19-6 To delete an SNMP group ...................................... 19-8 Procedure 19-7 To display SNMP user accounts ............................... 19-8 Managing SNMP components.......................................................... 19-9 Procedure 19-8 To update SNMP location information ....................... 19-9 Procedure 19-9 To update the SNMP agent contact .......................... 19-9 Deleting SNMP components ......................................................... 19-10 Procedure 19-10 To delete IP addresses from an SNMP server ............ 19-10 Procedure 19-11 To delete an SNMP community ............................ 19-10 Procedure 19-12 To delete an SNMP host..................................... 19-11 Procedure 19-13 To delete an SNMP view .................................... 19-11 Configuring SNMP for anomaly, trend, and congestion alerts ................. 19-11 Procedure 19-14 To configure SNMP for anomaly, trend, and congestion alerts ............................................................ 19-11 SNMP commands...................................................................... 19-12 SNMP SET ........................................................................... 19-12 SNMP GET........................................................................... 19-12 SNMP TRAP ......................................................................... 19-12 SNMP MIBs ............................................................................. 19-15 Procedure 19-15 To access the SNMP MIBs ................................... 19-15
19.5 19.6
19.7 19.8
19.9
20 Motive API
20.1 20.2 20.3
20-1
20.4
Motive API ............................................................................... 20-2 Motive API security..................................................................... 20-3 Motive API user accounts ............................................................. 20-3 Procedure 20-1 To create a Motive API user account......................... 20-3 Procedure 20-2 To delete a Motive API user account......................... 20-3 Procedure 20-3 To display Motive API user accounts ......................... 20-4 Motive API CLI commands............................................................. 20-4 Adding Motive API subnets ......................................................... 20-4 Procedure 20-4 To add Motive API subnets..................................... 20-4 Deleting Motive API subnets ....................................................... 20-5 Procedure 20-5 To delete Motive API subnets ................................. 20-5 Displaying statistics and log files ................................................. 20-5 Procedure 20-6 To display Motive API statistics ............................... 20-6 Procedure 20-7 To display Motive API log file ................................. 20-6
xv
Contents
GUI components
21 Dashboard view
21.1 21.2 21.3
21-1
21.4 21.5
21.6
21.7
9900 WNG Central Dashboard View overview...................................... 21-2 Dashboard features ................................................................. 21-2 Dashboard View components ......................................................... 21-2 Dashboard elements ................................................................ 21-4 Plotting elements in the Dashboard View .......................................... 21-5 Maximum number of element plots .............................................. 21-5 Plotting procedures ................................................................. 21-5 Procedure 21-1 To plot an element in the dashboard ........................ 21-5 Procedure 21-2 To configure mandatory parameters for element charts ........................................................................... 21-5 Dashboard View components and controls ......................................... 21-8 Element display controls ........................................................... 21-9 Axes controls......................................................................... 21-9 Configuring optional properties for dashboard elements ........................ 21-9 Procedure 21-3 To configure optional preferences for intensity tables.......................................................................... 21-10 Procedure 21-4 To configure optional properties for element charts.... 21-11 Modifying chart display properties ................................................ 21-12 Right-click customization options .............................................. 21-12 Configuring chart display properties ........................................... 21-12 Procedure 21-5 To configure chart display properties ..................... 21-13 Moving a dashboard chart to a new dashboard .................................. 21-13 Procedure 21-6 To move an chart to a new dashboard..................... 21-13
22 Real-time Events views

22.1 22.2
22-1
22.3
22.4
Real-time Events overview ........................................................... 22-2 Common features and components in the Real-time Events View .......... 22-2 Real-time Events common components.......................................... 22-2 Anomaly Events view .................................................................. 22-5 Anomaly Events view components................................................ 22-6 Event Details in the Anomaly Events view ...................................... 22-7 Filtering Anomaly Events........................................................... 22-8 Procedure 22-1 To filter Anomaly Events....................................... 22-8 Working in the Anomaly Events view............................................. 22-9 Performance Events view ........................................................... 22-10 Performance Events view components ........................................ 22-10 Configuring a Performance Events filter ...................................... 22-11 Procedure 22-2 To filter Performance Events ............................... 22-11 Working in the Performance Events view ..................................... 22-11 Anomaly History view................................................................ 22-12 Anomaly History menu components and functions........................... 22-12 Filtering Anomaly History records .............................................. 22-12 Procedure 22-3 To filter Anomaly History records .......................... 22-13 Anomaly History view components ............................................. 22-14 Working in the Anomaly History view .......................................... 22-14
xvi
Contents
23 Forensic View
23.1 23.2 23.3 23.4
23-1
Forensic View overview ............................................................... 23-2 Generating Forensic View reports ................................................ 23-2 Forensic View menu components .................................................... 23-2 Forensic View tab ................................................................... 23-2 Historic View tab .................................................................... 23-3 Forensic View reports ................................................................. 23-3 Forensic reports components...................................................... 23-4 Working in the Forensic View ........................................................ 23-5 Operations in the Forensic Events Details panel ............................... 23-5 Querying data in the Forensic Events Details panel ........................... 23-6 Opening the Mobile Flow view .................................................... 23-6
24 Topology view
24.1 24.2 24.3 24.4 24.5
24-1
Topology view overview............................................................... 24-2 Element Tables view................................................................... 24-2 Working in the Element Tables ................................................... 24-5 Network Graph view ................................................................... 24-6 Opening the Network Graphs view ............................................... 24-6 Network Graph components and controls ....................................... 24-7 Working in the Network Graphs view ............................................... 24-8 Display functions .................................................................... 24-8 Operations in the Network Graph view ........................................ 24-10 Provisioning operations using the Network Element tables ................... 24-11 Naming convention................................................................ 24-11 Bulk provisioning NE groups from the Element Tables ...................... 24-11 Procedure 24-1 To provision NEs in bulk using the Network Element table........................................................................... 24-11 Searching for NEs using the Network Element table......................... 24-12 Procedure 24-2 To search for NEs using the Network Element table .... 24-12
25 Network Forensics view

25.1 25.2
25-1
25.3 25.4
Network Forensic view overview .................................................... 25-2 Hop reports .......................................................................... 25-2 Network Element reports .......................................................... 25-2 Network Forensic view menu components ......................................... 25-2 Generating a Network Forensic report........................................... 25-3 Procedure 25-1 To generate a network forensic report ...................... 25-3 History tab ........................................................................... 25-4 Network Forensic reports components ............................................. 25-4 Network Forensic concise report components .................................. 25-5 Network Forensic detailed report components................................. 25-5 Working in the Network Forensic view.............................................. 25-7 Export functions ..................................................................... 25-7 Sort functions for table data ...................................................... 25-7 Operations in the Network Forensic view ....................................... 25-7
xvii
Contents
26 System View
26.1 26.2 26.3
26-1
26.4 26.5
System View overview................................................................. 26-2 System View menu icons .............................................................. 26-2 System Events view .................................................................... 26-2 System Events components ........................................................ 26-3 System Events display preferences ............................................... 26-4 Procedure 26-1 To filter system events......................................... 26-5 System History view ................................................................... 26-5 Working in the System View .......................................................... 26-6 Operations............................................................................ 26-6
27 Mobile Flow view

27.1
27-1
27.2 27.3 27.4
Mobile Flow records overview........................................................ 27-2 Mobile Flow menu and query form components................................ 27-2 Generating Mobile Flow reports .................................................. 27-2 Procedure 27-1 To generate a Mobile Flow report ............................ 27-2 Mobile Flow record components ..................................................... 27-3 Event Details panel ................................................................. 27-5 Working in the Mobile Flow view .................................................... 27-7 Operations in the Mobile Flow Event Details panel ............................ 27-7 Opening Network Forensic reports from the Path tab......................... 27-8 Considerations regarding Mobile Flow measurements............................ 27-8 RTT measurements (in the Performance tab) .................................. 27-8 Throughput measurement (in the Performance tab) .......................... 27-8
28 CLI view
28.1
28-1 29-1
CLI view.................................................................................. 28-2
29 Subscriber view
29.1 29.2 29.3 29.4 29.5 29.6 29.7 29.8 29.9 29.10 29.11 29.12
Subscriber overview ................................................................... 29-2 Subscriber menu components ........................................................ 29-2 Subscriber view components ...................................................... 29-3 Active Reports and Historic Reports tabs........................................ 29-3 Characteristics of subscriber reports ............................................... 29-4 Generating subscriber reports ....................................................... 29-4 Acquiring subscriber IDs ............................................................ 29-4 Procedure 29-1 To configure and generate a subscriber report ............ 29-5 Components of subscriber reports................................................... 29-7 Statistics tab ............................................................................ 29-8 Top Applications tab................................................................... 29-8 Top Servers tab....................................................................... 29-10 Anomaly Events tab.................................................................. 29-11 Flow/Session tab ..................................................................... 29-11 Plots in the Flow/Session tab ................................................... 29-13 Flow Details button ............................................................... 29-14 Path tab components ................................................................ 29-14 Path panel interactions with Graphics view and Forensic reports......... 29-15 Billing tab ............................................................................. 29-15
xviii
Contents
Browser-based reporting and management

30 Browser-based reporting overview
30.1 30.2 30.3
30-1
30.4 30.5
30.6
Browser-based reporting overview .................................................. 30-2 Legacy reports ....................................................................... 30-2 Generating a browser-based report ................................................. 30-2 Procedure 30-1 To generate a browser-based report......................... 30-2 Input parameters page components................................................. 30-3 Report controls ...................................................................... 30-4 Filters ................................................................................. 30-4 Time parameter fields.............................................................. 30-4 Time zones ........................................................................... 30-5 Lag period to current time ........................................................ 30-5 Impact of daily summarization on early morning queries..................... 30-6 Report presentation page............................................................. 30-6 Tool tips .............................................................................. 30-6 Navigation icons on the presentation page ..................................... 30-6 Report types ............................................................................ 30-7 Time-series charts .................................................................. 30-7 Stacked area charts................................................................. 30-8 Cumulative distribution function charts ......................................... 30-9 Pie charts........................................................................... 30-10 Table reports ...................................................................... 30-11 Exporting reports..................................................................... 30-12 Export icons on the presentation page ........................................ 30-12 Exporting graphical reports to an Excel or a CSV file ....................... 30-13
31 Configuring browser-based reports

31.1 31.2 31.3 31.4
31-1
31.5 31.6 31.7
Browser-based reports parameters overview ...................................... 31-2 Network resource usage reports ..................................................... 31-2 Description of network resource usage reports ................................ 31-2 Parameters overview for network resource usage reports ................... 31-4 Network statistics reports ............................................................ 31-5 Description of network statistics reports........................................ 31-5 Parameters overview for network statistics reports........................... 31-8 Network elements reports .......................................................... 31-10 Description of network element reports ...................................... 31-10 Parameters overview for network element reports ......................... 31-22 Common configuration options for network reports ......................... 31-24 Hop reports ........................................................................... 31-25 Description of hop reports ....................................................... 31-26 Parameters overview for hop reports .......................................... 31-27 Security reports ...................................................................... 31-28 Description of security reports.................................................. 31-28 Subscriber reports.................................................................... 31-29 Description of subscriber reports ............................................... 31-30 Parameters overview for subscriber reports .................................. 31-35
xix
Contents
31.8
31.9 31.10
Applications reports ................................................................. Description of applications reports............................................. Parameters overview for applications reports................................ Configuring application parameters............................................ Devices reports ....................................................................... Description of device reports ................................................... Parameters overview for device reports ...................................... Troubleshooting ......................................................................
31-36 31-36 31-40 31-40 31-41 31-42 31-46 31-47
32 Subscriber Group Manager

32.1 32.2 32.3 32.4 32.5 32.6
32-1
Subscriber Group Manager overview ................................................ 32-2 Interactions with web-based subscriber reports ............................... 32-2 Subscriber Group Manager page components ...................................... 32-2 Creating a subscriber group .......................................................... 32-3 Procedure 32-1 To create a subscriber group.................................. 32-3 Searching for a subscriber ............................................................ 32-4 Procedure 32-2 To search for a subscriber ..................................... 32-4 Changing the subscriber group view ................................................ 32-4 Procedure 32-3 To change the subscriber group view ........................ 32-4 Importing subscriber data ............................................................ 32-5 Procedure 32-4 To import subscriber data ..................................... 32-5
Network anomaly reporting and management

33 Threat detection and network anomaly events
33.1 33.2 33.3 33.4 33.5 33.6
33-1
33.7
Threat detection and network anomalies overview .............................. 33-2 Threat detection in a CDMA network ............................................... 33-2 Inputs and outputs .................................................................. 33-3 Threat detection in a UMTS network................................................ 33-3 Inputs and outputs .................................................................. 33-5 High-level workflow to investigate an anomaly event ........................... 33-5 Procedure 33-1 To investigate an anomaly event ............................. 33-5 Network anomaly events.............................................................. 33-6 Wireless attack events ................................................................ 33-7 Signaling attacks from a single source ........................................... 33-7 Battery attacks from a single source............................................. 33-8 Distributed battery attacks ........................................................ 33-9 RNC overloads ..................................................................... 33-10 Single source mobile floods...................................................... 33-11 Distributed mobile floods ........................................................ 33-12 ICMP router discovery abuses ................................................... 33-13 Port scans and unwanted source events.......................................... 33-14 Horizontal port scan events ..................................................... 33-14 Vertical port scan events ........................................................ 33-15 Unwanted source .................................................................. 33-16
xx
Contents
33.8
33.9
Abusive subscriber events .......................................................... High-usage subscriber events ................................................... High signaling subscriber event ................................................. Always-active subscriber ......................................................... Peer-to-peer mobile traffic events............................................. Specifying the threshold values for anomaly events............................ Procedure 33-2 To specify the threshold values for an anomaly event ..........................................................................
33-17 33-17 33-18 33-19 33-20 33-21 33-21
System Administration and Security Guide

Security and user account administration
34 Security overview
34.1
34-1 35-1
Security overview ...................................................................... 34-2
35 Managing licenses
35.1 35.2
Viewing the current license status .................................................. 35-2 Procedure 35-1 To view licensing information using the CLI ................ 35-2 Viewing license violation system events............................................ 35-2
36 User account management

36.1
36-1
36.2
User account management overview................................................ 36-2 Roles .................................................................................. 36-2 Privileges ............................................................................. 36-2 Passwords............................................................................. 36-3 Managing user accounts ............................................................... 36-4 Creating a user account ............................................................ 36-5 Procedure 36-1 To create a user account with CLI, GUI, and Reports roles ............................................................................. 36-5 Changing passwords................................................................. 36-5 Procedure 36-2 To change the password for another user................... 36-6 Procedure 36-3 To change your password using the CLI ..................... 36-6 Procedure 36-4 To change your password using the GUI ..................... 36-6 Modifying privileges................................................................. 36-7 Procedure 36-5 To modify the privileges for a role ........................... 36-7 Modifying the name of an account ............................................... 36-7 Procedure 36-6 To modify the name of an account........................... 36-8
xxi
Contents
36.3
Setting the password timeout ..................................................... 36-8 Procedure 36-7 To reset the default timeout for all passwords ............ 36-8 Procedure 36-8 To reset the default timeout for a specific password ..... 36-8 Setting the idle timeout............................................................ 36-9 Procedure 36-9 To set the idle timeout for user accounts................... 36-9 Disconnecting users ................................................................. 36-9 Procedure 36-10 To disconnect one or all users from active GUI sessions ......................................................................... 36-9 Deleting user accounts ........................................................... 36-10 Procedure 36-11 To delete a user account ................................... 36-10 Monitoring user accounts ........................................................... 36-10 Displaying user accounts ......................................................... 36-11 Procedure 36-12 To display CLI, GUI, and Reports roles that are on the 9900 WNG Central ...................................................... 36-11 Procedure 36-13 To display user accounts with a pattern ................. 36-12 Displaying idle timeouts.......................................................... 36-12 Procedure 36-14 To display the idle timeout for the GUI and Reports roles ................................................................. 36-12
System monitoring and administration

37 Monitoring the 9900 WNG Central and Detector
37.1 37.2 37.3
37-1
37.4
37.5
Monitoring the 9900 WNG system.................................................... 37-2 Monitoring the 9900 WNG using log files ........................................... 37-2 Procedure 37-1 To view 9900 WNG log files using CLI ........................ 37-3 Sample log reports .................................................................. 37-3 Monitoring GUI reports and queries ............................................... 37-10 Subscriber Report ................................................................. 37-11 Network Forensic Element Report.............................................. 37-11 Network Forensic Hop Report ................................................... 37-11 Mobile Flow Query ................................................................ 37-12 Measuring system performance .................................................... 37-12 show stats .......................................................................... 37-13 show memory ...................................................................... 37-16 show system........................................................................ 37-17 show backhaul ..................................................................... 37-18 show compressionStatus ......................................................... 37-18 show top ............................................................................ 37-18 Monitoring a remote 9900 WNG Central and Detector using the BMC ....... 37-29 Procedure 37-2 To monitor a 9900 WNG Detector or Central remotely using the BMC .................................................... 37-30 Displaying the health status of the 9900 WNG Detector or Central ....... 37-31 Procedure 37-3 To display the health status of the 9900 WNG Detector or Central ......................................................... 37-31 Displaying the sensor status of the 9900 WNG Central or Detector ....... 37-31 Procedure 37-4 To display the sensor status of the 9900 WNG Central or Detector ......................................................... 37-32
xxii
Contents
38 System events
38.1 38.2 38.3 38.4 38.5 38.6 38.7 38.8 38.9 38.10 38.11 38.12 38.13 38.14
38-1
System events overview............................................................... 38-2 Viewing system events ............................................................. 38-2 System Event types ................................................................. 38-2 License Violation system event ...................................................... 38-2 Link Down system event .............................................................. 38-3 Clearing a Link Down event........................................................ 38-3 Process Down system event .......................................................... 38-3 Process Start system event ........................................................... 38-4 CPU Usage system event .............................................................. 38-4 Disk Usage system event .............................................................. 38-4 Exceptions for the 9900 WNG Central root partition .......................... 38-5 Memory Usage system event ......................................................... 38-5 No Packet system event............................................................... 38-6 Packet Drop system event ............................................................ 38-6 Line rate threshold system event.................................................... 38-6 Queue Usage system event ........................................................... 38-7 Hardware Failure system event ...................................................... 38-8 Swap Usage system event............................................................. 38-8
Database administration
39 Backup and restore
39.1
39-1
39.2
39.3
39.4 39.5
Backup and restore overview ........................................................ 39-2 Recommended frequency of full database backups ........................... 39-2 Restoring backup data.............................................................. 39-3 Location of backup and restore files ............................................. 39-3 Accessing SCP locations ............................................................ 39-3 Backup filename format ........................................................... 39-3 Backing up 9900 WNG Central files.................................................. 39-4 Procedure 39-1 To back up 9900 WNG Central files .......................... 39-4 Incremental backups of the reports database .................................. 39-5 Procedure 39-2 To perform an incremental backup of the reports database ........................................................................ 39-5 Restoring 9900 WNG Central files ................................................... 39-5 Procedure 39-3 To restore 9900 WNG Central files ........................... 39-5 Incrementally restoring report database files .................................. 39-6 Procedure 39-4 To restore reports database increments .................... 39-6 Backing up 9900 WNG Detector files ................................................ 39-7 Procedure 39-5 To backup a 9900 WNG Detector ............................. 39-7 Restoring 9900 WNG Detector files.................................................. 39-7 Procedure 39-6 To restore a 9900 WNG Detector ............................. 39-7
Glossary
Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA xxiii
Contents
Index
xxiv
PLANNING, INSTALLATION, AND UPGRADE GUIDE
Alcatel-Lucent 9900
PLANNING, INSTALLATION, AND UPGRADE GUIDE
Disclaimers
Alcatel-Lucent License Agreement

SAMPLE END USER LICENSE AGREEMENT
1. LICENSE
1.1 Subject to the terms and conditions of this Agreement, Alcatel-Lucent grants to Customer and Customer accepts a nonexclusive, nontransferable license to use any software and related documentation provided by Alcatel-Lucent pursuant to this Agreement ("Licensed Program") for Customer's own internal use, solely in conjunction with hardware supplied or approved by Alcatel-Lucent. In case of equipment failure, Customer may use the Licensed Program on a backup system, but only for such limited time as is required to rectify the failure. Customer acknowledges that Alcatel-Lucent may have encoded within the Licensed Program optional functionality and capacity (including, but not limited to, the number of equivalent nodes, delegate workstations, paths and partitions), which may be increased upon the purchase of the applicable license extensions. Use of the Licensed Program may be subject to the issuance of an application key, which shall be conveyed to the Customer in the form of a Supplement to this End User License Agreement. The purchase of a license extension may require the issuance of a new application key.
1.2
1.3
2. PROTECTION AND SECURITY OF LICENSED PROGRAMS

2.1 Customer acknowledges and agrees that the Licensed Program contains proprietary and confidential information of Alcatel-Lucent and its third party suppliers, and agrees to keep such information confidential. Customer shall not disclose the Licensed Program except to its employees having a need to know, and only after they have been advised of its confidential and proprietary nature and have agreed to protect same. All rights, title and interest in and to the Licensed Program, other than those expressly granted to Customer herein, shall remain vested in Alcatel-Lucent or its third party suppliers. Customer shall not, and shall prevent others from copying, translating, modifying, creating derivative works, reverse engineering, decompiling, encumbering or otherwise using the Licensed Program except as specifically authorized under this Agreement. Notwithstanding the foregoing, Customer is authorized to make one copy for its archival purposes only. All appropriate copyright and other proprietary notices and legends shall be placed on all Licensed Programs supplied by Alcatel-Lucent, and Customer shall maintain and reproduce such notices on any full or partial copies made by it.
2.2
3. TERM
3.1 This Agreement shall become effective for each Licensed Program upon delivery of the Licensed Program to Customer.
iii
3.2
Alcatel-Lucent may terminate this Agreement: (a) upon notice to Customer if any amount payable to Alcatel-Lucent is not paid within thirty (30) days of the date on which payment is due; (b) if Customer becomes bankrupt, makes an assignment for the benefit of its creditors, or if its assets vest or become subject to the rights of any trustee, receiver or other administrator; (c) if bankruptcy, reorganization or insolvency proceedings are instituted against Customer and not dismissed within 15 days; or (d) if Customer breaches a material provision of this Agreement and such breach is not rectified within 15 days of receipt of notice of the breach from Alcatel-Lucent. Upon termination of this Agreement, Customer shall return or destroy all copies of the Licensed Program. All obligations of Customer arising prior to termination, and those obligations relating to confidentiality and nonuse, shall survive termination.
3.3
4. CHARGES
4.1 Upon shipment of the Licensed Program, Alcatel-Lucent will invoice Customer for all fees, and any taxes, duties and other charges. Customer will be invoiced for any license extensions upon delivery of the new software application key or, if a new application key is not required, upon delivery of the extension. All amounts shall be due and payable within thirty (30) days of receipt of invoice, and interest will be charged on any overdue amounts at the rate of 1 1/2% per month (19.6% per annum).
5. SUPPORT AND UPGRADES

5.1 Customer shall receive software support and upgrades for the Licensed Program only to the extent provided for in the applicable Alcatel-Lucent software support policy in effect from time to time, and upon payment of any applicable fees. Unless expressly excluded, this Agreement shall be deemed to apply to all updates, upgrades, revisions, enhancements and other software which may be supplied by Alcatel-Lucent to Customer from time to time.
6. WARRANTIES AND INDEMNIFICATION

6.1 Alcatel-Lucent warrants that the Licensed Program as originally delivered to Customer will function substantially in accordance with the functional description set out in the associated user documentation for a period of 90 days from the date of shipment, when used in accordance with the user documentation. Alcatel-Lucent's sole liability and Customer's sole remedy for a breach of this warranty shall be Alcatel-Lucent's good faith efforts to rectify the nonconformity or, if after repeated efforts Alcatel-Lucent is unable to rectify the nonconformity, Alcatel-Lucent shall accept return of the Licensed Program and shall refund to Customer all amounts paid in respect thereof. This warranty is available only once in respect of each Licensed Program, and is not renewed by the payment of an extension charge or upgrade fee.
iv
6.2
ALCATEL-LUCENT EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, REPRESENTATIONS, COVENANTS OR CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, WARRANTIES OR REPRESENTATIONS OF WORKMANSHIP, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, DURABILITY, OR THAT THE OPERATION OF THE LICENSED PROGRAM WILL BE ERROR FREE OR THAT THE LICENSED PROGRAMS WILL not INFRINGE UPON ANY THIRD PARTY RIGHTS. Alcatel-Lucent shall defend and indemnify Customer in any action to the extent that it is based on a claim that the Licensed Program furnished by Alcatel-Lucent infringes any patent, copyright, trade secret or other intellectual property right, provided that Customer notifies Alcatel-Lucent within ten (10) days of the existence of the claim, gives Alcatel-Lucent sole control of the litigation or settlement of the claim, and provides all such assistance as Alcatel-Lucent may reasonably require. Notwithstanding the foregoing, Alcatel-Lucent shall have no liability if the claim results from any modification or unauthorized use of the Licensed Program by Customer, and Customer shall defend and indemnify Alcatel-Lucent against any such claim. Alcatel-Lucent Products are intended for standard commercial uses. Without the appropriate network design engineering, they must not be sold, licensed or otherwise distributed for use in any hazardous environments requiring fail safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life-support machines, or weapons systems, in which the failure of products could lead directly to death, personal injury, or severe physical or environmental damage. The Customer hereby agrees that the use, sale, license or other distribution of the Products for any such application without the prior written consent of Alcatel-Lucent, shall be at the Customer's sole risk. The Customer also agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the Products in such applications.
6.3
6.4
7. LIMITATION OF LIABILITY
7.1 IN NO EVENT SHALL THE TOTAL COLLECTIVE LIABILITY OF ALCATEL-LUCENT, ITS EMPLOYEES, DIRECTORS, OFFICERS OR AGENTS FOR ANY CLAIM, REGARDLESS OF VALUE OR NATURE, EXCEED THE AMOUNT PAID UNDER THIS AGREEMENT FOR THE LICENSED PROGRAM THAT IS THE SUBJECT MATTER OF THE CLAIM. IN NO EVENT SHALL THE TOTAL COLLECTIVE LIABILITY OF ALCATEL-LUCENT, ITS EMPLOYEES, DIRECTORS, OFFICERS OR AGENTS FOR ALL CLAIMS EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER TO ALCATEL-LUCENT HEREUNDER. NO PARTY SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER OR not SUCH DAMAGES ARE FORESEEABLE, AND/OR THE PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The foregoing provision limiting the liability of Alcatel-Lucent's employees, agents, officers and directors shall be deemed to be a trust provision, and shall be enforceable by such employees, agents, officers and directors as trust beneficiaries.
7.2
8. GENERAL
8.1 Under no circumstances shall either party be liable to the other for any failure to perform its obligations (other than the payment of any monies owing) where such failure results from causes beyond that party's reasonable control. This Agreement constitutes the entire agreement between Alcatel-Lucent and Customer and supersedes all prior oral and written communications. All amendments shall be in writing and signed by authorized representatives of both parties. If any provision of this Agreement is held to be invalid, illegal or unenforceable, it shall be severed and the remaining provisions shall continue in full force and effect. The Licensed Program may contain freeware or shareware obtained by Alcatel-Lucent from a third party source. No license fee has been paid by Alcatel-Lucent for the inclusion of any such freeware or shareware, and no license fee is charged to Customer for its use. The Customer agrees to be bound by any license agreement for such freeware or shareware. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE THIRD PARTY SOURCE PROVIDES NO WARRANTIES AND SHALL HAVE NO LIABILITY WHATSOEVER IN RESPECT OF CUSTOMER'S POSSESSION AND/OR USE OF THE FREEWARE OR SHAREWARE. Alcatel-Lucent shall have the right, at its own expense and upon reasonable written notice to Customer, to periodically inspect Customer's premises and such documents as it may reasonably require, for the exclusive purpose of verifying Customer's compliance with its obligations under this Agreement. All notices shall be sent to the parties at the addresses listed above, or to any such address as may be specified from time to time. Notices shall be deemed to have been received five days after deposit with a post office when sent by registered or certified mail, postage prepaid and receipt requested. If the Licensed Program is being acquired by or on behalf of any unit or agency of the United States Government, the following provision shall apply: If the Licensed Program is supplied to the Department of Defense, it shall be classified as "Commercial Computer Software" and the United States Government is acquiring only "restricted rights" in the Licensed Program as defined in DFARS 227-7202-1(a) and 227.7202-3(a), or equivalent. If the Licensed Program is supplied to any other unit or agency of the United States Government, rights will be defined in Clause 52.227-19 or 52.227-14 of the FAR, or if acquired by NASA, Clause 18-52.227-86(d) of the NASA Supplement to the FAR, or equivalent. If the software was acquired under a contract subject to the October 1988 Rights in Technical Data and Computer Software regulations, use, duplication and disclosure by the Government is subject to the restrictions set forth in DFARS 252-227.7013(c)(1)(ii) 1988, or equivalent. Customer shall comply with all export regulations pertaining to the Licensed Program in effect from time to time. Without limiting the generality of the foregoing, Customer expressly warrants that it will not directly or indirectly export, reexport, or transship the Licensed Program in violation of any export laws, rules or regulations of Canada, the United States or the United Kingdom.
8.2
8.3
8.4
8.5
8.6
8.7
8.8
vi
8.9
No term or provision of this Agreement shall be deemed waived and no breach excused unless such waiver or consent is in writing and signed by the party claimed to have waived or consented. The waiver by either party of any right hereunder, or of the failure to perform or of a breach by the other party, shall not be deemed to be a waiver of any other right hereunder or of any other breach or failure by such other party, whether of a similar nature or otherwise.
8.10 This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario. The application of the United Nations Convention on Contracts for the International Sale of Goods is hereby expressly excluded.
vii
viii
Planning and system architecture
1 9900 WNG system architecture 2 9900 WNG planning 2-1
1-1
9900 WNG system architecture
1.1 9900 WNG overview
1-2 1-2
1.2 9900 WNG Detector and Central 1.3 9900 WNG hardware 1.4 9900 WNG software 1-5 1-6
1.5 9900 WNG external user interfaces
1-7
1-1
1.1
9900 WNG overview

The 9900 WNG monitors wireless data subscriber traffic and network signaling traffic to identify behaviors that threaten the performance of wireless data networks.
1.2
9900 WNG Detector and Central

The main components of the 9900 WNG system include:
9900 WNG Central 9900 WNG Detector

Figure 1-1 shows the 9900 WNG Detector and Central in a wireless network.
Figure 1-1 9900 WNG components in a wireless network
The connections between the 9900 WNG and other NEs in a wireless data CDMA network are shown in Figure 1-2.
1-2
1 9900 WNG system architecture Figure 1-2 Network architecture for a CDMA environment
NMS
9900 WNG Central
9900 WNG Detector Servers
GGSN External Sources
AAA
RNC
BTS
SGSN GGSN AAA AAA

21186
RNC BTS
The 9900 WNG supports UMTS networks. The connections between the 9900 WNG and other network elements in a UMTS network are shown in Figure 1-3.
Figure 1-3 Network architecture for a UMTS environment
1-3
9900 WNG Detector

Table 1-1 describes the 9900 WNG Central based on the location.
Table 1-1 9900 WNG Detector
Location CDMA environment Description In the network, a 9900 WNG Detector observes mirrored IP traffic between the AAA server and the PDSN, and between the HA and the PDSN. The 9900 WNG Detector monitors wireless traffic and reports anomalous behaviors to the 9900 WNG Central. The 9900 WNG Detector supports CDMA and UMTS technology at the same time. Wireless network The 9900 WNG Detector comprises purpose-designed hardware and software that monitors IP sessions and detects anomalous behaviors, registered to the individual subscriber level. The 9900 WNG Detector observes IP traffic mirrored from the packet core, as well as RADIUS traffic, interprets network events and states, and identifies anomalous traffic flow. The 9900 WNG Detector reports anomalies to the 9900 WNG Central to alert operators to take appropriate action. The 9900 WNG Detector identifies wireless specific anomaly events and notifies the 9900 WNG Central over a secure tunnel. All communication for configuration, bootstrap, and alarm reporting from the 9900 WNG Detector to the 9900 WNG Central component is through a SSL connection. The 9900 WNG Detector provides the following functionality:

UMTS environment
supports up to two million packets per second or up to 4 Gb/s, whichever is lower supports up to one million subscriber sessions supports up five million simultaneous flows tracks information from the subscriber registration activities to associate the dynamically assigned IP address with the user device identification and network path infers loads across the wireless data network by watching signaling and data traffic detects wireless 3G/4G network anomaly behavior using proprietary algorithms monitors individual subscriber session behavior (Mobile Flow records) monitors mobile-to-mobile and Internet-to-mobile traffic
In the UMTS environment, the 9900 WNG Detector observes mirrored IP traffic on two interfaces: between the AAA Server and the SGSN (Serving GPRS Service Node) and between the SGSN and the GGSN (Gateway GPRS Service Node). It is expected that an available Ethernet port from each of these interfaces is available from a switch or router within the Service Providers network. To avoid congestion on the capture ports, the capture port speed shall match or exceed the snooped interface. The 9900 WNG Detector snoops the path to the mirrored AAA Server for information regarding active mobile IP data sessions and reports anomalous behavior to the 9900 WNG Central. The 9900 WNG Detector supports CDMA technology and Universal Mobile Telecommunications System (UMTS) technology at the same time.
9900 WNG Central

Table 1-2 describes the 9900 WNG Detector based on the location.
1-4
1 9900 WNG system architecture Table 1-2 9900 WNG Central

Location CDMA environment Wireless network Description The 9900 WNG Central has an EMS and also supports a northbound system log and SNMP interface to network management systems, if required. The 9900 WNG Central comprises hardware and software with which to manage a set of 9900 WNG Detectors. The 9900 WNG Central handles correlation and northbound reporting functions, and helps identify unwanted traffic on the network. The 9900 WNG Central uses application software to process anomaly event streams from the 9900 WNG Detector, generate alarms, generate daily and on-demand network usage reports, and report to northbound network and security operations platforms. The 9900 WNG Central collects event data and mobile flow records generated from multiple 9900 WNG Detectors that are deployed throughout a providers network and stores the information in a database. The 9900 WNG Central provides the following functionality:

UMTS environment
configures and manages 9900 WNG Detectors in the system as well as itself supports up to 10 Detectors provides GUI and CLI capabilities collects, stores, and reports event data and notifications from the Detectors provides a status display of the 9900 WNG system and provides the ability to relay status and alarm information on external and internal interfaces as needed by the configuration provides the WSP with a user-friendly means of observing, recording, and interpreting the alarms and reports on anomaly status downloads software upgrades to the Detectors manages events at an aggregated average rate of 2500 events per second manages servers at a peak rate of 10 000 events per second
The 9900 WNG Central has an EMS and also supports a northbound system log and Simple Network Management Protocol (SNMP) interface to the Network Management Systems (NMS), if required.
1.3
9900 WNG hardware

The following sections describe the hardware requirements for the 9900 WNG Detector and Central.
9900 WNG Detector hardware

The 9900 WNG Detector hardware is located in a NOC, security operations center, or central office. The major hardware components of the 9900 WNG Detector include:
Multi-core server 32GB RAM, 667 MHZ DIMMS. six hot-swappable 2.5 SAS HDD media storage, with at least 146GB space per
HDD
4 x 1Gbps Gigabit Ethernet NIC Up to four SFP modules (optical or copper) BMC
1-5
Dual DC, 600W power supplies or Dual AC power supplies 32 Gb memory server (TIGH2U)
The 9900 WNG Detector is a NEBS-3 and ETSI certified product that is suited for a host of applications in the Telecom Central Office and industrial environment.
9900 WNG Central hardware

The 9900 WNG Central hardware is located in the NOC, security operations center, or the central office. The major hardware components of the 9900 WNG Central include:
Multi-core server 32GB RAM, 667 MHZ DIMMS six hot-swappable 2.5 SAS HDD media storage, with at least 146GB space per
HDD CD-ROM and/or DVD-ROM BMC Dual DC, 600W power supplies or Dual AC power supplies
Detecting hardware failures

Hardware Failure system events can be used to determine when a disk should be replaced. See section 38.13 for more information.
1.4
9900 WNG software

Table 1-3 describes the 9900 WNG software.
Table 1-3 9900 WNG software
Software Red Hat Enterprise Linux MySQLTM database AdventNet SNMP 9900 WNG application software Description The 9900 WNG Central and 9900 WNG Detector software use the Red Hat Enterprise Linux operating system, version 5.1 or later. The 9900 WNG Central software uses the MySQL database. The 9900 WNG Central software uses AdventNet SNMP to report to the northbound network and security operations platform. The 9900 WNG application software
Performs traffic analysis Runs a CLI Hosts a GUI Processes anomaly event streams from the 9900 WNG Detector Generates alarms Produces reports Reports to northbound network and security operations platforms
1-6
Detecting software problems

You can use system events to determine software problems. See chapter 38 for more information.
1.5
9900 WNG external user interfaces

Figure 1-4 shows the components of the 9900 WNG and the associated interfaces.
Figure 1-4 9900 WNG external interfaces
1-7
1-8
9900 WNG planning
2.1 Planning overview
2-2 2-2
2.2 9900 WNG Central and Detector server planning 2.3 9900 WNG Central planning 2.4 9900 WNG Detector planning 2-2 2-3 2-11
2.5 IP addresses and port numbers planning 2.6 Site preparation planning 2-12
2-1
2 9900 WNG planning
2.1
Planning overview
You must consider the following before for you use the 9900 WNG in your network:
evaluate the current network capacity for optimum use of the 9900 WNG determine the appropriate physical location of the 9900 WNG Central and
Detector identify the necessary equipment for 9900 WNG implementation
2.2
9900 WNG Central and Detector server planning

The 9900 WNG uses two servers, as described in Table 2-1.
Table 2-1 9900 WNG Central and Detector
Server 9900 WNG Central Description Provides all of the external user interfaces (webpage, GUI, CLI), northbound SNMP NMS interface, and has a large disk and database to collect events from all of the 9900 WNG Detectors. Monitors and analyzes packets that are received from one or more tap points in the wireless access network. The 9900 WNG Detector generates anomaly events and status events that are sent to the 9900 WNG Central server to be used for real-time anomaly reporting and network awareness reports.
9900 WNG Detector
2.3
9900 WNG Central planning

The 9900 WNG Central can be located in the NOC, security center, or a central office. The location for the 9900 WNG Central can be determined by:
co-location with one or more 9900 WNG Detectors in a geographic cluster where it is accessible for physical maintenance needs AC and DC power supply options are available other locations, as determined by organizational requirements the Central management port must be connected to a LAN that is accessible for remote monitoring because the user interfaces are on the 9900 WNG Central
The 9900 WNG Central supports the following:
average rate feed of 2000 events/s from all 9900 WNG Detectors peak rate feed of 10000 events/s from all 9900 WNG Detectors
2-2
2 9900 WNG planning
2.4
9900 WNG Detector planning

The following figures show a simple network configuration for CDMA and UMTS. The 9900 WNG Detectors can be located at specific points in the network to collect different types of network data.
Figure 2-1 Typical network configuration for a CDMA environment
Internet
AAA HA Home network PDSN PDSN PDSN HA Roaming network PDSN AAA
21188
Figure 2-2 Typical network configuration for a UMTS environment
Internet
GGSN Home network SGSN SGSN SGSN
GGSN Roaming network SGSN
21187
Processing data
Table 2-2 describes the data that is processed by the 9900 WNG Detectors based on the network type.
2-3
2 9900 WNG planning Table 2-2 Data collection by the 9900 WNG Detector
Network 3GPP2/CDMA Data collected
All incoming/outgoing subscriber data traffic Simple IP MIP: IP-IP tunneled Signaling traffic to relate IP traffic to subscriber/device/network elements MIP signaling traffic AAA accounting records (A11 signaling traffic) All incoming/outgoing subscriber data traffic mobile IP (MIP): IP-IP tunneled (GTP-U packets between SGSN and GGSN) Signaling traffic to relate IP traffic to subscriber/device/network elements AAA accounting records (GTP-C signaling packets between SGSN and GGSN)
3GPP/UMTS
Tapping into the network

The 9900 WNG Detector passively monitors IP packets for 3GPP2/CDMA and 3GPP/UMTS networks as follows:
3GPP2/CDMA networks PDSN and Home Agent PDSN and AAA (accounting records only) (A11 interface to PDSN) 3GPP/UMTS networks SGSN and GGSN
Tap feeds are mirrored from a router or switch at the tap points, and sent to the 9900 WNG Detector. Tap feeds that lose packets reduce the accuracy of the 9900 WNG Detector. This out-of-band capability of the 9900 WNG Detector means that any downtime is not service affecting to the network. The 9900 WNG Detector can support four 1 Gb/s tap ports or one 10 Gb/s tap port. The 9900 WNG Detector can be configured with optical or copper SFPs (or a mix) tap ports to support 1000TX (copper), and 1000SX (multimode optical) physical tapping points. If the number of tap feeds is greater than the number of ports available on the 9900 WNG Detector, you can use an external aggregator to condense multiple taps into the ports on the 9900 WNG Detector.
Note Aggregated feeds that are mapped on a single tap port must not exceed the maximum line rate of the port, or packets are lost.
2-4
2 9900 WNG planning
Estimating 9900 WNG Detectors needed

To determine the number of required 9900 WNG Detectors, consider the following factors:
geographic placement of tapping points to feed the 9900 WNG Detector number of tapping points required to analyze the entire wireless network traffic
to capture all PDSN-to-HA and PDSN-to-AAA (accounting links) and PDSN A11 interface in a CDMA environment, and SGSN-to-GGSN links in a UMTS environment. anticipated number of simultaneous active subscriber sessions to observe at one 9900 WNG Detector and also collectively in the entire network as an appropriate product license is required. See chapter 6 for more information. anticipated traffic rate fed into one 9900 WNG Detector for analysis. In some cases, the captureVLAN CLI command can be used to restrict the number of packets fed into a 9900 WNG Detector by filtering the packet feed to only include the appropriate VLAN traffic that the Detector needs to analyze. the data rate of the events that are generated by one 9900 WNG Detector to the 9900 WNG Central must not exceed the data connection link for the management connection between the 9900 WNG Detector and 9900 WNG Central. The eventrate CLI command can be used to provide traffic limiting on this management link to match the physical link to provide smoothing of event feed to the 9900 WNG Central. Estimating exact rules of deployment based on the above considerations depends on several factors and may change from deployment to deployment, the nature of traffic analyzed in the wireless network, and anticipated rate of traffic growth. Contact your Alcatel-Lucent technical support representative for support in planning your network deployment.
9900 WNG Detector specifications
The 9900 WNG Detector supports the following:
up to four capture ports that can aggregate packets for analysis from traffic taps
(unidirectional or bidirectional). A 9900 WNG Detector is equipped with either four ports with a maximum line rate of 1 Gb/s, or one port with a maximum line rate of 10 Gb/s. maximum packet processing of 2 million packets per second up to 1 million simultaneous active subscriber data sessions monitored up to 2 million simultaneous active flows monitored
Network technology
The 9900 WNG Detector supports both CDMA and UMTS technologies.
2-5
2 9900 WNG planning
CDMA
The 9900 WNG Detector supports CDMA technology as per the 3GPP2 standards. This includes 1xRTT, EV-DO rev 0, and EV-DO rev A. The Detector can be used to analyze both MobileIP and SimpleIP sessions by decoding MobileIP signaling (PDSN-to-HA link) and AAA/RADIUS accounting records (PDSN-to-AAA link). The mode in which the Detector operates can be set with the deploymentMode command to process MobileIP only, SimpleIP only, or both MobileIP and SimpleIP sessions.
UMTS
In a UMTS environment, the Detector monitors the GPRS Tunneling Protocol (GTP) messages (GTP-C and GTP-U packets) across the Gn interface between the Serving GPRS Service Node (SGSN) and the Gateway GPRS Service Node (GGSN).
Determine location to view network activity

The location at which a Detector taps the network affects the type of data collected. The following are options for Detector placement:
Southbound of the HA (CDMA) Northbound of the PDSN (CDMA) Southbound of the GGSN (UMTS) Northbound of the SGSN (UMTS)
For 3GPP2/CDMA networks, the PDSN-AAA accounting records and optionally the A11 interface must be tapped and fed to the 9900 WNG Detector.
CDMA network activity

You can collect different types of data by installing the 9900 WNG Detector southbound of the HA or northbound of the PDSN in a CDMA network.
Southbound of the HA
Figure 2-3 shows a 9900 WNG Detector installed southbound of the HA in a CDMA network.
2-6
2 9900 WNG planning Figure 2-3 Southbound of the HA (CDMA)
Placement southbound of the HA provides the following features and advantages:
One 9900 WNG Detector can handle higher traffic loads from a larger section of
the wireless service provider network (that is, several PDSNs) subject to the limits of the Detector specifications given earlier in this section of the document. The ability to observe the wireless service provider's own roaming subscribers' traffic when the subscribers are served by a foreign PDSN on a roaming partner network. The support for MobileIP only subscribers. SimpleIP traffic is not seen when deployed southbound of Home Agent. The ability to report on inter-PDSN traffic, which s includes inter-PDSN handoff reports and session state tracking capability across PDSNs.
Note When deployed southbound of the Home Agent, a separate tap or feed must be provided for the AAA/RADIUS accounting records and, optionally, for the A11 interface.
Northbound of the PDSN
Figure 2-4 shows a 9900 WNG Detector installed northbound of the PDSN in a CDMA network.
2-7
2 9900 WNG planning Figure 2-4 Northbound of the PDSN (CDMA)
Placement of the 9900 WNG Detector northbound of the PDSN provides the following features and advantages:
useful in large wireless networks where the amount of network traffic exceeds the
capacity of one 9900 WNG Detector support can be provided for both MobileIP and SimpleIP data sessions served by the PDSN observation of all PDSN-to-AAA/RADIUS accounting records can be provided on the same tap point near the PDSN analyzes traffic for subscribers from roaming partners as they roam onto the network served by the PDSN
Note 1 Deploying northbound of the PDSN results in the
appearance of a new session when a subscriber roams inter-PDSN. The HA handoff report is not applicable in this configuration.
Note 2 The placement of the 9900 WNG Detector should be such
that one 9900 WNG Detector sees the MobileIP signaling or the AAA/RADIUS accounting signaling or both that corresponds to the bearer traffic that it observes. Optionally, the A11 interface may also be processed.
UMTS network activity

You can collect different types of data by installing the 9900 WNG Detector southbound of the GGSN or northbound of the SGSN in a UMTS network.
2-8
2 9900 WNG planning
Southbound of the GGSN (UMTS)
Figure 2-5 shows a 9900 WNG Detector installed southbound of the GGSN in a UMTS network.
Figure 2-5 Southbound of the GGSN (UMTS)
Placement southbound of the GGSN provides the following features and advantages:
one 9900 WNG Detector can support higher traffic loads from a larger section of
the wireless service provider network (several SGSNs) subject to the limits of the 9900 WNG Detector specifications ability to observe subscriber traffic when the subscriber is served by a SGSN on a roaming partner network. provides reports for inter-SGSN traffic, which includes inter-SGSN handoff reports and session state tracking capacity across SGSNs
Northbound of the SGSN
Figure 2-6 shows a 9900 WNG Detector installed northbound of the SGSN in a UMTS network.
2-9
2 9900 WNG planning Figure 2-6 Northbound of the SGSN (UMTS)
Placement of the 9900 WNG Detector northbound of the SGSN provides the following features and advantages:
useful in large wireless networks where the amount of network traffic exceeds the
capacity of one 9900 WNG Detector
analyzes traffic for subscribers from roaming partners as they roam onto the
network served by the SGSN
Geographic configuration for 9900 WNG Detectors

If multiple PDSNs for CDMA technology or multiple SGSNs for UMTS technology are co-located (geographic cluster), it is possible to configure a 9900 WNG Detector to serve multiple PDSNs or SGSNs, subject to the limits of the detector specifications given earlier in this document. If PDSNs or SGSNs are not co-located, the options are to deploy one detector at each PDSN or SGSN location or to backhaul the mirrored traffic to a common shared detector. Equipping a detector for each of these PDSNs or SGSNs (even though not fully utilizing the bandwidth and session capacity of the 9900 WNG Detector) may be preferred when compared with the cost of backhaul of the mirrored traffic to a shared 9900 WNG Detector.
2-10
2 9900 WNG planning
2.5
IP addresses and port numbers planning

This section describes the IP addresses and port numbers that you need to configure the 9900 WNG.
Note DHCP is not used to obtain IP addresses to ensure correct and secure operation.
9900 WNG Central interfaces

The 9900 WNG Central uses the following IP addresses:
management interface IP address for providing GUI access, remote console

access, Web-based Report access
BMC (remote management) IP address is required for out-of-band management

functions. This allows access to the 9900 WNG Central and Detectors for remote console and remote power cycle functions.
9900 WNG Detector interfaces

The 9900 WNG Detector uses the following IP addresses:
management interface IP address to provide an interface to 9900 WNG Central

from the 9900 WNG Detector. BMC (remote management) IP address is required for out-of-band management functions, which allows access to the 9900 WNG Central and Detectors for remote console and remote power cycle.
Additional interfaces
In addition to configuring the IP addresses of the 9900 WNG Central and Detector, the following IP addresses should be known in order to provide configuration for other features:
IP address of NTP server for obtaining clock/time synchronization IP address of SNMP network management server so that the 9900 WNG system
events can be reported to an external SNMP management server. SNMP reporting is optional. port numbers are required for accessing the 9900 WNG Central. The <central IP> in the following example is the address that is given to the 9900 WNG Central management port. The BMC IP address is the out-of-band management port that is used for remote console and remote power cycle.
IN: allow in from <ext> to <central IP> TCP port 22,80,443,3306,52802,52806 allow in from <ext> to <central IP> UDP port 161 allow in from <ext> to <BMC> TCP port 80,443 allow in from <ext> to <BMC IPs> TCP port 623 allow in from <ext> to <BMC IPs> UDP port 623 OUT: Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
[for snmp]
2-11
2 9900 WNG planning
allow out from <central IP> to <ext> UDP port 162 [for snmp] allow out from <central IP> to <ext> UDP port 123 [for NTP] <ext> = your external network/mask or specific IP <central IP> = IP of eth0 on 9900 WNG Central <BMC> = IPs of all the BMC modules in central and detector
2.6
Site preparation planning

This section describes site preparation considerations for the 9900 WNG system.
9900 WNG server and rack hardware specifications

The 9900 WNG Central and 9900 WNG Detectors can be rack-mounted, depending on the customers equipment configuration. A 19-inch or 23-inch rack is recommended. The assembly hardware (for example, mounting brackets, bolts, and nuts) and rack mount kit are included with the 9900 WNG or as orderable items, depending on the rack used. For ordering information, contact your Alcatel-Lucent technical support representative.
Table 2-3 Server dimensions
Dimension Height Width Depth Front clearance Side clearance Rear clearance Weight (base model) Value 3.45 inches (87.6 mm) 17.14 inches (435.3 mm) AC server: 21.25 inches (540 mm) DC server: 21.38 inches (543 mm) 2.0 inches (76 mm) 1.0 inches (25 mm) 3.6 inches (92 mm) 35.0 lbs (15.8 kg)
An additional clearance of 1.5 inches (38 mm) is required behind the server for cable bend allowance.
External disk array specifications
Table 2-4 describes the dimensions of the external disk array that is included with the 9900 WNG Central.
Table 2-4 External disk array dimensions
Dimension Height Width Depth (1 of 2) Value 3.39 inches (87.6 mm) 17.66 inches (435.3 mm) 21.26 inches (540 mm)
2-12
2 9900 WNG planning
Dimension Front clearance Rear clearance Weight (base model) (2 of 2)
Value 30 inches (760 mm) 24 inches (620 mm) 59.55 lbs (15.8 kg)
Rack-mount requirements
The 9900 WNG Central and Detectors, and the external disk array that must be mounted in a customer-supplied rack.
19 racks supported are 2-post and 4-post racks with Electronic Industry
Association (EIA) Universal and EIA wide hole spacing.
23 racks supported are 2-post and 4-post racks with EIA Universal, EIA wide
and European Telecommunications Standards Institute (ETSI) hole spacing. The rack mount kits can be installed in 2-post racks with equipment mounting posts from 3 to 5 inches deep. The rack mount kits can be installed in 4-post racks with front equipment mounting rail to rear equipment mounting rail distance not exceeding 24 inches. Mounting hardware for 19 racks is included. Mounting extension plates for 23 racks are included. These extension plates allow the 19" rack mount system to be installed in a 23 frame.
Power requirements
Depending on the customer needs, the power supply is either DC (600 W) or AC. The AC and DC versions can be used in either an operations data center or a central office. Typically, data centers use the AC version and a central office uses the DC version. The power supply (AC or DC) is redundant and is supplied on separate power buses. Table 2-5 describes the power requirements.
2-13
2 9900 WNG planning Table 2-5 Power requirements

Component DC power supply 9900 WNG Central and Detectors Description
Maximum continuous output power: 604 W Maximum continuous current output @ -48VDC: 12.6 A Peak power: 680 W Peak current @ -48V: 14.2 A Chassis input voltage range: -40.0 to -60.0 V Power supply: two hot swappable 600W power supplies Number of power feeds: two pairs Supplied DC power cable assemblies: Two 1-ft cables Two 14-ft cables The power supply shuts down when input drops below 36 VDC and powers back up when DC input returns to >36 VDC. Input voltage range: -36 to -72 VDC Power consumption: 530 W Current at -48 VDC: 11 A
External disk array
AC power supply (optional) 9900 WNG Central and Detectors
Maximum continuous power: 604 W Maximum continuous current output @ 110VAC: 5.5 A Maximum continuous current output @ 220VAC: 2.75 A Peak Power: 680 W Peak current @ 110VAC: 6.2 A Peak current @ 220VAC: 3.1 A Chassis input voltage range: 100-127 V or 200-240 V Power supply: Two hot swappable 600 W AC power supplies Number of power feeds: 2 pairs Supplied AC power cable assembly: Two 6-foot US AC 110 V power cords Input voltage range: 90 to 264 VAC Power consumption: 530 W
External disk array Power distribution center Power distribution center
A power distribution unit is not required. However, if present, the fuse recommendation is 20A.
Cabling requirements
The following describes the cabling requirements:
Supplied: Power cables for the 9900 WNG Central and 9900 WNG Detector, and
an SAS cable to connect the external disk array to the 9900 WNG Central Supplied equipment ground cables: The DC chassis provides two threaded studs for chassis enclosure grounding. A single 45 standard barrel #14 -10 AWG conductor/-6 AWG barrel must be used for proper safety grounding.
2-14
2 9900 WNG planning
Optional: Fiber optic cables: Multi-mode fiber with LC connectors.

These optional cables are available from Alcatel-Lucent. Ethernet cables: Shielded cat5e or better cables are recommended, grounded at both ends. For 1 GbE connections, Cat6 cable is recommended. The optional cables are available from Alcatel-Lucent.
Environmental requirements
Consider the following environmental requirements when are choosing a location for your 9900 WNG equipment.
Locating the equipment
The system is designed to operate in a typical office environment. Choose a site that is:
clean, dry, and free of airborne particles (other than normal room dust) well-ventilated and away from sources of heat including direct sunlight and
radiators
away from sources of vibration or physical shock isolated from strong electromagnetic fields produced by electrical devices in regions that are susceptible to electrical storms, we recommend you plug your
system into a surge suppressor and disconnect telecommunication lines to your modem during an electrical storm provided with a properly grounded wall outlet (AC) or appropriate power connections DC) provided with sufficient space to access the power supply cords
Temperature
The temperature in which the server operates when installed in an equipment rack must not go below 5C (41F) or rise above 35C (95F). Extreme fluctuations in temperature can cause a variety of problems in your server.
Ventilation
The equipment rack must provide sufficient airflow to the front of the server to maintain proper cooling. The rack must also include ventilation sufficient to exhaust a maximum of 1200 BTU/h for the server. The rack selected and the ventilation provided must be suitable to the environment in which the server is to be used.
2-15
2 9900 WNG planning
2-16
Hardware installation
3-1 4-1
4 9900 WNG Detector and Central server installation
5 Powering up, powering down, and resetting 9900 WNG components 5-1
Safety and regulatory specifications
3.1 Safety hazards
3-2 3-3
3.2 Product use and safety guidelines 3.3 Regulatory specifications 3-6
3-1
3.1
Safety hazards
Hazard statements describe the safety risks relevant while performing tasks on Alcatel-Lucent products during deployment and/or use. Failure to avoid the hazards may have serious consequences.
Signal words
The signal words that identify the hazard severity levels are described in Table 3-1.
Table 3-1 Signal words for hazard severity
Signal word DANGER WARNING CAUTION Description Indicates an imminently hazardous situation (high risk) which, if not avoided, results in death or serious injury. Indicates a potentially hazardous situation (medium risk) which, if not avoided, could result in death or serious injury. Indicates a potentially hazardous situation (low risk) which, if not avoided, may result in personal injury or property damage, such as service interruption or damage to equipment or other materials.
3-2
General hazard statements

General hazard statements provide information about hazards that may arise in the course of your work, but are not necessarily related to a specific procedure.
Danger This equipment generates high leakage current. This can lead to high voltages with respect to ground for accessible parts of the installation. Contact with these parts can cause serious health effects, possibly including death, even hours after the event.
This equipment is only suited for permanent connection. Before connecting the power supply, establish a grounding connection.
Caution Components can be damaged by static discharges.
The following rules must be followed when handling any module containing semiconductor components:
wear conductive or antistatic working clothes (for example, a coat

made of 100% cotton) wear the grounded wrist strap wear shoes with conductive soles on a conductive floor surface or conductive workmat leave the modules in their original packaging until ready for use ensure that there is no difference in potential between yourself, the workplace, and the packaging before removing, unpacking, or packing a module hold the module only by the grip without touching the connection pins, tracks, or components place modules removed from the equipment on a conductive surface test or handle the module only with grounded tools on grounded equipment handle defective modules exactly like new ones to avoid causing further damage
3.2
Product use and safety guidelines

The 9900 WNG was evaluated for use in a Telecommunication Central Office environment.
Heed safety instructions

Before working with the 9900 WNG Central or Detector, whether you are using this guide or any other resource as a reference, pay close attention to the safety instructions. You must adhere to the assembly instructions in this guide to ensure and maintain compliance with existing product certifications and approvals. Use only the described, regulated components specified in this guide. Use of other products components voids the UL listing and other regulatory approvals of the product and most likely result in noncompliance with product regulations in the regions in which the product is sold.
Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA 3-3
System power on and off

The power button does not turn off the system AC power. To remove power from system, you must unplug the AC power cord from the wall outlet. Make sure the AC power cord is unplugged before you open the chassis, add, or remove any components.
Hazardous conditions, devices, and cables

Hazardous electrical conditions may be present on power, telephone, and communication cables. Turn off the 9900 WNG Central or Detector and disconnect the power cord, telecommunications systems, networks, and modems attached to the 9900 WNG Central or Detector before opening it. Otherwise, personal injury or equipment damage can result.
ESD and ESD protection

ESD can damage disk drives, boards, and other parts. We recommend that you perform all procedures in this chapter only at an ESD workstation. If one is not available, provide some ESD protection by wearing an antistatic wrist strap attached to chassis ground any unpainted metal surface on the 9900 WNG Central or Detector when handling parts.
ESD and handling boards

Always handle boards carefully. They can be extremely sensitive to ESD. Hold boards only by their edges. After removing a board from its protective wrapper or from the 9900 WNG Central or Detector, place the board component side up on a grounded, static free surface. Use a conductive foam pad if available but not the board wrapper. Do not slide board over any surface.
Installing or removing jumpers

A jumper is a small plastic encased conductor that slips over two jumper pins. Some jumpers have a small tab on top that you can grip with your fingertips or with a pair of fine needle nosed pliers. If your jumpers do not have such a tab, take care when using needle nosed pliers to remove or install a jumper; grip the narrow sides of the jumper with the pliers, never the wide sides. Gripping the wide sides can damage the contacts inside the jumper, causing intermittent problems with the function controlled by that jumper. Take care to grip with, but not squeeze, the pliers or other tool you use to remove a jumper, or you may bend or break the pins on the board.
Equipment handling practices

Reduce the risk of personal injury or equipment damage:
Conform to local occupational health and safety requirements when moving and
lifting equipment. Use mechanical assistance or other suitable assistance when moving and lifting equipment. To reduce the weight for easier handling, remove any easily detachable components.
3-4
A microprocessor and heat sink can be hot if the system has been running. Also,
there can be sharp pins and edges on some board and chassis parts. Contact should be made with care. Consider wearing protective gloves. Danger of explosion if the battery is incorrectly replaced. Replace only with the same or equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to manufacturers instructions.
Safety steps
Whenever you remove the chassis covers to access the inside of the system, follow these steps:
Turn off all peripheral devices connected to the system. Turn off the system by pressing the power button. Unplug all AC power cords from the system or from wall outlets. Label and disconnect all cables connected to I/O connectors or ports on the back of the system. Provide electrostatic discharge (ESD) protection by wearing an antistatic wrist strap attached to chassis ground of the systemany unpainted metal surfacewhen handling components. After you have completed the safety steps, remove the system covers. To do this:
Unlock and remove the padlock from the back of the system if a padlock has been
installed.
Remove and save all screws from the covers. Remove the covers. Cooling and airflow
For proper cooling and airflow, always reinstall the chassis covers before turning on the system. Operating the system without the covers in place can damage system parts. To install the covers:
Check first to make sure you have not left loose tools or parts inside the system. Check that cables, add-in boards, and other components are properly installed. Attach the covers to the chassis with the screws removed earlier, and tighten them
firmly. Insert and lock the padlock to the system to prevent unauthorized access inside the system. Connect all external cables and the AC power cords to the system.
Power supply
The power supply in this product contains no user-serviceable parts. There may be more than one supply in this product. Refer servicing only to qualified personnel.
3-5
Power cord warnings

If an AC power cord was not provided with your product, purchase one that is approved for use in your country.
To avoid electrical shock or fire, check the power cords to be used with the
product as follows: Do not attempt to modify or use the AC power cords if they are not the exact type required to fit into the grounded electrical outlets. The power cords must meet the following criteria: The power cord must have an electrical rating that is greater than that of the electrical current rating marked on the product. The power cord must have safety ground pin or contact that is suitable for the electrical outlet. The power supply cords are the main disconnect device to AC power. The socket outlets must be near the equipment and readily accessible for disconnection. The power supply cords must be plugged into socket-outlets that are provided with a suitable earth ground. Do not attempt to modify or use the supplied AC power cord if it is not the exact type required. A product with more than one power supply has a separate AC power cord for each supply.
Equipment rack anchoring

The equipment rack must be anchored to an unmovable support to prevent it from falling over when one or more 9900 WNG Central or Detectors are extended in front of the rack on slides. You must also consider the weight of any other device installed in the rack. A crush hazard exists should the rack tilt forward, which can cause serious injury.
3.3
Regulatory specifications
The 9900 WNG meets the specifications and regulations for safety and EMC described in this chapter.
Product Safety Compliance

The 9900 WNG complies with the following safety requirements:
USA/Canada: UL 60950-1, 1st Edition/CSA 22.2 Europe: Low Voltage Directive 2006/95/EC to EN60950-1, 1st Edition Product EMC Compliance - Class A Compliance
The 9900 WNG has been has been tested and verified to comply with the following electromagnetic compatibility (EMC) regulations:
USA: FCC 47 CFR Parts 2 and 15, Verified Class A Limit Canada: IC ICES-003 Class A Limit International: CISPR 22, Class A Limit, CISPR 24 Immunity Electromagnetic
Compatibility Notices
3-6 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
Europe: EMC Directive, 2004/108/EEC EN 300-386 - Electromagnetic Compatibility and Radio spectrum Matters (ERM) EN55022, Class A Limit, Radiated & Conducted Emissions EN55024 Immunity Characteristics for ITE EN61000-4-2 ESD Immunity (level 2 contact discharge, level 3 air discharge) EN61000-4-3 Radiated Immunity (level 2) EN61000-4-4 Electrical Fast Transient (level 2) EN61000-4-5 Surge EN61000-4-6 Conducted RD EN61000-3-2 Harmonic Currents EN61000-3-3 Voltage Flicker
3-7
3-8
9900 WNG Detector and Central server installation
4.1 9900 WNG Detector and Central server installation overview 4-2 4.2 Power requirements 4.3 Receiving the shipment 4-3 4-5 4-6
4.4 Installing the 9900 WNG server in a rack 4.5 Grounding a DC-powered server 4.6 Connecting the cables 4-17 4-15
4-1
4.1
9900 WNG Detector and Central server installation overview

You or an Alcatel-Lucent technical support representative can perform the hardware installation. The following tasks are part of hardware installation:
preparation of racks or cabinets for installation of 9900 WNG Central and

Detector servers
installation of the 9900 WNG Central, Detector, and the external disk array into
the racks connecting the 9900 WNG Central and 9900 WNG Detector server to an existing network See chapter 7 for more information about the mandatory configuration procedures for the 9900 WNG. Table 4-1 lists the tasks that you must perform to install the 9900 WNG Central Detectors, in the order that you need to perform them.
Table 4-1 9900 WNG installation tasks
Task Set up the required AC or DC power supplies Install the 9900 WNG Central and Detector using the appropriate rack mounts Ground the servers, if you are using a DC power supply Connect the 9900 WNG to your OAM and traffic networks See section 4.2 4.4 4.5 4.6
Required hardware
Table 4-2 describes the hardware that is required for installing 9900 WNG Central and Detector.
Table 4-2 Hardware requirements for the 9900 WNG Central and Detectors
Equipment WNG Central Server
(1) (1)
Description The 9900 WNG Central server The 9900 WNG Detector is a NEBS-3 and ETSI certified product which is suited for a host of applications in the Telecom Central Office and industrial environment. (1) An external redundant data storage device for the 9900 WNG Central. Cat5e or better: Various lengths for direct connections Cables must be shielded and grounded at both ends.
WNG Detector Server External disk array Ethernet cables

(2)
Transceiver (1 of 2)
Copper or optical transceivers are required for the ports on the packet capture card. See section 4.6 for more information about ports on the packet capture card.
4-2
Equipment SAS cable Mounting rack for servers Power supply cable Fiber optic cables (optional)
Description A SAS cable used to connect the 9900 WNG Central to the external disk array. 19-inch mounting brackets and 23-inch adapters Two 6-foot US 110V AC power cable Various lengths:
50/125 m multi-mode fiber (MMF), Duplex LC-SC connectors 50/125 m multi-mode fiber (MMF), Duplex LC-ST connectors 50/125 m multi-mode fiber (MMF), Duplex LC-LC connectors
(2 of 2) Notes (1) 9900 WNG equipment is delivered with the required software installed. (2) Contact your Alcatel-Lucent technical support representative for ordering information.
4.2
Power requirements
This section describes the power requirements of the 9900 WNG for both AC and DC power supplies.
AC power supplies
Table 4-3 describes the requirements for AC power.
Table 4-3 AC power requirements
Component Main AC Voltage Continuous power Description The AC line voltage source must be 50 or 60 Hz, and have a voltage of 100 to 127 VAC for 110 V operation or between 200 and 240VAC for 220V operation. The 9900 WNG has the following continuous AC power requirements:

Peak power
maximum continuous output power: 604W maximum continuous current: 5A maximum peak output power: 680W maximum peak current: 5.6A
The 9900 WNG has the following peak AC power requirements:

Main AC power connection
The AC power cords are considered the main connection for the server and must be readily accessible. If the individual server power cords are not readily accessible, then you must install an AC power connection for the entire rack unit. This main connection must be readily accessible, and it must be labeled as controlling power to the entire rack, not just to the servers. To avoid the potential for an electrical shock hazard, you must include a third wire safety ground conductor with the rack installation. If the server power cord is plugged into an AC outlet that is part of the rack, then you must provide proper grounding for the rack itself. If the server power cord is plugged into a wall AC outlet, the safety ground conductor in the power cord provides proper grounding only for the server. You must provide additional, proper grounding for the rack and other devices installed in it.
Grounding the rack installation
(1 of 2)
4-3
Component Over-current protection
Description The equipment is designed for an AC line voltage source with up to 20 A of over-current protection per cord feed. If the power system for the equipment rack is installed on a branch circuit with more than 20 A of protection, you must provide supplemental protection for the server. The overall current rating of a configured server is less than 6 amperes. The external disk array has the following AC power requirements:
External disk array

(2 of 2)
power source voltage: 120VAC power consumption: 530W current: 4.5A
Note Do not modify or use an AC power cord set that is not the exact type required. You must use a power cord set that meets the following criteria:
Rating: In the U.S. and Canada, cords must be UL listed or CSA

certified type SJT, 18-3 AWG. Outside of the U.S. and Canada, cords must be flexible and meet standards for that region. Connector, wall outlet end: Cords must be terminated in grounding-type male plug designed for use in your region. The connector must have certification marks showing certification by an agency acceptable in your region. For U.S., the connector must be listed and rated for 125% of the overall current rating of the server. Connector, server end: The connectors that plug into the AC receptacle on the server must be an approved IEC 320, sheet C13, type female connector. Cord length and flexibility: Cords must be less than 4.5 m (14.8 ft) long.
DC power supplies
The server with DC input is to be installed in a Restricted Access Location in accordance with articles 110-16, 110-17, and 110-18 of the National Electric Code, ANSI/NFPA 70. The DC source must be electrically isolated from any hazardous AC source by double or reinforced insulation. The DC source must be capable of providing up to 300 W of continuous power per feed pair.
Caution Connection with a DC source should only be performed by trained service personnel.
Table 4-4 describes the requirements for DC power.
4-4
4 9900 WNG Detector and Central server installation Table 4-4 DC power requirements
Component Main DC Voltage Continuous power Description Redundant DC power feeds are supported for high reliability. The 9900 WNG requires a -48V DC power source. The 9900 WNG has the following continuous DC power requirements:

Peak power
maximum continuous output power: 604W maximum continuous current: 12.6A maximum peak output power: 680W maximum peak current: 14.2A
The 9900 WNG has the following peak DC power requirements:

Main DC power connection Grounding the server
The UL-listed circuit breaker of a centralized DC power system may be used as a disconnect device when easily accessible and must be rated no more than 10 A. This server is intended for installation with an isolated DC return (DC-I) and is to be installed in a CBN per NEBS GR-1089. To avoid the potential for an electrical shock hazard, you must reliably connect an earth grounding conductor to the server. The earth grounding conductor must be a minimum 6 AWG connected to the earth ground studs on the rear of the server. The safety ground conductor must be connected to the chassis stud with a Listed closed two-hole crimp terminal having 5/8-inch pitch. The nuts on the chassis earth ground studs must be installed with a 10 in-lbs of torque. The safety ground conductor provides proper grounding only for the server. You must provide additional, proper grounding for the rack and other devices installed in it. Over-current protection UL-listed circuit breakers must be provided as part of each host equipment rack and must be incorporated in the field wiring between the DC source and the server. The branch circuit protection is rated minimum 75 VDC, 10A maximum per feed pair. If the DC power system for the equipment rack is installed with more than 10 A of protection, you must provide supplemental protection for the server. The overall current rating of a maximum configured server is 8 A. The external disk array has the following DC power requirements:
Over-current protection
External disk array
power source voltage: -48V power consumption: 530W current: 11A
4.3
Receiving the shipment

Procedure 4-1 describes how to inspect a 9900 WNG package.
4-5
Procedure 4-1 To inspect a 9900 WNG package

The following are assumptions:

1 2 3
The delivery receipt is available to check against the contents that you received. The 9900 WNG Central and Detector are packaged separately, each in their own carton.
Check that all materials that are noted on the packing slip are accounted for. Visually inspect the package to be sure there is no visible damage to the shipping container. Perform one of the following: a b If the server is damaged, record the problems on the shipping manifest and report the damage to the transport company. If server is not damaged go to step 4.
4 5
Carefully remove the chassis from the carton. If you use a box cutter to cut the outer carton, exercise caution and ensure that you do not damage the chassis. Remove the anti-static bag that surrounds the chassis only when you are ready to install the chassis.
4.4
Installing the 9900 WNG server in a rack

You can install the 9900 WNG Central or Detector to a rack or cabinet.
Danger Ensure the following safety measures are taken:
Only trained and qualified personnel should anchor and install the
rack. Only trained and qualified personnel should mount the chassis. Always wear an electrostatic discharge (ESD) preventive wrist or ankle strap in contact with bare skin. Always connect the ESD strap with a banana plug to a proper ESD grounding point, typically located off the front of the equipment rack.
Prerequisites
Ensure the following:
secure all tools for anchoring and installing the brackets and rack follow all safety instructions verify that the rack is properly bolted and braced and is well grounded to a
grounding electrode
refer to the rack manufacturer documentation for instructions

Rack installation
Each 9900 WNG server includes a rack mount kit to install the server in a 19-in rack, with four extension brackets to support a 23-in rack. Procedure 4-2 describes how to assemble the rack mount for a 4-post rack. Procedure 4-3 describes how to assemble the rack mount for a 2-post rack.
Procedure 4-2 To install the 9900 WNG in a 4-post rack

Before you begin to install your system in the rack, carefully read any safety instructions, cautions and warnings that are associated with the installation activities.
If you are installing more than one system, install the first system in the lowest available position in the rack. Because of the size and weight of the system, never attempt to install the system in the mounting rails by yourself.
Caution Before you install systems in a rack, install the front and side stabilizers on stand-alone racks or the front stabilizer on racks joined to other racks. Failure to install stabilizers accordingly before installing systems in a rack could cause the rack to tip over, potentially resulting in bodily injury under certain circumstances. Always install the stabilizers before installing components in the rack.
1 Attach the two inner rails (marked LEFT and RIGHT) to the chassis, each with three 8-32x1/4 SEMS screws, as shown in Figure 4-1.
Figure 4-1 Attaching inner rails to the 9900 WNG
Attach the universal front mounting bracket to the chassis, each with two 8-32x1/4 SEMS screws.
Note The universal front mounting bracket can be flipped to position the system further forward in the rack, as shown in Figure 4-2.
4-7
4 9900 WNG Detector and Central server installation Figure 4-2 Universal front mounting bracket
Using two 8-32 KEPS nuts per L-bracket, assemble L-brackets to the outer rail's four outermost threaded studs. (Installation kit contains both EIA and ETSI L-brackets.) 23-in. Figure 4-3 shows the EIA L-brackets.
Figure 4-3 Outer rail assembly (EIA L-brackets)
4-8
Install the outer rail subassemblies into the rack using ten or twelve (19" or 23" kits, respectively) 10-32x1/2 SEMS screws. If bar-nuts are used, they must be installed such that all threads are aligned vertically, ensuring the center hole is not skewed with respect to the holes on the rack rail. Figure 4-4 shows the mounting bracket assembly.
Note 1 If mounting a 1U system in a 1U confined space, four 2U bar-nuts are included to replace the 1U bar-nuts. The 2U bar-nuts need to be installed in the 1U space either above or below the 1U space where this kit is being mounted. When installing multiple 1U systems, the 2U bar-nuts must be used in the next to last kit. Note 2 L-brackets must be adjusted front-to-back to fit rack depth. The distance between the front equipment mounting rail and rear equipment mounting rail cannot exceed 24 inches. Note 3 Mounting brackets must be adjusted based on rack depth.
Figure 4-4 Mounting bracket assembly
Slide the system into the rack making sure the inner rails are captured by the outer rails. Support the weight of the system until the lock features on the inner rails engage with the slot features on the outer rails. An audible click is heard. Figure 4-5 shows how to insert the 9900 WNG.
4-9
4 9900 WNG Detector and Central server installation Figure 4-5 Inserting the 9900 WNG
Note After engaged, the lock features must be released to remove the system from the rack. To release the lock features, depress the two latches with the blue arrows (one on either side) downward. While depressing the lock features and supporting the system weight, pull the system out. Pressure can be released after the lock features disengage from the outer rail. Figure 4-6 shows the lock features.
Figure 4-6 9900 WNG lock features
Install two 10-32X1/2 SEMS screws to hold the universal front mounting brackets to either the L-brackets or the rack's equipment mounting rails (23-in. or 19-in., respectively). Figure 4-7 shows the 9900 WNG installed using mounting brackets.
4-10
4 9900 WNG Detector and Central server installation Figure 4-7 Installing the 9900 WNG using mounting brackets
Note If installing into a 19-inch 4-post rack that has EIA wide hole spacing, the EIA wide adapter bracket must be used. Install this bracket onto the face of the L-brackets using the same 10-32x1/2 SEMS screws that fasten the L-brackets to the rack's front equipment mounting rails. Figure 4-8 shows the EIA wide adapter bracket.
Figure 4-8 EIA wide adapter bracket installation
Procedure 4-3 To install the 9900 WNG in a 2-post rack

1 2 Attach the two inner rails (marked LEFT and RIGHT) to the chassis, each with three 8-32x1/4 SEMS screws. Attach the universal front mounting bracket to the chassis, each with two 8-32x1/4 SEMS screws, as shown in Figure 4-9.
4-11
4 9900 WNG Detector and Central server installation Figure 4-9 Attaching mounting brackets to the 9900 WNG
Note The universal front mounting bracket can be flipped to locate the system further forward in the rack, as shown in Figure 4-10.
Figure 4-10 Universal front mounting bracket
Using three 8-32 KEPS nuts per L-bracket, assemble the appropriate L-brackets and the 2-post mounting bracket to the outer rail. (The kit contains both EIA and ETSI L-brackets.) The 2-post mounting bracket is installed onto the two front-most studs, overlapping the front L-bracket and sharing two threaded studs with it. 23-inch EIA L-brackets are shown in Figure 4-11.
4-12
4 9900 WNG Detector and Central server installation Figure 4-11 EIA L-bracket assembly
Install the two outer rail subassemblies in the rack using twelve 10-32x1/2 SEMS screws or other appropriate fasteners. If bar-nuts are used, they must be installed such that all threads are aligned vertically, ensuring the center hole is not skewed with respect to the holes on the rack rail. Figure 4-12 shows the outer rail subassemblies.
Note 1 If mounting a 1U system in a 1U confined space, four 2U bar-nuts are included to replace the 1U bar-nuts. The 2U bar-nuts need to be installed in the 1U space either above or below the 1U space where this kit is being mounted. When installing multiple 1U systems, the 2U bar-nuts must be used in the next to last kit. Note 2 L-Brackets must be adjusted front-to-back to fit rack channel depth.
Figure 4-12 Outer rail subassemblies
Slide the system into the rack making sure the inner rails are captured by the outer rails. Support the weight of the system until lock features on the inner rails engage with the slot features on the outer rails, as shown in Figure 4-13. An audible click is heard.
4-13
4 9900 WNG Detector and Central server installation Figure 4-13 Inserting the 9900 WNG
Note After engaged, the lock features must be released to remove the system from the rack. To release the lock features, depress the two latches with the blue arrows (one on either side) downward. While depressing the lock features and supporting the system weight, pull the system out. Pressure can be released after the lock features disengage from the outer rail. Figure 4-14 shows the lock features.
Figure 4-14 9900 WNG lock features
Install two 10-32X1/2 SEMS screws to hold the universal front mounting bracket to the 2-post mounting bracket, as shown in Figure 4-15.
4-14
4 9900 WNG Detector and Central server installation Figure 4-15 Attaching the 2-post mounting bracket
4.5
Grounding a DC-powered server

9900 WNG equipment powered using a DC power supply must be properly grounded. The ground terminal cable has the following requirements:
The copper wire that is used for grounding must be a 6 AWG copper wire. Double lug terminals must have 45 angle tongue. The ring terminal must have an inner diameter of 1/4 inch (5 to 7 mms) on a 5/8
inch (1.5875 cm) spacing with a width of 0.48 inches.
Figure 4-16 Grounding terminals: 9900 WNG rear view
The length of the grounding wire depends on the location of the router and the proximity to proper grounding facilities. Two grounding screws are located on the rear side of the server. See section 4.2 for more information about DC power connections.
4-15
Prerequisites and safety precautions

The ground wire has the following requirements:
The server must be connected to a reliable earth ground. The earth ground wire
must be installed in accordance with local safety standards.
The server ground wire must be connected directly to the cabinet or frame ground
which is ultimately connected to earth ground. Do not connect the server ground point to the VRTN path of the DC supply. See section 3.2 for more information about safety requirements.
Danger 1 Before powering-up the shelf, ensure the ground
terminals are connected to the protective PE of the building.

Danger 2 Ensure the power is turned off before making power
connections, and after the power connection is made, do not touch the power terminals.
Procedure 4-4 To prepare the ground wire

1 2 3 Using a wire-stripping tool, strip the insulation from the wire. Slide the open end of the ground lug (accessory box) over the exposed area of the prepared wire. Using a crimping tool, crimp the ground lug to the wire.
Procedure 4-5 To ground the server

1 2 3 4 Remove the nuts and washers from the ground lugs on the rear side of the server, on the top left side. Using the prepared ground wire, place the ground lug through the two server ground screws. Install locking washers and nuts. Torque the nuts to 10 in-lbs. Connect the opposite end of the grounding cable to the appropriate grounding point at your site to ensure adequate server ground according to local safety codes.
4-16
4.6
Connecting the cables

The cable connections required for the 9900 WNG depend on the configuration of your network and the external ports on your 9900 WNG Detector devices. In general, you need to create the following cable connections:
a connection between the 9900 WNG Central and any associated 9900 WNG
Detectors, either through a network or a direct cable connection a connection that provides the 9900 WNG Detector with an appropriate network traffic feed. See chapter 2 for more information about tap points and the network traffic feed. a connection between the 9900 WNG Central and the external disk drive an optional connection between the 9900 WNG Central and a separate BMC lights-out management network an optional connection between the 9900 WNG Detector and a separate BMC lights-out management network
Figure 4-17 shows the cable connections for a 9900 WNG system where the 9900 WNG Detectors are connected to the 9900 WNG Central using a LAN.
Figure 4-17 9900 WNG cable requirements using a LAN
Network Traffic Tap points 9900 WNG Detector 9900 WNG Detector 9900 WNG Detector
1 LAN Management network Ethernet cable Ethernet cable
9900 WNG Central
SAS cable
External disk drive
21209
Figure 4-18 shows the cable connections for a 9900 WNG system where a 9900 WNG Detector is connected directly to the 9900 WNG Central using a cross-over cable.
4-17
4 9900 WNG Detector and Central server installation Figure 4-18 9900 WNG cable requirements using a direct connection
Network Traffic Tap points 9900 WNG Detector 9900 WNG Detector 9900 WNG Detector
LAN Management network Ethernet cable
Ethernet cable 9900 WNG Central
SAS cable
External disk drive
21210
9900 WNG Central external ports

Table 4-5 describes the external ports on the 9900 WNG Central.
Table 4-5 9900 WNG Central external ports
External port Ethernet port 1 Function Provides access to the 9900 WNG Central GUI, CLI, and web-based reports. The port can be connected to a network that provides communication between the 9900 WNG Central and any 9900 WNG Detectors. This port can also be used to connect to a BMC lights-out management network. Used to connect the 9900 WNG Central to a 9900 WNG Detector or a BMC lights-out management network. If neither of these connections are required, then the port is unused. Used to connect the 9900 WNG Central to an external disk array
Ethernet port 2
SAS port
9900 WNG Detector external ports

Table 4-6 describes the external ports on the 9900 WNG Detector.
4-18
4 9900 WNG Detector and Central server installation Table 4-6 9900 WNG Detector external ports
External port Ethernet port 1 Function Used to connect the 9900 WNG Detector to the 9900 WNG Central, either using a network or directly using a cross-over cable Can be used to connect the 9900 WNG Detector to a BMC lights-out management network Used to connect the 9900 WNG Detector to a network traffic feed. A packet capture card has one of the following sets of ports:
Ethernet port 2 Packet capture card
one 10Gb/s port, which requires an XFP optical transceiver four 1Gb/s copper SFP ports four 1Gb/s optical SFP ports
Cable connections
Perform Procedure 4-6 to connect cables to 9900 WNG Detector servers. Perform Procedure 4-7 connect cables to a 9900 WNG Central server
Caution Connecting the 9900 WNG to a router is only recommended if the 9900 WNG and the router are on the same grounding plane, either isolated or integrated. Otherwise, Alcatel-Lucent recommends using a demarcation patch panel, and the Ethernet cable shields must terminate at the ground.
Procedure 4-6 To connect cables for a 9900 WNG Detector

1 Connect a Ethernet cable to Ethernet port 1 on the 9900 WNG Detector. If you are directly connecting to a 9900 WNG Central, use a cross-over cable. If you are connecting to a router or patch panel, use a straight cable. Perform one of the following: a b To connect the 9900 WNG Detector to a management LAN, connect the other end of the Ethernet cable to a router or patch panel. To connect the 9900 WNG Detector directly to the 9900 WNG Central, connect the other end of the Ethernet cable to Ethernet port 2 on the 9900 WNG Central.
3 4
If you are using a separate BMC lights-out management network, connect the Ethernet cable for the BMC network to Ethernet port 2 on the 9900 WNG Detector. Connect cables for designated network taps in your network to the ports on the capture card. The ports available, and the cables required, depend on the capture card that is installed in the 9900 WNG Detector. Repeat steps 1 to 4 for all other 9900 WNG Detectors.
4-19
Procedure 4-7 To connect cables for a 9900 WNG Central server

Note You cannot connect the 9900 WNG Central to a separate BMC lights-out management network and directly to a 9900 WNG Detector at the same time, as both connections use Ethernet port 2.
1 Connect the 9900 WNG Central to your OAM network by performing the following: i ii 2 Connect an Ethernet cable to Ethernet port 1 on the 9900 WNG. Connect the other end of the cable to a router or patch panel in your OAM network.
If you need to connect the 9900 WNG Central directly to a 9900 WNG Detector, perform the following: i ii Connect a cross-over Ethernet cable to Ethernet port 2 on the 9900 WNG Central. Connect the other end of the cable to Ethernet port 1 on the 9900 WNG Detector.
If you need to connect the 9900 WNG Central to a separate BMC lights-out management network, perform the following: i ii Connect an Ethernet cable to Ethernet port 2 on the 9900 WNG Central Connect the other end of the cable to a router or patch panel in your maintenance network.
Connect the 9900 WNG Central to the external disk array using a mini-SAS cable.
Connecting power cables

Connect the power cables to each server and the power source. See chapter 5 for information about how to power up the system.
4-20
Powering up, powering down, and resetting 9900 WNG components
5.1 Powering up and down the 9900 WNG Central and Detector overview 5-2 5.2 Powering up and down the 9900 WNG Central 5.3 Powering up and down a 9900 WNG Detector 5-2 5-4
5.4 Powering up, powering down, or resetting the 9900 WNG Detector or Central using the BMC device 5-5
5-1
5 Powering up, powering down, and resetting 9900 WNG components
5.1
Powering up and down the 9900 WNG Central and Detector overview
You can power up, power down, and reset the 9900 WNG Central and Detector servers.
Powering up the 9900 WNG Central and Detector

You can power up a 9900 WNG Central or Detector locally by using the power switch on the control panel of the 9900 WNG Central and Detector server. The power switch controls the system power.
Powering down the 9900 WNG Central and Detector

You can power down a 9900 WNG Central or Detector on the 9900 WNG Central or Detector and using a CLI command. You must have the sudo role to power down a 9900 WNG Central or Detector.
5.2
Powering up and down the 9900 WNG Central

Perform Procedure 5-1 to power up a 9900 WNG Central. You can also power up the 9900 WNG Central remotely using the BMC device, as described in section 5.4. Perform Procedure 5-2 to power down the 9900 WNG Central server.
Procedure 5-1 To power up 9900 WNG Central

1 2 Ensure that the unit is plugged in and that the power cables are connected. Locate the power switch on the control panel. The control panel is located in the front panel of the 9900 WNG Central, on the top right corner. Figure 5-1 shows the 9900 WNG Central Control panel.
5-2
5 Powering up, powering down, and resetting 9900 WNG components Figure 5-1 9900 WNG Central control panel
Press and release the power switch. The following LEDs are green:
NIC LED PWR LED
Procedure 5-2 To power down the 9900 WNG Central

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Power down the 9900 WNG Central by typing:
system shutdown
The following in an example of the output: Broadcast message from root (pts/2) (Fri Jan 18 09:21:31 2008): The system is going down for system halt NOW!
5-3
5.3
Powering up and down a 9900 WNG Detector

Perform Procedure 5-3 to power up a 9900 WNG Detector device. You can also power up the server remotely using the BMC device, as described in section 5.4. Perform Procedure 5-4 to power down a 9900 WNG Detector device.
Procedure 5-3 To power up a 9900 WNG Detector

This procedure takes approximately 5 min to complete. 1 2 Ensure that the unit is plugged in and that the power cables are connected. Locate the power switch on the control panel. The control panel is located on the front panel of the 9900 WNG Detector device, on the upper-right corner. Figure 5-2 shows the 9900 WNG Detector Control panel.
Figure 5-2 9900 WNG Detector Control panel
Press and release the power switch. The following LEDs are green:
NIC LED PWR LED
5-4
Procedure 5-4 To power down the 9900 WNG Detector

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Access the Detector tab on the Topology view to obtain the IP address of the 9900 WNG Detector to power down by typing:
detector detectorname
where detectorname is the name or IP address of a 9900 WNG Detector
Power down the 9900 WNG Detector by typing:

system shutdown
The following is an example of the output:

Broadcast message from root (pts/1) (Fri Jan 18 09:20:27 2010): The system is going down for system halt NOW! Connection to 1.1.1.2 closed.
5.4
Powering up, powering down, or resetting the 9900 WNG Detector or Central using the BMC device
Perform Procedure 5-5 to power up, power down, or reset a 9900 WNG Detector Central using the BMC device.
Procedure 5-5 To power up, power down, or reset a 9900 WNG Detector or Central using the BMC device
1 Ensure that the following tasks have been completed:
The BMC interface has been configured, as described in Procedure 7-2. The IPMI management utility has been installed on the machine (Linux or Windows) from which you need to access the BMC.
Power up, power down, or reset a 9900 WNG Detector or Central by typing:
hwreset [-d|u|c] -N nodename -U admin -P password
The following example shows the hwreset command that was used to power down a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin:
hwreset -d -N 1.1.1.2 -U admin -P admin hwreset ver 1.30 Opening connection to node 1.1.1.2... -- BMC version 0.62, IPMI version 2.0
5-5
hwreset: powering down ... chassis_reset ok hwreset: IPMI_Reset ok hwreset: completed successfully
The following example shows the hwreset command that was used to power up a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin:
hwreset -u -N 1.1.1.2 -U admin -P admin hwreset ver 1.30 Opening connection to node 1.1.1.2... -- BMC version 0.62, IPMI version 2.0 hwreset: powering down ... chassis_reset ok hwreset: IPMI_Reset ok hwreset: completed successfully
The following example shows the hwreset command that was used to reset or power cycle a 9900 WNG Detector or Central with IP address 1.1.1.2 and remote password admin.
hwreset -c -N 1.1.1.2 -U admin -P admin hwreset ver 1.30 Opening connection to node 1.1.1.2... -- BMC version 0.62, IPMI version 2.0 hwreset: powering down ... chassis_reset ok hwreset: IPMI_Reset ok hwreset: completed successfully
5-6
Commissioning
6-1 7-1
7 Mandatory configuration procedures
License requirements
6.1 Licensing overview
6-2 6-3 6-3
6.2 Obtaining a license file
6.3 Installing the license file on the 9900 WNG Central
6-1
6.1
Licensing overview
A valid product activation license file must be obtained and installed on the 9900 WNG Central. The license file determines the releases of the 9900 WNG that can be installed. The license file supports specific releases of the 9900 WNG. For example, if you have a license file for Release 2.1, you can install the 9900 WNG, Release 2.1 or earlier; a release later than 2.1 is not supported. Typically, the license file is already installed on your system, but you can obtain the license file by contacting your Alcatel-Lucent account representative. Table 6-1 describes the parameters that are in the license file.
Table 6-1 License file
Parameter Hostid Version Expiration Date Max Sessions Description The hostid must match the hardware hostid of your 9900 WNG Central machine. The version number must indicate a later version of the 9900 WNG product release than what is currently installed on 9900 WNG Central. The license is valid until the expiration date and time. After the license expires, the 9900 WNG in inoperable. You can obtain a permanent license that does not expire. The maximum number of simultaneous active subscriber sessions that can be viewed in the network at any time across all of the 9900 WNG Detectors. If the number of sessions exceeds the license maximum session limit, the following events may occur:
the system operates up to the session limit key information that is related to additional subscriber sessions is lost anomaly events and report information are not accurate because of lost information
See chapter 35 for information about how to view the current license status and license violation system events.
License limit exceeded

When the number of observed sessions exceeds 85% of the maximum limit, a warning is sent to the NMS by an SNMP trap. This warning also appears on the GUI System Events View. When the number of sessions exceeds the limit, a critical system event alarm is generated. When the number of sessions drops below 80% of the session maximum, the license limit exceeded condition is cleared automatically.
License expiration
A license expires if an expiration date is specified in the license. Otherwise, the license is a permanent license. When a license has an expiration date, the license expires within 12 hours after the end of the day that is specified by the expiration date in the license. A license expiration check is performed every 12 hours, unless the license expiration field is specified as permanent. When a license expires, a critical system event is generated and an SNMP trap is sent to the northbound NMS.
6-2
Retrieving license expiration data

License expiration warnings start five days before the expiration date and then every 12 h until the license is renewed or expires. To view these warnings, use one of the following:
show license CLI command System Events View in the GUI
6.2
Obtaining a license file

You must obtain a valid 9900 WNG product activation license file (alu9900.lic) from your Alcatel-Lucent representative. Only one license file is required by the 9900 WNG. To obtain a license, you must have the following information:
maximum number of simultaneous mobile subscriber data sessions aggregated

from all 9900 WNG Detectors that you need to support hostid that matches the 9900 WNG Central duration of license Before you obtain a license, you need the host identifier of 9900 WNG Central. The host identifier should match the serial number in the license file. Perform Procedure 6-1 to obtain the host identifier of 9900 WNG Central.
Procedure 6-1 To obtain the host identifier of 9900 WNG Central

1 2 Log in to the CLI, as described in Procedure 14-1 or 14-2. Display the hostid by typing:
show hostid
The hostid is displayed.
6.3
Installing the license file on the 9900 WNG Central

Licenses are installed on the 9900 WNG through a license file (alu9900.lic) that you copy to the 9900 WNG Central using the load license CLI command. The load license command copies the license file to the 9900 WNG Central. After the data in the license file has been verified and validated, the 9900 WNG Central is activated.
Note The license file can be updated on the 9900 WNG Central at any time using the load license command which forces Central to reread and revalidate/reprocess the file; an expiring license can be reloaded without downtime.
6-3
Perform Procedure 6-2 to install a new license on the 9900 WNG Central server. A new license may be required in the following cases:
the initial install of the product license on a new system the license has expired or is near the expiration date and a new one has been
obtained to extend the expiration date a license has been obtained to increase the number of monitored simultaneous mobile sessions the system has been upgraded to a new release and a new license has been obtained to activate the software
Procedure 6-2 To install a new license on the 9900 WNG Central

This procedure allows the license file to be imported from a USB memory stick or SCP. 1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Type:
load license location_type location
where location_type is USB or SCP location is an SCP location, if you are using SCP
The 9900 WNG Central verifies and validates the license file. Information about the license is loaded into the 9900 WNG; for example, version, expiration date, quantity, and issue date.
6-4
7.1 Mandatory configuration procedures overview 7.2 Mandatory configuration procedures 7-2
7-2
7-1
7.1
Mandatory configuration procedures overview

Mandatory configuration procedures are the tasks that you must performin the order they are listedto configure and provision the 9900 WNG Central and Detector for the first time. See chapter 12 for the optional configuration procedures that you may need to perform, depending on the configuration of your network.
7.2

Perform the tasks that are listed in Table 7-1, in the order they are listed, to configure the 9900 WNG system.
Table 7-1 Mandatory configuration procedures
Task To perform the prerequisites to configure the management interface and BMC LAN on a 9900 WNG server To configure the management interface and BMC LAN on the 9900 WNG Central and Detector (1) To provision the 9900 WNG Central To provision the 9900 WNG Detector server
(1)
See Procedure 7-1 7-2 7-3 7-4
Note
(1)
Repeat this task for each 9900 WNG Detector.
Procedure 7-1 To perform the prerequisites to configure the management interface and BMC LAN on a 9900 WNG server
1 2 3 Install the 9900 WNG Central and Detector servers in equipment racks. See chapter 4 for more information. Connect all necessary cables. See chapter 4 for more information. Save the 9900 WNG Central license key as alu9900.lic on a USB storage device. See chapter 6 for more information.
7-2
Ensure that you have an LMT available to configure the 9900 WNG Detector and Central servers. The LMT can be a laptop or workstation. The examples in this chapter assume the use of a laptop. Obtain the following information:
9900 WNG Central
IP address hostname DNS servers IP address hostname DNS servers
9900 WNG Detector
IP address of the NTP server
Procedure 7-2 To configure the management interface and BMC LAN on the 9900 WNG Central and Detector
1 2 3 Perform Procedure 7-1 to complete the prerequisites. Connect your LMT to the management interface on the 9900 WNG. On the LMT, open a terminal emulation program and create a serial connection to the 9900 WNG. Table 7-2 lists the properties for the serial connection.
Table 7-2 Serial connection properties
Attribute Speed Data bits Parity Stop bits Flow control Terminal emulation Value 9600bps 8 bits None 1 None VT1000
At the prompt, log in as root. If you are accessing the BMC on the 9900 WNG for the first time and you do not know the password, contact your Alcatel-Lucent technical support representative. You are prompted to enter a new root password after you log in.
Start the network configuration script by typing:

run /sdbin/networkConfig
The network configuration script menu appears:

1) Configure Interfaces 2) Set Hostname 3) Set DNS 4) Configure BMC 5) Exit Please select an option
When prompted, start the interface configuration tool by typing:

1
7 8 9
Use the arrow keys to select the Edit a device params option, and press the space bar. Select the eth0 option, and press the space bar. The configuration menu for Ethernet port 0 appears. Configure the attributes, as described in Table 7-3.
Table 7-3 BMC ethernet port attributes
Attribute Static IP Netmask Default gateway IP Value The IP address of the 9900 WNG The network mask for the 9900 WNG The IP of the gateway for the 9900 WNG
10 11
Click on OK, and then click on Quit. The network configuration script menu is displayed. Specify the hostname of the 9900 WNG by typing:
2 hostname
where hostname is the hostname of the 9900 WNG
12
Specify the IP address of the DNS server for the 9900 WNG by typing:
3 IP.address
where IP.address is the IP address of the DNS server for the 9900 WNG
13
Open the BMC LAN configuration menu by typing:

4
The BMC LAN configuration menu appears:

1) Set IP 7-4 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
2) Change Password 3) Exit Please select an option
14
Configure the BMC LAN IP information by typing:

1
15 16
When prompted, enter the IP address, network mask, and IP gateway for the BMC interface. Configure the password for the BMC LAN by typing:
2 password
where password is the new password for the BMC LAN
17
Exit the configuration script by typing:

3 5
18
Restart the 9900 WNG by typing:

reboot
Procedure 7-3 To provision the 9900 WNG Central

1 2 Log in to the 9900 WNG Central as root using SSH, as described in Procedure 14-1. Specify the IP address of the NTP server for the 9900 WNG Central by typing:
ntp server add IP_address
where IP_address is the IP address of the NTP server.
Start the NTP server by typing:

ntp enable
Add your license file to the 9900 WNG Central by typing:

load license USB start_central
See chapter 6 for more information about licenses.
7-5
5 6
Add a new user to the 9900 WNG Central, as described in Procedure 36-1. Repeat step 5 to add new users, as required.
Procedure 7-4 To provision the 9900 WNG Detector server

1 2 Log in to the 9900 WNG Central as root using SSH, as described in Procedure 14-1. Register the new 9900 WNG Detector with the 9900 WNG Central by typing:
detector add IP_address name group
where IP_address is the IP address of the 9900 WNG Detector, name is the name of the 9900 WNG Detector, and group is the group to which the 9900 WNG Detector belongs.
Log in to the 9900 WNG Detector remotely by typing:

detector detector_name
where detector_name is the name of the 9900 WNG Detector that you specified in step 2.
Configure the NTP server address for the 9900 WNG Detector by typing:
ntp server add IP_address
where IP_address is the IP address of the 9900 WNG Central.
Enable NTP on the 9900 WNG Detector by typing:

ntp enable
7-6
Hardware maintenance
8 Replacing CRUs
8-1
Replacing CRUs
8.1 CRU overview
8-2 8-2
8.2 Replacing hardware precautions 8.3 Replacing a power supply 8.4 Replacing a hard disk drive 8-3 8-4
8-1
8 Replacing CRUs
8.1
CRU overview
CRUs are components that can be removed and replaced by service provider personnel without technical assistance or special training from Alcatel-Lucent. Table 8-1 describes the CRUs on the 9900 WNG Central and Detectors that you can use for ordering.
Table 8-1 CRUs on the 9900 WNG Central and Detector servers
Orderable item 300988870 300988888 300988896 Description SPARE, HARD DISK DRIVE, 147GB SAS, FOR ALU9900WNG CENTRAL/DETECTOR SPARE, POWER SUPPLY, AC PWR INPUT, FOR ALU9900WNG CENTRAL/DETECTOR SPARE, POWER SUPPLY, 48VDC PWR INPUT, FOR ALU9900WNG CENTRAL/DETECTOR Comm code 409073657 409073632 409073640
Table 8-2 lists where to find more information.

Table 8-2 CRU information
For information about 9900 WNG Detector and Central server installation Hardware status and fault reporting Hardware Failure system events See Chapter 4 Chapter 37 Section 38.13
8.2
Replacing hardware precautions

The following are installation safety precautions:
Follow all installation instructions. Remove rings and watches before beginning the procedure to avoid a short across
the high-current power supply output terminals Never install telecommunication wiring or connections during lightning storms or in wet areas. Never touch uninsulated wires or terminals unless power has been disconnected at the interface.
8-2
8 Replacing CRUs
Electrostatic discharge precautions

Components are sensitive to ESD. The following are precautions to prevent injury or damage from electrostatic discharge:
Wear a grounding strap when working with any parts of the system. Minimum
acceptable precautions include a grounded wrist or heel strap that is attached to the frame and a grounded, static-dissipating floor mat. Work in an area that is protected against electrostatic discharge. Use conducting floor and bench mats that are conductively connected to the rack electrostatic protection bonding point. Wear working garment made of 100% cotton to avoid electrostatic charging. Ensure that the rack is grounded.
8.3
Replacing a power supply

Perform Procedure 8-1 to replace a faulty power supply on a 9900 WNG Central or Detector. Perform this procedure when troubleshooting or when fault clearance procedures indicate that there is a need to replace a power supply.
Procedure 8-1 To replace the power supply

This procedure requires the following tools and materials:
antistatic wrist strap electrostatic discharge mat a replacement power supply module
This procedure typically takes 10 min to perform.
Note The AC cord is a standard cord that plugs into an AC receptacle. To disconnect it, pull the plug from the power supply.
The DC connection has a short cable that is attached to the power supply on one end, and a connector on the other end. That connector plugs into the permanently connected power feed that has the mating connector. Power can be removed by either separating the connectors, or, if the power feeds are attached on an upstream circuit protector (breaker or fuse), to remove power, open the circuit protector. 1 2 Power down the device, as described in Procedure 5-2 (9900 or 5-4 (9900 WNG Detector).
WNG Central)
Disconnect the appropriate power cord. The power cord connections for DC and AC power supply modules are shown in Figure 8-1.
8-3
8 Replacing CRUs Figure 8-1 Power supply module
3 4 5 6 7
Press the green safety lock down and hold. Grasp the handle, pull the module out, and place it on the electrostatic discharge mat. To insert a new power supply, press and hold the green safety lock downward and slide the power supply module into the chassis slot. Reconnect the power cables or close the circuit protector, and then power up the unit. After a few minutes, the unit powers up. Verify that the power supply module that you just installed is functioning properly by checking the green power LED. If the power LED reports power supply failure, contact your Alcatel-Lucent technical support representative.
8.4
Replacing a hard disk drive

Each drive has two small LEDs located just to the left of the green release button. When a hard disk drive is operating properly, the lower LED is green and is illuminated steadily and the upper LED is amber. When a drive is faulted, the green LED is dark and the amber LED is illuminated steadily. Hard disk drive bay numbering is shown in Figure 8-2.
8-4
8 Replacing CRUs Figure 8-2 Hard drive numbering
When you remove a hard disk drive, a major alarm is generated. The alarm continues to be generated even after you have replaced the hard drive. The CLEI labels are shipped in a three-label set. The replacement hard disk drive should be affixed with two text CLEI labels. The third (2D) CLEI label, shipped loose with the drive, should be affixed to the carrier after the drives are swapped. The old 2D label on the carrier have the serial number of the drive embedded in the data, so it should be covered with the new label. Perform Procedure 8-2 when troubleshooting or when fault clearance procedures indicate that there is a need to replace a hard disk drive.
Procedure 8-2 To replace a hard disk drive

This procedure requires the following tools and materials:
Antistatic wrist strap Electrostatic discharge mat A replacement hard disk drive CLEI label for the replacement hard disk drive
This procedure typically takes 5 to 10 min to perform. 1 Attach the antistatic wrist strap to the grounding lug on the equipment rack.
Danger A wrist strap must be worn that is attached to the cabinet framework at an ESD grounding point. Hold components only at the edges or on the insertion and removal facilities. Always observe general ESD instructions.
2 On the lower-left front panel of the 9900 WNG Detector or Central server, locate the faulty hard disk drive.
Caution Ensure that you are removing a faulty hard disk drive. Removing an operating hard disk drive can cause system failure!
8-5
8 Replacing CRUs
Remove the front bezel using the following instructions: a b c Disconnect the cables from the front panel USB port and / or serial port connectors. Loosen the bezel retention screw from the right side (A). Rotate the bezel outward as shown and remove (B).
Figure 8-3 Front bezel
Remove the drive tray by pressing the green button, opening the lever, and pulling out the hard drive/tray assembly.
Figure 8-4 Hard drive tray assembly, removed from the HDD bay.
Remove the four screws securing the hard drive to the tray. Remove the hard drive and place it on an antistatic discharge mat.
8-6
8 Replacing CRUs Figure 8-5 Hard drive unscrewed from the tray
6 7 8
Locate the old CLEI label on the tray and cover it with the new CLEI label. Install the new drive into the tray and secure it with four screws. With the drive tray locking lever in the fully open position, slide the hard drive/tray assembly into the chassis opening until it stops. Close the lever, pressing it until it snaps shut.
8-7
8 Replacing CRUs Figure 8-6 Replacement hard drive assembly before insertion into chassis
Replace the bezel on the device. a b c Align the four tabs on the left side of the bezel with the slots in the front panel. Then, rotate the free end of the bezel to the closed position. Snap the front bezel into place and tighten the screw at the right edge of the bezel (if used). Re-connect the serial port and USB cables if they are used.
10
Verify that the major alarm has cleared.
8-8
Software maintenance and upgrades
9 Managing software
9-1
Managing software
9.1 9900 WNG software upgrade overview 9.2 Software upgrade CLI commands 9.3 Software repositories 9-3 9-5 9-2
9-2
9.4 Software upgrades and updates
9-1
9 Managing software
9.1
9900 WNG software upgrade overview

You need to upgrade the software on the 9900 WNG Central and Detector servers when there are:
OS updates or patches are available that the 9900 WNG needs 9900 WNG application software updates
Software upgrades and updates for the 9900 WNG are performed using the software management tools that are described in Table 9-1.
Table 9-1 Software management tools
Software management tool RPM Description A core component of the Red Hat Enterprise Linux Operating System. RPM is a command line driven package management system that is capable of installing, uninstalling, verifying, querying, and updating computer software packages. Each software package consists of an archive of files along with information about the package such as its version, a description, and the like. A software package manager tool for installing, updating, and removing packages and their dependencies on RPM-based systems. It automatically computes dependencies and determines what should occur to install packages on the product. Yum makes it easier to maintain groups of machines without having to manually update each one using RPM.
Yum
You can use the 9900 WNG Central, an external repository, or a USB memory stick as the software repository. See section 9.3 for more information. CLI commands are used for software upgrades and updates. See section 9.2 for more information about CLI commands and section 9.4 for more information about upgrade procedures.
9.2
Software upgrade CLI commands

CLI commands are used for 9900 WNG software upgrades and updates. You must have the sudo privilege on the 9900 WNG Central. Table 9-2 describes the CLI upgrade commands.
9-2
9 Managing software Table 9-2 CLI upgrade commands

CLI command show software repo all show software repo alu9900 show software repo central show software repo detector show software installed central show software installed central [all] show software installed detector <detectorName> show software installed detector all <detectorName> install software central <packageName> update software central [packageName] install software detector <detectorName> <packageName> install software detector <detectorName> [packageName] Description Displays all of the 9900 WNG application and OS packages that are in the repository Displays the 9900 WNG Central and Detector application packages in the repository that can be installed Displays the 9900 WNG Central application packages in repository that can be installed Displays the 9900 WNG Detector application packages in repository that can be installed Displays the 9900 WNG Central application packages that are installed Displays all of the 9900 WNG Central application and OS packages that are installed Displays the 9900 WNG Detector application packages that are installed Displays all of the 9900 WNG Detector application and OS packages that are installed on a specific 9900 WNG Detector Installs the specified 9900 WNG Central application or OS package on the 9900 WNG Central Updates a 9900 WNG Central application or OS package to the latest version that is available in the repository Installs the specified 9900 WNG Detector application or OS package on a specific 9900 WNG Detector Updates a 9900 WNG Detector application or OS package to the latest version that is available in the repository
Note For the install CLI commands, the packageName contains the version of the software package to be loaded. For the update CLI commands, you do not need to specify the version of the software package because the most current version of the software package that is in the repository is loaded.
The following is an example of the install software central command:

install software central aware-central-0.7-11984
The following is an example of the update software central command:

update software central aware-central
9.3
Software repositories
You can use any of the following as a software repository:
the 9900 WNG Central (on a disk that is reserved for software updates or
upgrades) an external repository that is not on the 9900 WNG Central server a USB memory stick
9 Managing software
The 9900 WNG Central and Detectors are upgraded independently of each other on a per machine basis. The 9900 WNG Central can serve as the repository for 9900 WNG Detectors.
Configuring the 9900 WNG Central server as the software repository

Perform Procedure 9-1 to configure the 9900 WNG Central server as the software repository.
Procedure 9-1 To configure the 9900 WNG Central as the software repository
When you use the 9900 WNG Central server as the software repository, the area that is reserved on the hard disk for the repository is at: /var/www/aware-yum. 1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Enable the 9900 WNG Central Repository by typing:
repo enable central
Perform Procedure 9-5 to upgrade software on the 9900 WNG Central using the 9900 WNG Central as the repository.
Displaying the enabled software repository

Perform Procedure 9-2 to display the enabled software repository.
Procedure 9-2 To display the enabled software repository

1 2 Access the CLI, as described in Procedure 14-1 or 14-2. Display the enabled software repository by typing:
show repoStatus
The following output example shows which external repository is enabled:

external repository enabled. (https://yumuser:get-updates@ mh.lucent.c om/aware-current/) central repository disabled. local repository disabled. Yum proxy is disabled.
9-4
9 Managing software
9.4
Software upgrades and updates

Software updates or upgrades are software packages that provide fixes and or new features and functions for software releases that are already released. Table 9-3 lists the procedures to load software upgrades or updates.
Table 9-3 Software upgrades or updates procedures
To To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository To upgrade software on the 9900 WNG Central and Detector using an external software repository To upgrade software on the 9900 WNG Central and Detector using a USB removable hard drive as the software repository To display the software packages that are in the software repository See Procedure 9-3 9-4 9-5 9-6
Upgrading software
The following procedures describe how to upgrade software on the 9900 WNG Central.
9-5
9 Managing software
Procedure 9-3 To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository
1 2 Perform Procedure 9-1 to configure the 9900 WNG Central as the software repository. Import the RPMs into the repository on the 9900 WNG Central server by performing one of the following: a Import the software packages from a USB memory stick that is installed in the 9900 WNG Central server by typing:
repo import usb
Note The CLI command searches for /repo on the USB memory stick. All USB memory sticks that contain the 9900 WNG and/or OS software upgrades/updates are created by your Alcatel-Lucent technical support representative.
b Import the software packages from a secure file copy from an external machine by typing:
repo import scp user@host:/pathname
Note The path in the CLI command must be the path of an existing software repository that was initially created by your Alcatel-Lucent technical support representative.
3 Start the software upgrade or update by performing one of the following: a Upgrade or update the software on the 9900 WNG Central server by typing:
update software central packageName
where packageName is the name of the software to upgrade or update
The command updates all of the 9900 WNG Central servers and OS packages that are available in the repository.
Note Executing the update software central packageName only updates the package name that is included in the command line.
Upgrade or update the software on the 9900 WNG Detector server by typing:
update software detector detectorName packageName
where detectorName is the name of the 9900 WNG Detector packageName is the name of the software to upgrade or update
9-6
9 Managing software
The command updates all of the 9900 WNG Detectors and OS packages that are available in the repository.
Note Executing the update software detector detectorName packageName only updates the package name that is included in the command line.
Procedure 9-4 To upgrade software on the 9900 WNG Central and Detector using an external software repository
1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Configure the repository location by typing:
repo setExternal repo URL
where URL is https://yumuser:get-updates@hostname/path
Enable the repository by typing:

repo enable external
Start the software upgrade or update by performing one of the following: a Upgrade or update the software on the 9900 WNG Central server by typing:
The command updates all of the 9900 WNG Central application and OS packages that are available in the repository.
Note Executing the update software central packageName command only updates the package name that is included in the command line.
b Upgrade or update the software on the 9900 WNG Detector server by typing:
where detectorName is the name of a specific 9900 WNG Detector packageName is the name of the software to upgrade or update
9-7
9 Managing software
The command updates all of the 9900 WNG Detectors and OS packages that are in the repository.
Note Executing the update software detector detectorName packageName command only updates the package name that is included in the command line.
Procedure 9-5 To upgrade software on the 9900 WNG Central and Detector using a USB removable hard drive as the software repository
1 2 3 Logged into the CLI on the 9900 WNG Central with the sudo privilege, as described in Procedure 14-1 or 14-2. Install the USB memory stick that has been provided by your Alcatel-Lucent technical support representative into the 9900 WNG Central server. Type:
repo mount usb
Enable the USB repository by typing:

repo enable local
Start the software upgrade or update by performing one of the following: a Upgrade or update the software on the 9900 WNG Central server by typing:
The command updates the 9900 WNG Central server and OS packages that are available in the repository.
Note Executing the update software central packageName updates only the package name that is included in the command line.
Upgrade or update the software on the 9900 WNG Detector server by typing:
where detectorName is the name of a specific 9900 WNG Detector where packageName is the name of the software to upgrade or update
9-8
9 Managing software
The command updates the 9900 WNG Detectors and OS packages that are available in the repository.
Note Executing the update software detector detectorName packageName only updates the package name that is included in the command line.
Displaying software packages

Perform Procedure 9-6 to display the software packages that are in the software repository.
Procedure 9-6 To display the software packages that are in the software repository
1 2 Access the CLI with the user or admin privilege, as described in Procedure 14-1 or 14-2. Enter the following CLI command:
show software repo option
where option is one of the options that are listed in Table 9-4.
Table 9-4 Show software repo CLI command options

Option all alu9900 central detector Description Displays all of the 9900 WNG application and OS packages that are in the repository and can be installed Displays the 9900 WNG Central and Detector application packages that are in the repository and can be installed Displays the 9900 WNG Central application packages that are in the repository and can be installed Displays the 9900 WNG Detector application packages that are in the repository and can be installed
9-9
9 Managing software
9-10
USER GUIDE
Alcatel-Lucent 9900
USER GUIDE
Disclaimers
9900 WNG overview
10 9900 WNG system
10-1 11-1
10 9900 WNG system
10.1 9900 WNG overview
10-2 10-4 10-7
10.2 9900 WNG Detector and Central 10.3 9900 WNG external user interfaces
10-1
10 9900 WNG system
10.1
9900 WNG overview

The 9900 WNG monitors wireless data subscriber traffic and network signaling traffic to identify behaviors that threaten the performance of wireless data networks. The 9900 WNG performs the following monitoring tasks:
analyzes subscriber IP traffic using the hints extracted from wireless signaling
traffic profiles the behaviors of the network and endpoints (including subscribers and servers) detects and reports anomalous behaviors provides broad detection capabilities for issues that affect networks such as:
battery drain anomalies where IP layer activity causes excessive subscriber device
battery drain
signaling anomalies where IP layer activity cause excessive amount of signaling

events in the wireless network
RNC overload source of traffic that is not requested or wanted by wireless subscribers port scans for vulnerabilities and service exploitation (vertical port scans and
horizontal port scans) always active subscribers who have anomalously high usage of the radio channel high usage subscribers who consume significant amounts of bandwidth subscribers using peer-to-peer applications that may violate end-user agreements ICMP router discovery abuse that may disrupt active subscriber sessions flooded mobile, where a subscriber session is overwhelmed by unsolicited traffic battery drain anomalies from distributed sources where subscriber device battery is drained by unwanted traffic from multiple sources high signaling subscribers who contribute large amounts of signaling load to the network
For information about the attacks, see chapter 33. detects low-volume behaviors that consume anomalously high radio access network resources generates mobile flow records determines how subscriber IP traffic affects multiple layers of the network by measuring the consumption of network resources, such as air resources, signaling overhead, and bandwidth
Key 9900 WNG functions

Table 10-1 describes the 9900 WNG the key functions for wireless data operators.
Table 10-1 Key 9900 WNG functions
Key function Operations Description Service providers can determine which subscribers, servers, and applications are the most significant contributors of non-value-added traffic and load on the network, so they can remove that traffic from their network. The benefit is more efficient use of the installed base.
(1 of 2)
10-2
10 9900 WNG system
Key function Planning
Description Service providers can establish a baseline measurement of network use at the individual subscriber level, allowing more accurate predictions of network capacity trends. The benefit is better capacity planning and network architectures, along with savings in network build-out strategies. Service providers can ensure that packet transmissions from devices and networks are consistent with the design and are not being sent fraudulently. The benefit is a more predictable network performance, per design and specification Service providers can detect a new class of wireless-specific DOS attacks targeted at the signaling layer and exhausting RF channels, as well as the mobile devices that are directly or surreptitiously participating in the attacks. The benefit is reduced network outages and downtime. Service providers gain better ways to determine the network cost associated with supporting any application, thereby enabling applications-level ROI calculations. The benefit is increased awareness of the overall cost of delivering specific applications and services.
Engineering
Security
Marketing
(2 of 2)
Key 9900 WNG benefits

Table 10-2 describes the 9900 WNG the key benefits for wireless networks.
Table 10-2 Key 9900 WNG benefits
Key benefit Wireless networks have unique limited resources Description With the increase in sophistication of wireless devices and networks, increasingly complex threats have also emerged. Wireless networks, by nature of having limited air spectrum that must be shared, are susceptible to abuses of RF and mobile device signaling resources. These could include malicious attacks, but are also caused by the normal behaviors of IP applications. Detecting threats to wireless networks has proven to be highly challenging. Threats can originate from within the network and from the Internet. Network threats can exist at very low volumes or appear as normal activity. Wireless networks have limited resources with which to support the growing demand of data subscribers. In wireless networks, signaling resources and radio frequency capacity must be conserved and managed carefully to meet the ever-growing demands upon the network. The limited physical resources of wireless networks is another reason that a strong and effective security solution is needed. Many products exist in the market that address IP traffic management and control. However, these products do not address the needs of wireless data networks because they do not measure the impact that the traffic has on wireless resources. New solutions are required that strictly offer protection to the network gateway, the packet core, and the wireless access node. The solution must offer protection to the bearer and signaling path and the subscribers handset, and preserve air resources. The 9900 WNG solution has been designed specifically to identify and address the behaviors that threaten the performance of wireless data networking. With the visibility offered by the 9900 WNG, operators can better operate, optimize, manage, monitor, and secure their networks.
New wireless traffic behaviors threaten the capacity of wireless resources Existing solutions are inadequate
9900 WNG is an important new step
10-3
10 9900 WNG system
10.2
9900 WNG Detector and Central

The main components of the 9900 WNG system include:
9900 WNG Central 9900 WNG Detector

Figure 10-1 shows the 9900 WNG Detector and Central in a wireless network.
Figure 10-1 9900 WNG components in a wireless network
The connections between the 9900 WNG and other NEs in a wireless data CDMA network are shown in Figure 10-2.
10-4
10 9900 WNG system Figure 10-2 Network architecture for a CDMA environment
NMS
9900 WNG Central
9900 WNG Detector Servers
GGSN External Sources
AAA
RNC
BTS
SGSN GGSN AAA AAA

21186
RNC BTS
The 9900 WNG supports UMTS networks. The connections between the 9900 WNG and other network elements in a UMTS network are shown in Figure 10-3.
Figure 10-3 Network architecture for a UMTS environment
10-5
10 9900 WNG system
9900 WNG Detector

Table 10-3 describes the 9900 WNG Detector based on the location.
Table 10-3 9900 WNG Detector
Location CDMA environment Description In the network, a 9900 WNG Detector observes mirrored IP traffic between the AAA server and the PDSN, and between the HA and the PDSN. The 9900 WNG Detector monitors wireless traffic and reports anomalous behaviors to the 9900 WNG Central. The 9900 WNG Detector supports CDMA and UMTS technology at the same time. Wireless network The 9900 WNG Detector comprises purpose-designed hardware and software that monitors IP sessions and detects anomalous behaviors, registered to the individual subscriber level. The 9900 WNG Detector observes IP traffic mirrored from the packet core, as well as RADIUS traffic, interprets network events and states, and identifies anomalous traffic flow. The 9900 WNG Detector reports anomalies to the 9900 WNG Central to alert operators to take appropriate action. The 9900 WNG Detector identifies wireless specific anomaly events and notifies the 9900 WNG Central over a secure tunnel. All communication for configuration, bootstrap, and alarm reporting from the 9900 WNG Detector to the 9900 WNG Central component is through a SSL connection. The 9900 WNG Detector provides the following functionality:

UMTS environment
supports up to two million packets per second or up to 4 Gb/s, whichever is lower supports up to one million subscriber sessions supports up five million simultaneous flows tracks information from the subscriber registration activities to associate the dynamically assigned IP address with the user device identification and network path infers loads across the wireless data network by watching signaling and data traffic detects wireless 3G and 4G network anomaly behavior using proprietary algorithms monitors individual subscriber session behavior (Mobile Flow records) monitors mobile-to-mobile and Internet-to-mobile traffic
In the UMTS environment, the 9900 WNG Detector observes mirrored IP traffic on two interfaces: between the AAA Server and the SGSN (Serving GPRS Service Node) and between the SGSN and the GGSN (Gateway GPRS Service Node). It is expected that an available Ethernet port from each of these interfaces is available from a switch or router within the Service Providers network. To avoid congestion on the capture ports, the capture port speed shall match or exceed the snooped interface. The 9900 WNG Detector snoops the path to the mirrored AAA Server for information regarding active mobile IP data sessions and reports anomalous behavior to the 9900 WNG Central. The 9900 WNG Detector supports CDMA technology and Universal Mobile Telecommunications System (UMTS) technology at the same time.
9900 WNG Central

Table 10-4 describes the 9900 WNG Central based on the location.
10-6
10 9900 WNG system Table 10-4 9900 WNG Central

Location CDMA environment Wireless network Description The 9900 WNG Central has an EMS and also supports a northbound system log and SNMP interface to network management systems, if required. The 9900 WNG Central comprises hardware and software with which to manage a set of 9900 WNG Detectors. The 9900 WNG Central handles correlation and northbound reporting functions, and helps identify unwanted traffic on the network. The 9900 WNG Central uses application software to process anomaly event streams from the 9900 WNG Detector, generate alarms, generate daily and on-demand network usage reports, and report to northbound network and security operations platforms. The 9900 WNG Central collects event data and mobile flow records generated from multiple 9900 WNG Detectors that are deployed throughout a providers network and stores the information in a database. The 9900 WNG Central provides the following functionality:

UMTS environment
configures and manages 9900 WNG Detectors in the system as well as itself supports up to 10 Detectors provides GUI and CLI capabilities collects, stores, and reports event data and notifications from the Detectors provides a status display of the 9900 WNG system and provides the ability to relay status and alarm information on external and internal interfaces as needed by the configuration provides the WSP with a user-friendly means of observing, recording, and interpreting the alarms and reports on anomaly status downloads software upgrades to the Detectors manages events at an aggregated average rate of 2500 events per second manages servers at a peak rate of 10 000 events per second
The 9900 WNG Central has an EMS and also supports a northbound system log and Simple Network Management Protocol (SNMP) interface to the Network Management Systems (NMS), if required.
10.3
9900 WNG external user interfaces

Figure 10-4 shows the components of the 9900 WNG and the associated interfaces.
10-7
10 9900 WNG system Figure 10-4 9900 WNG external interfaces
The 9900 WNG external interfaces that are used to configure, monitor, and control NEs and their managed resources are:
9900 WNG Central webpage GUI CLI
NMS SNMP BMC
See chapter 13 for more information about 9900 WNG external interfaces.
10-8
11.1 9900 WNG Release 2.1 features
11-2
11-1
11.1
9900 WNG Release 2.1 features

Table 11-1 describes the features added in Release 2.1 of the 9900 WNG.
Table 11-1 9900 WNG Release 2.1 features
Feature
Description
Use
Platform, hardware, and system performance Platform software and firmware Increase platform memory Platform software and firmware are upgraded to the current versions Platform memory is increased to 64 Gbytes, which:
improves the system performance when running user reports on systems with data flows that are greater than 400 Mbytes per day increases the capacity of the 9900 WNG Central To process the maximum line rate of 4 Gb/s, whether the line rate is from a 4 x 1 Gb/s or one 10G interface. See chapter 2 for more information about port cards.
10 Gb/s tap port
Supports an optional 10 Gb/s traffic input port on the 9900 WNG Detector. You can order the 9900 WNG Detector with four 1 Gb/s tap ports or one 10 Gb/s tap port. Supports the tracking of hand ups and hand downs counts at the session level across 2.5G and 3G technologies. The 2.5G and 3G filter in the Subscriber Cumulative Distribution web report can be used to view the subscriber distribution across subscribers who operate only in 2.5G and 3G networks. Supports expanded redundant data storage for the 9900 WNG Central; for example 30 to 60 days of mobile flow and sessions record for forensic GUI reports, for approximately 400 days of long-term history for the web reports. The number of storage days can vary because of the network traffic load. A hot spare disk and RAID 5 configuration is used for increased reliability.
Tracking of hand ups and hand downs
External disk array
To store mobile flow and session records, and all of the long term data that is used for reporting. See chapter 4 for more information about the external disk array.
System administration Incremental backups Supports the incremental backup of the reports database To decrease the amount of time and resources to perform a backup of the reports database. See Procedure 39-2 to perform an incremental backup. Automatic saving of configuration changes Supports the automatic saving of 9900 WNG Detector configuration changes that were made using CLI commands. The changes are copied to the startup.xml file. The copy running startup CLI command is no longer required. To reduce system administration and decrease configuration errors. See Table 14-8 for descriptions of CLI commands.
Monitoring Disk failure monitoring Supports an SNMP trap and system event for disk failures on the 9900 WNG Central and Detector. A hot spare disk configuration in the external array is the default configuration. The hot spare disk configuration automatically replaces a problem disk that is in the RAID 5 configuration. To replace a failed disk. See section 38.13 for more information about the Hardware Failure system event. See Table 19-6 for more information about the HW Failure SNMP trap.
(1 of 6)
11-2
Feature Enhanced 9900 WNG Central monitoring
Description Supports the monitoring of the 9900 WNG Central using a heartbeat, system event, and SNMP trap if the 9900 WNG Central stops processing some events The show stats CLI command displays the current and peak rates of the 9900 WNG Detector traffic feed inputs. A system event is generated when the line rate is greater than or equal to:
Use To provide extra reliability and automatic recovery. See Table 19-6 for more information about the Process Down SNMP trap event. To determine whether the traffic feed input is reaching the maximum port line, which indicates a high probability that packets are being dropped before they reach the 9900 WNG Detector. See show stats in section 37.4 for more information. To size the backhaul communication from the 9900 WNG Detector to Central. See show backhaul in section 37.4 for more information for more information. To detect and monitor problems. See the following for more information:
Additional statistics

Backhaul information
950 MB/s for a 1 Gb/s interface 3900 MB/s for a 10 Gb/s interface
The show backhaul command displays the current and peak management backhaul communication rates between the 9900 WNG Detector and Central. Supports the following system events:
System events
Line rate thresholdto monitor the traffic feed to the 9900 WNG Detector Swap Usageto monitor potential performance degradation because the 9900 WNG Central or Detector is swapping to the disk, which indicates the system memory is at the maximum capacity Hardware Failurefor the external disk array when a problem is identified by the 9900 WNG, which indicates that disk may need to be replaced
section 38.11 for the Line rate threshold system event section 38.14 for the Swap Usage system event section 38.13 for the Hardware Failure system event
Advanced logging and monitoring CLI commands
Supports the following advanced logging and monitoring CLI commands:
To facilitate monitoring of the system and troubleshooting system problems. See Table 14-8 for descriptions of CLI commands. See chapter 37 for information about monitoring the 9900 WNG Central and Detector.
show log database show log compression show log central-err
User roles and privileges User roles and privileges Supports additional levels for the GUI and Web Reports role. GUI and Reports roles can be set to any or a combination of the following: To provide increased security by setting the access level for the GUI and Reports roles. See chapter 36 for more information about user accounts and roles.
Subscriber Network Admin (only GUI role) AppsDevices (only Reports role) Anomaly Demo
The Demo role is not for standard operations, but it can be used for demonstrations to hide sensitive information, such as APNs, realms, or subscriber IDs. The CLI role is unchanged. Timeout for GUI and Web sessions Supports the idleTimeout CLI command that sets a timeout for user sessions after a specified period of inactivity To configure an idle timeout. See Procedure 36-14 for information about how to set the idle timeout.
(2 of 6)
11-3
Feature CDMA device reporting CDMA device reporting
Description
Use
Supports reporting for specific CDMA device manufacturer and model type, which are based on the input that is entered from the service provider device or subscriber database. The CDMAdeviceMode CLI command is used to configure the mode for the system. Only one mode can be supported at a time. The modes are:
To provide device-related information for CDMA networks. See Table 14-8 for more information about the CDMAdeviceMode CLI command.
manufacturerOnly ranges list
For UMTS/3GPP based devices, the manufacturer and model type identification is always supported, regardless of the CDMA device setting. Subscriber session timeout Subscriber session timeout Performance KPI TCP Downlink Saturated Throughput performance KPI Supports the TCP Downlink Saturated Throughput performance KPI. The saturated throughput KPI measures only the flows that have saturated TCP or that have passed the typical TCP slow start phase. This KPI appears in mobile flow and dashboard elements, and it is a parameter that can be used for plotting in web reports. To provide an accurate measurement of the network capacity. See the following for more information: Supports a subscriber session timeout for sessions that have not sent or received data in two weeks To provide protection against traffic feed issues or a lost RADIUS or signaling message.
Tables 27-4, 29-8, 29-9 Sessions and performance parameters for network element reports in section 31.4 Parameters overview for subscriber reports in section 31.7
Trend alerts Trend alert enhancements Support the configuration of an alert that is generated when a load parameter for a specific NE deviates from the past history, as determined by the 9900 WNG To improve the accuracy of trends for specific load parameters which deviate from past history. See Table 14-8 for descriptions of pattern CLI commands. See section 22.3 for information about how to view trend alerts.
Network hops and path tracking Increase number of network hops tracked by the 9900 WNG Detector Supports the following number of hops that are tracked by the 9900 WNG Detector:
60 000 RNC-Cell hops 7500 SGSN-RNC hops (UMTS) 7500 PDSN-RNC hops (CDMA) 1500 GGSN-SGSN hops (UMTS) 1500 HA-PDSN hops (CDMS)
RNC-Cell hops include 2.5G RNC equivalents (BSC- or MSC-based) and 3G RNC. The number of hops can by modified based on your operational needs. Contact your Alcatel-Lucent technical support representative. (3 of 6)
11-4
Feature
Description
Use
Application mapping tables Application mapping tables Supports additional default application mappings to identify highly accessed URLs, such as Google, Facebook, and Yahoo. To reduce effort for configuring the application map table. See Adding entries to the application map table in section 12.3 for information about how to update the application mapping table for Internet websites.
GUI Provider parameter for the Roaming report Supports the Provider parameter for HA, PDSN, GGSN, and SGSN NEs in the NE tables, which are automatically populated based on a list of known IP addresses that are used by service providers. You can also manually enter IP addresses for the Provider parameter, as previously supported. Supports audit logging of the following reports that are run from the GUI: To automatically display the provider name in the Roaming report for the HA, PDSN GGSN, and SGSN NEs. See Tables 24-1, 24-2, 24-5, and 24-6 and Roaming traffic report in section 31.2 for more information. To use the show log gui CLI command to display information about the report input parameter, the user that runs the report, and the execution time. See chapters 25, 27, 29 for more information about the supported reports. See show log gui in section 37.2 fore more information. To change the start and end times for the Network Element Forensic report so that the report can be run in shorter intervals, without manually entering start and stop times. See Procedure 25-1 for more information about how to configure and generate a network forensic report. Anomaly History reports System Event History reports Export to file for Subscriber reports Quicker display of the Overall Network Topology Graph Plotting the performance KPIs in the Dashboard view CDMA device information JRE 1.6 versions Enhancements to the Anomaly History view, which displays the results of queries about anomaly and performance events Enhancements to the System Events History, which displays the results of queries about system events Supports the export of path information To display several history query results in multiple tabs. See section 22.4 for more information. To display several system history query results in multiple tabs. See section 26.4 for more information. To export flow, session, and path data. See sections 29.10 and 29.11 for more information. Improved response times for displaying the Overall Network Topology Graph and other reporting performance improvements Supports plotting the performance KPIs, such as Downlink TCP throughput, RTT, and Packet Loss Supports additional CDMA device information, such as manufacturer and model information Supports all JRE 1.6 versions, with the exception of using the GUI CLI with the Chinese language on the end-user computer, which requires JRE 1.6 version 19 or later.
Logging of GUI reports

Start and stop times for the Network Element Forensic report
Network Element Report and Network Hop Report that are accessed from the Network Forensic Report view Mobile Flow query Subscriber Report
Supports the setting of start and stop times for the Network Element Forensic report by zooming an area on the report plot output
To plot almost real-time performance KPIs in the Dashboard view. See Table 21-3 for more information. To display device and manufacturing data. See section 31.9 for more information.
(4 of 6)
11-5
Feature Chinese and Spanish languages
Description Supports the Chinese and Spanish languages on the GUI. You can customize and import from the CLI a new language resource file on the 9900 WNG Central. Supports the Saturated Throughput measure on the Mobile Flow details performance tab
Use To change the language of the GUI. See section 16.5 for more information.
Saturated Throughput measure
To display the Saturated Throughput measure. See Table 27-4 for more information.
Subscriber and VIP group reporting Subscriber and VIP group reporting Supports groups of IMSI/NAI that represent subscribers. You can create the groups using the subscriberGroup import CLI command or the Group Manager interface. Supports subscriber groups as a filter on the following reports: To filter groups in some subscriber reports. See chapter 32 for more information about the Group Manager interface and Table 14-8 for information about the subscriberGroup CLI command. To configure a filter to display a report about a group of subscribers. See Tables 31-40, 31-41, and 31-43 for more information.
Subscriber group filter

Web-based Group Manager interface
Subscriber Cumulative Distribution Subscriber Top Mobiles (single day, multiple parameter) Devices Performance KPI by Manufacturer/Model
Supports a web-based Group Manager interface from the 9900 WNG Central webpage to:
To decrease effort for reporting information about subscribers. See chapter 32 for more information.

Web reports Realm/APN reports
create subscriber groups search for subscribers groups view or modify subscribers groups
Supports the Realm/APN comparison table which collects the data that is associated with UMTS APNs or CDMA realms, and displays the information in one table. The Realm/APN resource breakdown pie charts indicate the relative usage across the top Realm/APNs. Supports additional Network Element reports in the main reporting web interface. The reports are:
To report information about APNs/realms. See Realm/APN comparison table report in section 31.7 for more information.
Additional Network Element reports
Network Element Comparison tables for the Cell, RNC, SGSN, or GGSN/HA NEs in UMTS networks and Cell, RNC, PDSN, or HA NEs for CDMA networks Multi-Element Comparison tables for the Cell, RNC, SGSN, or GGSN NEs in UMTS networks, and Cell, RNC, PDSN, or HA NEs in CDMA networks Cell Cumulative distribution function tables for traffic and session/performance for UMTS networks, and traffic and session/performance for CDMA networks
To display all of the data that is associated with one or more NEs. You can use the exported data for additional analysis. See Network elements reports in chapter 31 for more information.
NE Comparison Table
Supports an NE Comparison Table that has one row per NE. The table can be sorted by a specific parameter. Separate tables are provided for Cell, RNC, SGSN/PDSN, and GGSN/HA NEs. Supports the Multi-Element Time Trend table that collects the hourly data for several NEs in one table. You can use an input parameter to report information for the entire day or specific hours.
To display information about multiple NEs for comparison purposes. See Network elements reports in chapter 31 for more information. To display information for multiple NEs in one time-trend table. See Network elements reports in chapter 31 for more information.
Multi-Element Time Trend table
(5 of 6)
11-6
Feature Subscriber group reports
Description Supports Subscriber group reports
Use To report information about subscriber groups. See Procedures 32-1 to 32-4 for more information.
Browser-based reports interface Filtering using wildcards Supports the percentage sign (%) as a wildcard character in the Mobile ID/IMSI filter in the following reports: To expand searches using a wildcard character. See Table 31-40 and Table 31-44 for more information. To plot Hop reports for a configurable interval. See Time Resolution in section 31.5 for information about how to set the plotting interval. Decimal values to identify cells Supports specifying the MCC, MNC, LAC and CID for UMTS cells, or the SID, NID, and CID for CDMA cells using decimal values in the following reports: To provide decimals values as filter criteria for CDMA and UMTS cells. See Tables 31-11, 31-12, and 31-15 to 31-20 for more information.

Hop report plotting increments
Overall subscriber cumulative distribution Top mobiles
Supports the plotting of hop reports in daily, hourly, and minute increments

2.5G, 3G, and 4G access filtering Top Applications report
Cell Cell Cell Cell Cell Cell Cell Cell
comparison table (CDMA) comparison table (UMTS) multi-element time-trend table (CDMA) multi-element time-trend table (UMTS) cumulative dist. (CDMA; traffic) cumulative dist. (CDMA; session & perf) cumulative dist. (UMTS; traffic) cumulative dist. (UMTS; session & perf)
Supports filtering by 2.5G, 3G, and 4G access on the Overall subscriber cumulative distribution report. The4G LTE is not supported. The Top Applications web report provides information about all of the configured applications and the top unconfigured applications. The report is based on an application category.
To filter by 2.5G, 3G, and 4G access. See Table 31-40 for more information. To display the number of subscribers for configured applications, regardless of whether the applications are on the Top Application list. See Top applications reports in section 31.8 for more information.
Reports performance improvements
Multiple performance improvements for the reports interface; for example, device reporting results are displayed faster than in previous releases
Motive customer care API Web services-based Motive customer care API Provides the interface with the Alcatel-Lucent Motive customer care product. The information that can be retrieved using the API includes: To allow customer care technicians to access specific usage data for the subscribers that require assistance. See chapter 20 for more information.

(6 of 6)
overall data usage device types used anomaly events which may have affected the subscriber specific application usage whether the subscriber had accessed an area of the network that was experiencing network congestion
11-7
11-8
Configuration procedures
12-1
12.1 Optional configuration procedures overview
12-2 12-2
12.2 9900 WNG Detector optional configuration procedures 12.3 9900 WNG Central optional configuration tasks 12-16
12-1
12.1
Optional configuration procedures overview

Optional configuration procedures are the tasks that you can choose to perform to modify the defaults of some parameters or if you need to change settings to achieve desired operation of the system or outputs. See chapter 7 for the mandatory configuration procedures that you must perform.
12.2
9900 WNG Detector optional configuration procedures

Table 12-1 lists the tasks that you can perform for the 9900 WNG Detector.
Table 12-1 9900 WNG Detector optional configuration tasks
Task To specify the 9900 WNG Detector deployment mode To configure an RNC load threshold To configure RNC-to-PCF IP address mapping To configure RNC-to-SAI mapping To specify the mobile IP address range To modify the anomaly event throttle rate To add subnets to a whitelist To modify the mobile dormancy timeout value To include, exclude, clear, and show VLAN IDs to process To disable the reporting of an anomaly event To specify the intensity level for a reported anomaly event To add a 9900 WNG Detector To copy 9900 WNG Detector configuration files to another 9900 WNG Detector To delete a 9900 WNG Detector See Procedure 12-1 12-2 12-3 12-4 12-5 12-6 12-7 12-8 12-9 12-10 12-11 12-12 12-13 12-14
Specifying the 9900 WNG Detector deployment mode

The deploymentMode CLI command specifies the 9900 WNG Detector deployment mode. By default, the system auto detects Mobile IP address ranges from RADIUS accounting records. The autodetectMobilesfromAAA CLI command enables and disables the auto detection of IP address ranges. When the deployment mode is set to SimpleIPOnly, you can specify the range of mobile IP addresses. When the deployment mode is MobileIPOnly or simpleIPandMobileIP, the system automatically obtains the home agent IP address from the mobile IP. Perform Procedure 12-1 to specify whether the 9900 WNG Detector device analyzes mobile IP traffic, simple IP traffic, or both. By default, the 9900 WNG Detector analyzes mobile IP traffic only.
Procedure 12-1 To specify the 9900 WNG Detector deployment mode

This procedure is typically performed during initial installation. 1 Log in to the CLI with the admin privilege by performing one of the following: a b c 2 3 SSH, as described in Procedure 14-1 or 14-2 Console login LMT
Log in to the 9900 WNG Detector, as described in Procedure 14-3. Specify the deployment mode by typing:
deploymentmode option
where option is one of the command line options that is described in Table 12-2
Table 12-2 deploymentMode command options

Option MobileIPOnly (default) Description The 9900 WNG Detector analyzes the Bearer Mobile IP traffic in IP-IP tunnels only. The 9900 WNG Detector ignores simple IP packets, except mobile IP signaling and RADIUS AAA packets. With this setting, the 9900 WNG Detector auto-discovers HAs, PDSNs, SGSNs, GGSNs, and mobile IP address ranges. SimpleIPOnly The 9900 WNG Detector analyzes the Simple IP packets only, and ignores IP-IP tunneled packets and MobileIP signaling. Typically used for backward compatibility with older devices deployed in the field. The 9900 WNG Detector analyzes IP-IP tunneled packets and SimpleIP packets.
simpleIPandMobileIP
Display the deployment mode setting by typing:

show deploymentMode
Configuring the RNC load threshold

Perform Procedure 12-2 to configure different RNC load thresholds to match varying capacity of different deployed RNCs in the network.
12-3
Procedure 12-2 To configure an RNC load threshold

Note The RNC load threshold attributes are set to the default values when you provision RNC using the rncPcfMap (for CDMA RNC) or rncSaiMap (for UMTS RNC) CLI commands. The global default can be retrieved using the show detectionThresholds rncOverload command. This command allows service providers to tune the threshold value for RNCs depending on the RNC capacity.
1 Log in to the CLI with the admin privilege by performing one of the following: a b c 2 3 SSH, as described in Procedure 14-1 or 14-2. Console login LMT
Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Configure the RNC load threshold value by typing:
rncLoadThreshold set rnc_ID value1 value2 ... valueN
where rnc_ID is the RNC identifier that is used in reports and the RMS GUI value1 is an integer value between 0 and 10 000 000 value2 to valueN are optional, additional integer values between 0 and 10 000 000
4 5
Repeat step 3 to configure additional RNC threshold values, as required. Display the RNC load threshold settings by typing:
show rncLoadThreshold all
Configuring CDMA RNC-to-PCF IP address mapping

The mapping of the PCF IP addresses to RNC elements enables the 9900 WNG to report information for each RNC. PCF IP addresses are derived from RADIUS accounting records. The 9900 WNG uses the mapping to identify the signaling load for each RNC without requiring a physical connection to an RNC, which allows for multi-vendor operation. The performance data from an RNC is used to report RNC overload anomaly events. Perform Procedure 12-3 to map a CDMA RNC element to one or more PCF IP addresses. The RNC-to-PCF mapping allows you to identify a particular RNC, given the PCF IP address obtained from AAA accounting records.
12-4
Procedure 12-3 To configure RNC-to-PCF IP address mapping

Note 1 This procedure is optional, but is highly recommended by Alcatel-Lucent. Note 2 You cannot map the same PCF IP address to two different RNC
IDs. 1 Log in to the CLI with the admin privilege by performing one of the following: a b c 2 3 SSH, as described in Procedure 14-1 or 14-2 Console login LMT
Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Perform one of the following: a Enter multiple IP addresses in a single command by typing:
rncPcfMap addlist RNC_ID IP_address
where RNC_ID is the RNC identifier to which you need to map IP addresses, and IP_address is a list of IP addresses separated by spaces. For example, 100.1.1.1 100.2.2.2.
Enter IP addresses using prompts by typing:

rncPcfMap add RNC_ID
where RNC_ID is the RNC identifier to which you need to map IP addresses.
You are prompted to enter IP addresses. When you are finished entering addresses, press on a blank line. 4 Display the RNC-to-PCF mapping entries by typing:
show rncPCFmap all
Configuring UMTS RNC-to-SAI mapping

The mapping of the SAI to RNC elements enables the system to report traffic for each RNC. SAI mappings are derived from RADIUS accounting records. The 9900 WNG uses the mapping to identify the signaling load on each RNC without requiring a physical connection to an RNC, which allows for multi-vendor operation. The performance data from an RNC is used to report RNC overload anomaly events. Perform Procedure 12-4 to map a UMTS RNC element to one or more SAIs. A SAI is used to identify an area that consists of one or more cells that belong to the same Location Area. The RNC-to-SAI mapping identifies a specific RNC, given the SAI is obtained from AAA accounting records.
Procedure 12-4 To configure RNC-to-SAI mapping

Note This procedure is optional, but is highly recommended by Alcatel-Lucent. If the RNC is not mapped to one or more SAIs using this procedure, GUI pages, real time traffic patterns, in progress sessions, and UMTS RNC-related reports for the UMTS RNCs cannot be displayed.
1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Perform one of the following: a b 4 Go to step 4 to map an SAI to an RNC ID. Go to step 5 to map multiple SAIs an RNC ID. You cannot specify the same SAI IP address to two different RNC IDs.
Map an SAI to an RNC ID by typing:

rncSaiMap add rncID
where rncID the RNC identifier string, which identifies the RNC in reports and in the GUI
You are prompted to add additional SAI mappings. The following is an example:
rncSaiMap add rnc_801 Add Sai Address:1234567890abc0 Add Sai Address:1234567890abcd Add Sai Address: OK.
Go to step 6. 5 Map multiple SAIs to an RNC ID by typing:

rncSaiMap addlist rncID saiIP1 ... saiIPx
where rncID is the RNC identifier string, which identifies the RNC in reports and in the GUI saiIP1 to saiIPx are 14 character hexidecimal strings, seperated by a space
The following is an example:

rncSaiMap addList rnc801 1234567890abc0
Verify the RNC-to-SAI mapping entries by typing:

show rncSaiMap all
The following is an example of the information that appears:

RNC 801
12-6
1234567890abc0 1234567890abcd RNC myRNC_name_is_IH_UMTS_LAB_RNCID_532AAAAAAAAAAAAAAA
Specifying the mobile IP address range

You use the mobileIPsubnets CLI command to specify the range of IP addresses for a mobile device. Perform Procedure 12-5 to specify the range of IP addresses for mobile devices. Alcatel-Lucent recommends that you perform this procedure when the 9900 WNG Detector deployment mode is set to SimpleIPonly, as described in Procedure 12-1.
Procedure 12-5 To specify the mobile IP address range

1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Perform one of the following: a b 4 Go to step 4 to specify an IP address for the mobile device. Go to step 5 to specify multiple IP address for the mobile device.
Specify an IP address for the mobile device by typing:

mobileIPSubnets add
You are prompted to enter an IP address. The following is an example:

Add subnet: 1.1.1.1/24 Add subnet: 2.2.2.2/24 Add subnet: OK.
Go to step 6. 5 Specify multiple IP address for the mobile device by typing:

mobileIPSubnets addlist IPaddress1 IPaddress2 ... IPaddressx
where IPaddress1 to IPaddressx are the list of IP address
12-7

mobileIPSubnets addlist 1.1.1.1/24, 2.2.2.2/24
Verify the mobile IP address entries by typing:

show mobileIPSubnets
The mobile IP addresses appear.
Modifying the anomaly event throttle rate

Perform Procedure 12-6 to modify the maximum rate at which a 9900 WNG Detector sends anomaly events to the 9900 WNG Central. By default, anomaly events are throttled to the 9900 WNG Central at a maximum rate of 10 000 Kbytes/s.
Procedure 12-6 To modify the anomaly event throttle rate

1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Modify the event rate by typing:
eventrate anomalyEvents rate
where rate is an integer, in kb/s
Verify the new event rate setting by typing:

show eventrate anomalyEvents

Anomaly Events will be throttled to Central at a maximum rate of 10000 KBytes/sec.
Adding subnets to a whitelist

You use the whitelist CLI command to add subnets to the whitelist. The 9900 WNG ignores traffic from subnets that are in the whitelist. Anomaly events are not generated for subnets that are in the whitelist. You can use CLI commands to delete subnets from or to clear the whitelist. Perform Procedure 12-7 to specify the subnets that are included in the whitelist.
Procedure 12-7 To add subnets to a whitelist

1 2
12-8
Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3.
Perform one of the following: a b Go to step 4 to add one subnet to the whitelist. Go to step 5 to add multiple subnets to the whitelist.
Add a subnet to the whitelist by typing:

whitelist add
You are prompted to add subnets. The following is an example of the information that is displayed.
Add subnet: 1.1.1.1/24 Add subnet: successfully added subnet(s)
Go to step 6. 5 Add multiple subnets to the whitelist by typing:

whitelist addList subnet1 subnet2...subnetx
where subnet1 to subnetx are the subnets to add to the whitelist. Use a space to separate the subnets.

whitelist addList 1.1.1.1/24, 2.2.2.2/24 successfully added subnet(s)
Verify the subnets in the whitelist by typing:

show whitelist

2 whiteListedSubnets 1.1.1.1/24 2.2.2.2/24
Modifying the mobile dormancy timeout value

Perform Procedure 12-8 to specify the mobile dormancy timeout value, in s. By default, the mobile dormancy value is set to 5 s.
12-9
Procedure 12-8 To modify the mobile dormancy timeout value

1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Specify a mobile dormancy value by typing:
dormancy timeout
where timeout is a value from 0 to 1000 s. The default is 5.
Verify the mobile dormancy timeout setting by typing:

show dormancy
The following example shows a mobile dormancy timeout of 10 s:

mobileDormTimeout = 10
Specifying the VLANs from which packets are captured

Perform Procedure 12-9 to specify the VLANs from which a 9900 WNG Detector captures packets to process. You can configure a 9900 WNG Detector to process packets only from a specified VLAN or to process all packets, except the packets from specified VLANs. By default, a 9900 WNG Detector analyzes packets from all VLANs.
Procedure 12-9 To include, exclude, clear, and show VLAN IDs to process
1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Perform one of the following: a b c d 4 Go to step 4 to include VLAN IDs. Go to step 5 to exclude VLAN IDs. Go to step 6 to show VLAN IDs. Go to step 7 to clear VLAN IDs.
Specify the VLAN IDs that the 9900 WNG Detector captures packets for by typing:
captureVLAN include vlan1 vlan2 ... vlanN
where vlan1 to vlanN are VLAN IDs from 0 to 4095
In the following example, the first command configures Detector99 to process only packets from VLAN IDs 15 and 95. The second command verifies the settings.
detector:detector99# captureVLAN include 15 95
12-10
Packets will only be processed from VLANs: 15 95 detector:detector99# show captureVLAN captureVLAN include 15 95
Specify the VLAN IDs that the 9900 WNG Detector does not captures packets for by typing:
captureVLAN exclude vlan1 vlan2 ... vlanN
where vlan1 to vlanN are VLAN IDs from 0 to 4095
In the following example, the first command configures Detector99 to ignore packets from VLAN ID 101:
captureVLAN exclude 101 All packets will be processed except from VLANs: 101
Display the captured packets by typing:

show captureVLAN
The following shows the information that appears.

captureVLAN exclude 101
Clear all settings and configure the 9900 WNG Detector to process packets from all VLAN IDs by typing:
captureVLAN clear
The following example clears all settings and configures Detector99 to process packets from all VLANs:
detector: detector99# captureVLAN clear No VLAN filtering will be done, all packets will be processed
Disabling the reporting of specific anomaly events

Perform Procedure 12-10 to disable the reporting of specific anomaly events.
Procedure 12-10 To disable the reporting of an anomaly event

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3.
12-11
Disable the reporting of a specific event by typing:

anomalyEventmask event_type off
where event_type is one of the following values: all, alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, sigAttackSingleSrc, routerDiscoveryAbuse, or unwantedSrc.
The following example disables event generation for always active event:
anomalyEventMask alwaysActive off Event type AlwaysActive is disabled.
Verify the anomaly event mask settings by typing:

show anomalyEventmask all
The following example shows the information that appears.

sigAttackSingleSrc threshold 0 rncOverload threshold 0 batteryAttackSingleSrc threshold 0 portScanVert threshold 0 portScanHoriz threshold 0 alwaysActive threshold 0 highUsage threshold 0 unwantedSrc threshold 0 p2pMobile threshold 0 batteryAttackDistributed threshold 0 floodMobileSingleSrc threshold 0 floodMobileDistributed threshold 0 highSignalingSubscriber threshold 0 routerDiscoveryAbuse threshold 0
Specifying the intensity level for reporting anomaly events

Perform Procedure 12-11 to specify the intensity level at which a 9900 WNG Detector reports an anomaly event. By default, the system reports anomaly events with intensity level greater than 0.
12-12
Procedure 12-11 To specify the intensity level for a reported anomaly event
1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector remotely, as described in Procedure 14-3. Specify the intensity at which an anomaly event is reported by typing:
anomalyEventmask event_type intensity
where event_type is one of the following values: all, alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, sigAttackSingleSrc, routerDiscoveryAbuse, or unwantedSrc intensity is a value from 0 to 5
The following example shows how to configure the 9900 WNG Detector to report always-active subscriber events only if the event is at intensity level 2 or higher:
detector99# anomalyEventMask alwaysActive 2 Event type AlwaysActive was previously enabled, however it is now enabled for the event intensity values above 2.
Verify the current settings by typing:

show anomalyEventMask all
The following example shows the information that appears:

sigAttackSingleSrc threshold 0 rncOverload threshold 0 batteryAttackSingleSrc threshold 0 portScanVert threshold 0 portScanHoriz threshold 0 alwaysActive threshold 2 highUsage threshold 0 unwantedSrc threshold 0 p2pMobile threshold 0 batteryAttackDistributed threshold 0 floodMobileSingleSrc threshold 0 floodMobileDistributed threshold 0 highSignalingSubscriber threshold 0
12-13
routerDiscoveryAbuse threshold 0
Adding a detector to a 9900 WNG system

Perform Procedure 12-12 to add a detector to an existing 9900 WNG system.
Procedure 12-12 To add a 9900 WNG Detector

1 2 3 4 Install the 9900 WNG Detector device in an equipment rack, as described in section 4.4. Connect all the necessary cables, as described in section 4.6. Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Add a detector to the 9900 WNG Central by typing:
detector add IP_detector name group
where IP_detector is the IP address of the detector name is the name of the specific 9900 WNG Detector group is the group of the detector
5 6
Configure the management interface and lights-out management interface on the 9900 WNG Detector, as described in Procedure 7-2. Provision NTP on the 9900 WNG Detector by typing:
ntp server add ntp-server
where ntp-server is the IP address of the NTP server
Enable NTP on the 9900 WNG Detector by typing:

ntp enable
If the software repository is on 9900 WNG Central, update the software on the 9900 WNG Detector by typing:
repo enable central
Return to the 9900 WNG Central CLI by typing:

exit
10
Update the 9900 WNG Detector software by typing:

update software detector name
where name is the name of the 9900 WNG Detector for the updated software
12-14
Copying files from a 9900 WNG Detector

Perform Procedure 12-13 to copy configuration files from one 9900 WNG Detector to another 9900 WNG Detector in the same 9900 WNG system (that is, connected to the same 9900 WNG Central). You can use this procedure to simplify the configuration of multiple 9900 WNG Detectors.
Procedure 12-13 To copy 9900 WNG Detector configuration files to another 9900 WNG Detector
1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Copy the 9900 WNG Detector configuration file to another 9900 WNG Detector by typing:
copy detector source destination
where source is the name of a provisioned 9900 WNG Detector from which you are copying configuration files destination is the name of the destination 9900 WNG Detector
Verify that the configuration files have been successfully copied to the destination 9900 WNG Detector by typing:
where detector_name is the name of the destination 9900 WNG Detector for the configuration file
dir

appMapping.xml lastrunning.xml laststartup.xml startup.xml
Deleting a 9900 WNG Detector

Perform Procedure 12-14 to administratively delete a provisioned 9900 WNG Detector.
12-15
Procedure 12-14 To delete a 9900 WNG Detector

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Delete a 9900 WNG Detector by typing:
detector delete detector
where detector is the name of a 9900 WNG Detector
Verify that the 9900 WNG Detector has been deleted by typing:
show detectors
Only the connected and provisioned 9900 WNG Detectors appear.
12.3
9900 WNG Central optional configuration tasks

Table 12-3 lists the tasks that you can perform for the 9900 WNG Central.
Table 12-3 9900 WNG Central optional configuration tasks
Task To upgrade software on the 9900 WNG Central and Detector using the 9900 WNG Central repository To specify the NMS servers and configure SNMPv1/v2c settings To configure SNMPv3 settings To configure SNMP for anomaly, trend, and congestion alerts To configure the application map table To enable the security event manager feed To load a saved login banner To generate and display a public key See Procedure 9-3 19-1 19-2 19-14 12-15 12-16 12-17 12-18
Adding entries to the application map table

The application map table is used to create user-defined application configurations for reporting detailed information for system resources and performance metrics. Each application is identified by an application name. Related applications are grouped by an application category. Resource and performance for the applications appear are displayed in web reports and on the GUI, as described in Table 12-4.
12-16
12 Optional configuration procedures Table 12-4 Location of information from the application map table
Location Web reports Description The Applications report provides application specific information for resources and performance metrics for subscribers, devices, RNCs, and APNs. See section 31.8 for more information. Application information appears in the following:
GUI
Top Applications tabs in the Subscriber report; see section 29.7 Flow/Session tab in the Subscriber report; see section 29.10 Top Applications tab in the Network Forensic report (detailed); see section 25.3 Mobile Flow forensic report; see section 27.1
Built-in Configurations
The 9900 WNG provides built-in configurations that identify the applications. Table 12-5 lists the built-in configurations and their associated category.
Note The applications cannot be removed. However, the applications can be moved to the Other category.
Table 12-5 Built-in Configurations

Built-in configuration BitTorrent Gnutella eDonkey FTP VPN RTSP streaming FTP VPN RTSP streaming Category P2P_MOBILE
Default configurations
The 9900 WNG identifies applications based on a combination of server IP addresses, ports, and protocols. The 9900 WNG provides default configurations for traffic to and popular servers, such as Google, Yahoo, Apple, and Microsoft. Based on the server port, traffic to and from ther servers, the 9900 WNG provides additional classifications for the server. For example, the traffic to and from Google servers on ports 143, 110, 25, and 993 are classified as Gmail. The traffic to and from Apple servers on port 5223 are classified as Apple Push Notification, which is for Apple iPhone devices.
12-17
Procedure 12-15 To configure the application map table

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Add an application to the application map table by typing:
applicationMap add appname appcategory server_IP/server_subnet port/ANY protocol/ANY
where appname is the unique name of an application appcategory is the application category. Application categories are used to group related application names; for example, IMAP, POP3, and SMTP can be classified as e-mail. server_IP/server_subnet port is an IP address or subnet, expressed in the format AAA.BBB.CCC.DDD or AAA.BBB.CCC.DDD/n (a subnet), and each part is a value from 0 to 255 and and n is the number of bits in the network prefix. port is the server port number or use ANY if the port number is not known. protocol is the protocol name or number; for example, TCP or 6. If the protocol is not known, use ANY
Note Application reports can be generated using the appname or appcategory.
Go to step 3 to delete an application from the application map table. Go to step 4 to update an application name or application category from the application mapping by typing Go to step 5 to import multiple applications. 3 Delete an application from the application mapping by typing
applicationMap delete all/appname/appcategory
where all/appname/appcategory is all applications, an application name, or application category
Update an application name or application category from the application map table by typing:
applicationMap update appname/appcategory new_appname/new appcategory
where appname/appcategory is an application name or application category new_appname/appcategory is the new name of the application category
12-18
Import multiple applications by performing one of the following: a Import multiple application configurations from a CSV file using SCP by typing one of the following:
applicationMap import add scp user@host:/path applicationMap import replaceall scp user@host:/path
where user@host:/path is the location of the file in the local or remote host
Import multiple application configurations from a CSV file that is on a USB disk by typing one of the following:
applicationMap import add usb filename applicationMap import replaceall usb filename
where filename is the name of the file on the USB to be imported
Note The CSV files must use the following format:

appname,appcategory,server_ip/subnet,port,protocol
For example, the following commands create a WEB category for all traffic that goes to 2 WAP proxies and to a class C subnet that contains the customer portal web servers, which is accessed through https (port 443) and http (port 80):
applicationmap add wapproxy01 WEB 1.1.144.144 ANY TCP applicationmap add wapproxy02 WEB 1.1.144.145 ANY TCP applicationmap add customerportal WEB 1.1.212.0/24 443 TCP applicationmap add customerportal WEB 1.1.212.0/24 80 TCP
The following are examples of commands to create a Blackberry category for three Blackberry servers:
applicationmap add blackberry01 Blackberry 1.1.1.140 15771 ANY applicationmap add blackberry02 Blackberry 1.1.145.141 15771 ANY applicationmap add blackberry03 Blackberry 1.2.145.142 ANY ANY
Verify the application map entries by typing:

show applicationMap all
The following appears:

appname category server_ip port protocol
------------------------------------------------------------------------
12-19
FTP.inferred VPN rtsp-streaming P2P:Gnutella P2P:Edonkey P2P:Bittorrent
OTHER VPN
ANY ANY
ANY ANY ANY ANY ANY ANY
ANY ANY ANY ANY ANY ANY
RTSP-streaming ANY P2P_MOBILE P2P_MOBILE P2P_MOBILE ANY ANY ANY
See Application configuration priority rules in this section for information about how the 9900 WNG determines which configurations in the application map table to use.
Application configuration priority rules
The following are the rules for configurations in the application map tables: 1 When there are two application configurations with server_ip/subnets, the application configuration that has a more specific network prefix has the higher priority. Using the following two application mappings, appname2 has the higher priority because appname2 has a larger network prefix and any traffic to or from 10.1.1.X maps to appname2. Traffic to or from 10.1.Y.Z is mapped to appname1: appname1 appcategory1 10.1.0.0/16 ANY ANY appname2 appcategory2 10.1.1.0/24 ANY ANY 2 When there are two application mapping with the same server_ip/subnet, but one application mapping uses ANY for a generic port and another application mapping uses a specific port number, the application mapping with the specific port number has a higher priority. Using the following two application mappings, appname3 has the higher priority. All traffic to 10.1.1.X to and from port 80 are mapped to appname3 and traffic to the other ports are mapped to appname2. appname2 appcategory2 10.1.1.0/24 ANY ANY appname3 appcategory2 10.1.1.0/24 80 ANY
Enabling the security event manager feed

Procedure 12-16 describes how to enable the security event manager feed.
12-20
Procedure 12-16 To enable the security event manager feed

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Enable the security manager feed by typing:
securityMgrFeed enable
Loading a saved login banner

Procedure 12-17 describes how to load a saved login banner.
Procedure 12-17 To load a saved login banner

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Perform one of the following: a b 3 Go to step 3 to load the banner from the USB. Go to step 4 to load the banner from the SCP.
Load the banner from the USB by typing:

load banner usb
The banner is loaded from the /banner directory on the USB. 4 Load the banner from the SCP by typing:
load banner scp_location
where scp_location is the location of the SCP
The banner is loaded from the SCP.
Generating a public key

You can use the 9900 WNG CLI to generate and display a public key for your account. You can register your public key with a remote server to validate your login; for example, by adding it to the ~.ssh/authorized_keys file, which eliminates the need to provide a password when you manage files at that location. The tasks you can accomplish using your public key depend on your network configuration and operating systems. Procedure 12-18 describes how to generate and display your public key.
12-21
Procedure 12-18 To generate and display a public key

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Generate a public key for your account by typing:
genPublicKey
Display the public key by typing:

show publickey
Record the public key or copy it to a secure location.
12-22
Internal and external interfaces
13 Interfaces overview 14 CLI 14-1
13-1
15 PC client installation 16 GUI 16-1
15-1
17 9900 WNG Central webpage 18 BMC 19 SNMP 18-1 19-1 20-1
17-1
20 Motive API
13.1 Interfaces overview
13-2 13-3
13.2 Logging in to 9900 WNG interfaces
13-1
13.1
Interfaces overview
Table 13-1 describes the interfaces that can be used to configure, monitor, and control NEs and their managed resources.
Table 13-1 9900 WNG interfaces
Interface Internal Central webpage GUI
Description
See chapter
The 9900 WNG Central webpage and related pages provides access to 9900 WNG reports and to the GUI. The 9900 WNG EMS is a software application that resides on the 9900 WNG Central. The 9900 WNG EMS manages the 9900 WNG components including the 9900 WNG Central itself and the 9900 WNG Detectors. The 9900 WNG GUI is a graphical user interface developed to support all OA&M activities on the 9900 WNG system. The EMS user interface supports fault management, configuration management, performance management, security management, and system administration. 9900 WNG Central displays key information on the GUI in real time.
17 16
CLI External BMC
The CLI provides a text-based command interface for issuing 9900 WNG OA&M commands on 9900 WNG Central and Detector.
14
The 9900 WNG system supports basic BMC functionality, which is a location-independent remote access to the 9900 WNG Central and Detector, to respond to critical incidents and to perform maintenance. Both the 9900 WNG Central and Detector include a hardware module that provides the BMC functionality. The BMC module is independent of the server and it connects to the network on an independent Ethernet connection. If the 9900 WNG Central or Detector is out of service, the module can support remote system operations. You can use the BMC to:
18

SNMP
view the server hardware status from a remote location turn on, turn off, or reset the server from the remote location 19 GET SET TRAP
The 9900 WNG Central supports the following SNMP commands:
All SNMP interactions with the 9900 WNG Detector use the 9900 WNG Central. The 9900 WNG Central supports SNMP version v1, v2c, and c3 and can be configured for any of these versions. The 9900 WNG Central generates SNMP traps to integrate with a northbound network interface management functions from a bidirectional monitoring, control, and management interface. Motive API NMS Motive is an Alcatel-Lucent product that provides a unified care environment for end-to-end visibility of the network with automated problem analysis and resolution. The NMS is a combination of hardware and software used to monitor and administer a network. Network management functions include activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of a network system. The NMS receives SNMP traps from the 9900 WNG Central. 20
Figure 13-1 shows the 9900 WNG components and the associated interfaces.
13-2
13 Interfaces overview Figure 13-1 9900 WNG interfaces
13.2
Logging in to 9900 WNG interfaces

Table 13-2 where to find information about how to log into each interface.
Table 13-2 Logging in procedures for 9900 WNG interface
Interface Central webpage GUI CLI See Procedure 17-1 16-1 14-1 to 14-3
13-3
13-4
14 CLI
14.1 CLI overview
14-2 14-6 14-8
14.2 Logging in to the CLI
14.3 Changing modes and target servers 14.4 CLI command syntax 14.5 CLI navigation tips 14.6 CLI commands 14-12 14-12
14-14
14-1
14 CLI
14.1
CLI overview
The CLI provides a text-based command interface for performing 9900 WNG OA&M commands on the 9900 WNG Central and Detector including:
user administration process management (start, stop,

and restart) backup and restore loading license viewing log file detector configuration parameters
detector detection parameters detector configuration management central configuration software upgrade SNMP configuration report deletion Motive customer care
Accessing the 9900 WNG Central and Detector

You can access the 9900 WNG Central and Detector using the 9900 WNG Central CLI. The privileges for the CLI role are:
sudo admin user

There modes that are used to execute CLI commands are:
user enable sudo

To execute a CLI command, you need the appropriate privilege. Users can switch modes, if their privilege allows switching modes. After you log in to the 9900 WNG Central, you can change your privilege, or move from the 9900 WNG Central to a 9900 WNG Detector in any mode. See Changing modes and target servers in this section for more information. Table 14-1 lists where to find more information about CLI procedures.
Table 14-1 CLI information
For information about Roles Privileges Modes Changing modes Changing target servers CLI prompts (1 of 2) Changing modes and target servers in this section CLI prompts in this section See CLI roles, privileges, and modes in this section
14-2
14 CLI
For information about Log in to the CLI on the 9900 WNG Central Log in to the CLI on the 9900 WNG Detector Change privileges in the CLI Change from the 9900 WNG Central or Detector in the CLI CLI command syntax CLI navigation tips CLI commands (2 of 2)
See Section 14.2
Section 14.3
Section 14.4 Section 14.5 Section 14.6
CLI roles, privileges, and modes

Table 14-2 describes the privileges that can be used in the CLI.
Table 14-2 CLI roles
Privilege sudo Description Access to commands that require the highest level of server privileges, which includes:

admin user reportonly demoony
UNIX type commands shutdown reboot user add, delete, and modify NTP configuration backup, restore, add, or delete a 9900 WNG Detector start, stop, and restart application processes software upgrade commands
Access to the user and enable levels of the CLI, which includes configuration of the 9900 WNG Central and Detector Access to only the user-level CLI commands, which are mainly read-only commands Access to only the change password CLI command. The account in the CLI is used to create the Reports role, which provides access to reports. Access to only the user level CLI commands, which are mainly read-only commands. The GUI does not display IP addresses for the demoonly role.
Table 14-3 lists how each privilege maps to a mode. Your privilege determines the CLI commands that you can execute. See Changing modes and target servers in this section for more information.
Table 14-3 CLI privileges and modes
Privilege Mode sudo sudo (1 of 2) enable admin
14-3
14 CLI
Privilege
Mode sudo enable admin
admin user (2 of 2)
Changing modes and target servers
Each privilege and the mode that is associated with the CLI command determines the CLI commands that you can use. See section 14.6 for information about the CLI commands for each privilege. To navigate to different modes, you need the appropriate privileges, as listed in Table 14-3. A user with the sudo privilege can access all of the modes; a user with the user privilege can access only the user mode. The user cannot move up to the admin or sudo mode. You can only move up or down one mode level at a time, as shown in Figure 14-1. For example, to move from sudo mode to the user mode, you must move from the sudo mode, to the enable mode, and then to the user mode. See Procedure 14-4 for information about how to change modes.
Figure 14-1 Changing modes
Central mode Detector mode
Central enable mode
Detector enable mode
Central mode
Detector mode
21171
You can change from the 9900 WNG Central to a 9900 WNG Detector or change from a 9900 WNG Detector to the 9900 WNG Central. You must use two separate CLI commands to change your mode and target server. Figure 14-2 shows the commands that are required to move between modes and target servers. Table 14-4 lists the modes and whether you can move up or down on the 9900 WNG Central or Detector, if you have the required privilege. The prompts identify your location and mode, as listed in Table 14-5. Table 14-7 lists where to find information about how to change modes and target servers.
14-4
14 CLI Figure 14-2 CLI commands to move between modes and target servers
detector name central> central enable exit detector name central# central sudo exit detector name central:sudo# central
21172
detector:name> enable exit
detector:name# sudo exit
detector:name:sudo
Table 14-4 CLI modes

Mode User Enable Sudo User Down Enable Up Down Sudo Up
CLI prompts
The CLI prompt indicates your privilege level and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5.
Table 14-5 CLI prompts
Account sudo admin user 9900 WNG Central prompt 9900 WNG Detector prompt
central:sudo# central# central>
detector:detector_name:sudo# detector:detector_name# detector:detector_name>
See section 14.3 for information about how to change roles and target servers.
CLI timeout
When you are logged in to 9900 WNG Central or Detector using the CLI, you are logged out from the CLI session after one hour of inactivity. See section 14.2 for information about how to log in to the CLI.
14-5
14 CLI
14.2
Logging in to the CLI

Table 14-6 lists where to find information about how to log in to the CLI on the 9900 WNG Central and Detector.
Table 14-6 CLI log in procedures
To 9900 WNG Central To log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform using SSH To log in to the CLI on the 9900 WNG Central from the GUI 9900 WNG Detector To log in to the CLI on the 9900 WNG Detector 14-3 14-1 14-2 See Procedure
Logging in to the CLI on the 9900 WNG Central

Perform Procedure 14-1 to log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform. To log in to the CLI, you must have a user, admin, or sudo role, and an SSH client. Perform Procedure 14-2 to access the CLI on the 9900 WNG Central using the GUI.
Procedure 14-1 To log in to the CLI on the 9900 WNG Central from a Windows or UNIX platform using SSH
Note To log in to the CLI, you must have a user, admin, or sudo privilege.
Perform one of the following: a To log in from a UNIX platform, open a terminal window and type:
ssh user@hostname
where user is your 9900 WNG username hostname is the host name of the 9900 WNG Central server
The CLI prompt indicates your mode and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5. By default, you are logged in to the 9900 WNG Central with the user mode. Go to step 3. b To log in from a Windows platform, use the information that is included with your SSH client to open a connection to the 9900 WNG Central server. Go to step 2.
Enter your password when prompted.
14-6
14 CLI
Perform one of the following: a b To switch to the enable mode, go to step 4. To switch to the sudo mode, go to step 5.
Change to the enable mode by typing:

enable
Go to step 6. 5 Change to the sudo role by typing:

enable sudo
To display commands that are available for your role, enter a question mark (?). If you have an admin or user role, you can perform higher level roles in the CLI, as described in Procedure 14-4. You can access CLI command on the 9900 WNG Detector, as described in Procedure 14-3.
Procedure 14-2 To log in to the CLI on the 9900 WNG Central from the GUI
Note To log in to the CLI, you need a user account on the 9900 WNG Central.
1 2
Start the 9900 WNG Central GUI from the 9900 WNG Central webpage, as described in Procedure 17-1. The 9900 WNG Central GUI appears. Double-click on CLI from the navigation tree. When you access the CLI from the GUI for the first time, a message warning that the authenticity of the host cannot be established may appear. Click on the Yes button to continue. The CLI window appears. You are logged into the 9900 WNG Central with the user mode. The CLI prompt indicates your mode and whether you are on the 9900 WNG Central or Detector, as listed in Table 14-5. See step 3 in Procedure 14-1 for information about how to access the sudo and admin privileges. If you have an admin or sudo privilege, you can assume higher-level modes on the CLI, as described in section 14.3. To display commands that are available to your role, enter a question mark (?).
Accessing the CLI on the 9900 WNG Detector

Perform Procedure 14-3 to log in to the CLI on the 9900 WNG Detector.
14 CLI
Procedure 14-3 To log in to the CLI on the 9900 WNG Detector

1 2 Log in to the CLI for the 9900 WNG Central, as described in Procedure 14-1 or 14-2. Log in to a 9900 WNG Detector by typing:
where detector_name is the name of a 9900 WNG Detector
14.3
Changing modes and target servers

You can switch modes to move up or down a level or switch from the 9900 WNG Central to a 9900 WNG Detector in any mode. Table 14-7 lists where to find the procedures to change your mode, target server, or your mode and target server.
Table 14-7 Changing modes and target servers procedures
Task To change your mode on the 9900 WNG Central or Detector To change target servers at the same mode To change your mode and target server See Procedure 14-4 14-5 14-6
Procedure 14-4 To change your mode on the 9900 WNG Central or Detector
See Table 14-4 for the mode levels and whether you can move up or down a level. 1 2 Log in to the 9900 WNG Central, as described in Procedure 14-1 or 14-2. Perform one of the following: a b c Go to step 3 to change from the user to the sudo mode on the 9900 WNG Central. Go to step 4 to change from the user to the sudo mode on a 9900 WNG Detector. Go to step 5 to change from the sudo to the user mode on the 9900 WNG Central, change from the sudo to the user mode on a 9900 WNG Detector, or move to the mode one level down from your current mode.
Change from the user to the enable mode on the 9900 WNG Central by typing:
enable sudo
The following prompt appears:
14-8
14 CLI
central:sudo#
Go to step 5. 4 Change from the user to the enable mode on the 9900 WNG Detector by typing:
enable sudo
The following prompt appears:

detector:detector_name:sudo#
Go to step 5. 5 To move to the mode one level down from your current mode, type:
exit
The following is an example of how to change from the sudo mode to the user mode on the 9900 WNG Central:
Central:sudo# exit Central# exit Central>
The following is an example of how to change from the sudo mode to the user mode on the 9900 WNG Detector:
detector:detector_name:sudo# exit detector:detector_name# exit detector:detector_name>
Procedure 14-5 To change target servers at the same mode

1 2 Log in to the 9900 WNG Central, as described in Procedure 14-1 or 14-2. Perform one of the following: a b Go to step 3 to change from the 9900 WNG Central to a 9900 WNG Detector. Go to step 4 to change from the 9900 WNG Detector to a 9900 WNG Central.
14-9
14 CLI
Change from the 9900 WNG Central to a 9900 WNG Detector at the same mode by typing:
where detector_name is the name of the 9900 WNG Detector that you need to access
Change from the 9900 WNG Detector to a 9900 WNG Central at the same role level by typing:
central
Procedure 14-6 To change your mode and target server

1 2 Log in to the 9900 WNG Central, as described in Procedure 14-1 or 14-2. Perform one of the following: a b 3 Go to step 3 to change from the 9900 WNG Central to a 9900 WNG Detector in a different mode. Go to step 4 to change from a 9900 WNG Detector to a 9900 WNG Central in a different mode.
Change from the 9900 WNG Central to a 9900 WNG Detector at a different mode by performing one of the following: a Change to the mode that you need on the 9900 WNG Central and then change to the 9900 WNG Detector by typing:
where detector_name is the name of the 9900 WNG Detector
The prompt that appears depends on your mode; see Table 14-5. The following is an example of switching from the sudo mode on the 9900 WNG Central to the user mode on the 9900 WNG Detector:
central:sudo# exit central# exit central> detector detector_name detector:detector_name>
Change to the 9900 WNG Detector and then the mode that you need on the 9900 WNG Detector by typing:
14-10
14 CLI
The following is an example of switching from the sudo mode on the 9900 WNG Central to the user mode on the 9900 WNG Detector:
central:sudo# detector detector_name detector:detector_name:sudo# exit detector:detector_name# exit detector:detector_name>
Change from a 9900 WNG Detector to the 9900 WNG Central in a mode by performing one of the following: a Change to the mode that you need on the 9900 WNG Detector and then change to the 9900 WNG Central by typing:
central
The prompt that appears depends on your mode; see Table 14-5. The following is an example of switching from the user mode on the 9900 WNG Detector to the sudo mode on the 9900 WNG Central.
detector:detector_name> enable detector:detector_name# sudo detector:detector_name:sudo# central central:sudo#
Change to the 9900 WNG Central by typing:

central
Change to the mode that you need on the 9900 WNG Central. The following is an example of switching from the user mode on the 9900 WNG Detector to the sudo mode on the 9900 WNG Central:
detector:detector_name> central central> enable central# sudo central:sudo#
14-11
14 CLI
14.4
CLI command syntax

The following conventions are used to describe the syntax of the CLI commands:
Parameters appear in italics and represent one or more additional inputs that must
be included in the command. Commands are listed alphabetically in a table.
Braces {} enclose two or more choices that are separated by the pipe symbol (|).
Enter only one of the choices as part of the command. Choices can include parameters. Brackets [] enclose optional input. Optional input can include parameters and choices. If brackets [] enclose two or more words that are separated by the pipe symbol (|), the input is optional and you enter only one of the choices as part of the command. The following is an example of the user add syntax: user add id password [cli role] [firstname] [lastname]
14.5
CLI navigation tips

This section describes navigation tips and shortcuts that you can use when you are using the CLI.
Displaying available commands

To display the commands that are available to your login account when you logged into 9900 WNG Central or Detector, enter ?. The following example shows the commands available for the admin login account on 9900 WNG Central:
central> # detector enable exit history comment enter into detector mode enter privileged mode logs out of CLI display the current session's command line history logout paging ping show user logout of the command line interface paging settings four ICMP pings system information change password of current user
14-12
14 CLI
central# ? # applicationMap copy detector disable exit history history load logout paging ping securityMgrFeed show snmpAgent sudo user comment application Mapping copy command enter into detector mode disabled view exit this level display the current session's command line load command logout of the command line interface paging settings four ICMP pings security Event Manager Enabling/ Disabling system information snmp agent settings enter the root mode change password of current user
Using shortcuts
When you enter a command, you can type just enough characters to specify a unique string. The system fills in the rest of the name automatically. For example, to enter the history command, you only need to type h and then press the Enter key: central# h 1 2 3 enable sudo history
The shortcut applies only to command names and arguments; it does not apply to created variables, such as detector names, IP addresses, or accounts.
14-13
14 CLI
Command completion
You can enter a unique string from the name of the command, then press the Tab key and the system completes the command name or argument. The following example shows how the system completes the command when you enter rnc and then press the Tab key: detector: central# rncP + Tab key detector: central# rncPcfMap When you press Enter, the system displays the options for the rncPcfMap command
detector:detector99# rncPcfMap add addList clear delete deleteList
Scrolling through commands

You can use the up and down arrow keys on your keyboard to display previously entered commands. To reenter a command that you have previously entered, press the Enter key.
Paging through the CLI output

By default, paging is enabled on the CLI. When the output of a command spans several pages, you can press the space bar on the keyboard to display the next page. If paging is disabled on your system, you can enable it on 9900 WNG Central by typing the following command:
central# paging enable
You can disable the paging command by typing:

paging disable
14.6
CLI commands
Table 14-8 lists the 9900 WNG CLI commands, their associated privilege, and how to use them. See Table 9-2 for CLI upgrade commands, See section 14.4 about command syntax.
Table 14-8 CLI commands
Command
Privilege Detector admin sudo user Central admin sudo user
Description
See
# comment (1 of 24)
Enter a comment after the #
14-14
14 CLI
Command
Description
See
anomalyEventmask anomalyEventType intensity
Sets the intensity for the specific anomaly event. The values for intensity are 0 to 5. The list of anomalyEventType is:
Procedure 12-11
all (used to set the intensity setting for all the anomaly events) alwaysActive batteryAttackDistributed batteryAttackSingleSrc floodMobileDistributed floodMobileSingleSrc highSignalingSubscriber p2pMobile portScanHoriz portScanVert rncOverload routerDiscoveryAbuse sigAttackSingleSrc unwantedSrc
See Procedure for more information about how to set the intensity for the specific anomaly event. api add subnet <subnet> api add user <id> <password> api delete subnet <subnet> api delete user <id> api deleteList subnet applicationmap add appname category server_ip port protocol applicationmap delete all applicationmap delete appname appname applicationmap delete category category applicationMap push (2 of 24) Adds subnets for Motive API access Adds Motive API users Deletes the Motive API subnet Deletes Motive API users Deletes the list of Motive API subnets Adds a new application mapping Procedure 20-4 Procedure 20-1 Procedure 20-5 Procedure 20-2 Procedure 20-5 Procedure 12-15
Interactively selects and deletes the application mapping entries Deletes the application mapping for a specific application name Interactively selects and deletes the application mapping entries in a specific category Sends the current application mapping settings to all of the 9900 WNG Detectors
Procedure 12-15 Procedure 12-15
14-15
14 CLI
Command
Description
See
applicationmap import import {add | replaceAll} {usb | scp} source
Uploads the application mappings in bulk from a file add option adds application mappings without changing the existing mappings replaceAll removes all of the existing mappings and adds the mappings that are in the file source defines the file containing the application mapping records. The file can be imported through scp or usb. The imported file is parsed before the mappings are loaded in the system and if it has syntax errors, out of range/invalid data, duplicate records, appnames or {serverIP, port, protocol} combinations, an error message is generated and the command exits without adding any mapping. The file is in the CSV format.
Procedure 12-15
applicationmap update category curappname category autoDetectMobilesFrom AAA [enable | disable] backhaulTracking clear backup [all|config|security|db|lo gs|reports|license] [usb|scp location]
Changes the category setting for an existing application map entry Enables or disables the autoDetectMobilesFromAAA
Procedure 39-1
Resets the peak backhaul number Backs up the 9900 WNG Central, which includes the following:
configuration files security files database logs reports license files Procedure 39-5 Procedure 39-2 Procedure 12-9 Procedure 12-9
backup detector detector-id backup incremental {scp <location> | usb} captureFilter expression expression captureVLAN clear captureVLAN exclude vland1 vlan2 ... vlanN captureVLAN include vland1 vlan2 ... vlanN
Backs up a specific 9900 WNG Detector Creates incremental backups in a specified location Sets the expression to filter capture packets Clears the VLAN Sets the list of VLAN IDs that do not have their packets captured vlan1...N = string with maximum 50 characters Sets the list to VLAN IDs that have their packets captured vlan1...N = string with maximum 50 characters
Procedure 12-9
(3 of 24)
14-16
14 CLI
Command
Description
See
CDMAdeviceMode { manufacturerOnly | ranges | list}
Specifies the CDMA device mode. The options are:
manufacturerOnlythe exact model of CDMA device cannot be determined rangesrequires an import of MEID/ESN and the manufacturer and model for each range block. The same manufacturer and model device type may contain several blocks. The pESN resolution cannot be displayed. listrequires an import of each instance of device that contains a mapping of ESN or MEID to the manufacturer and model. The known subscriber NAI for the device can be optionally imported for resolving pESN hash conflicts for improved accuracy of pESN reporting. The list may also optionally contain the following: Device Category, such as Data Card, Smartphone, or WAP phone Device OS, such as Blackberry, Android, AppleOS, Symbian, or PalmOS
The Device Category and Device OS values can be determined by the service provider. clearBatchDBcounts clearDroppedPacketCount clearMaxSubscriberSessio nCount copy Resets failure counts Clears the dropped packet count that is kept in the 9900 WNG Detectors Resets the high water mark for the license Saves configuration to a file. The options are: Procedure 12-13

copy detector source destination copyDetectorConfig usb|scp| source (4 of 24)
copy file file1 file2 (copies file1 to file2) copy running to file2 (saves running configuration to file2) copy startup running (loads startup.xml and makes it running configuration) copy startup to file2 (saves startup.xml to file2) Procedure 12-13 Procedure 12-13
Copies a 9900 WNG Detector configuration to another 9900 WNG Detector Copies the configuration file to the 9900 WNG Detector
14-17
14 CLI
Command
Description
See
date date
Sets the system date. date = mmddHHMMCCYY where
mm = minute CC = century YY = year
Example: 070823592008 sets the date to: Tue Jul 8 13:30:00 EDT 2008 DBflushHosts delete config_file_name delete language gui <filename> deploymentMode [SimpleIPOnly | MobileIPOnly | SimpleIPOnlyandMobileIP Only detectionThresholds eventype threshold1 [threshold2] [threshold3] [threshold4] [threshold5] Deletes all of the database host data Deletes a specific configuration file. The startup configuration file cannot be deleted. Deletes the language resource file Sets the deployment mode for the 9900 WNG Detector to SimpleIP, MobileIP , or both Procedure 12-1
Sets the event intensity thresholds values for a specific event type:
alwaysActivepermitted values: 0.0-1.0 batteryAttackSingleSrcpermitted values: 0.0-1.0 batteryAttackDistributedpermitted values: 0.0-1.0 floodMobileDistributedpermitted values: 0.0-1.0 floodMobileSingleSrcpermitted values: 0.0-1.0 highSignalingSubscriberpermitted values: 0..10000 highUsagepermitted values: 0..100000000 p2pMobilepermitted: values 0..1000 portScanHorizpermitted values: 0..1000 portScanVertpermitted values: 0..1000 rncOverloadpermitted values: 0..10000000 routerDiscoveryAbusepermitted values: 0..100 sigAttackSingleSrcpermitted values: 0..1000 unwantedSrcpermitted values: 0..500000000 Procedure 7-4
detector detector add [ipaddress] detectorname detectorgroup (5 of 24)
Starts the CLI for a 9900 WNG Detector Provisions a specific 9900 WNG Detector
14-18
14 CLI
Command
Description
See
detector delete detectorname diff file1 file2
Deletes a specific 9900 WNG Detector Displays the difference between two configuration files.
Procedure 12-14

dir disable dormancy timeout enable eventmask eventype [enable|disable]
diff running startupthe difference between running and startup configuration diff startup lastrunningthe difference between startup and lastrunning configuration diff test1.xml test2.xmlthe difference between test1.xml and text 2.xml Procedure 12-8
Lists the name of the existing configuration file on the 9900 WNG Detector Returns to user mode from privileged mode Sets the Mobile dormancy timeout. The values are 0 to 1000. Enters the privileged mode Sets the mask value for the awareness events that are provided by eventype. The values for eventype are:

eventrate anomalyEvents rate eventrate awarenessEvents rate exit grep log central-err <pattern> grep log compression <pattern> (6 of 24)
a11SessionUpdate detectorTrafficUpdate gtpSessionUpdate HATrafficUpdate mipSessionUpdate MobileFlow PDSNTrafficUpdate RNCLoad radiusSessionUpdate subscriberSession hopTrafficUpdate pathTrafficUpdate ranapSessionUpdate Procedure 12-6
Sets the send rate for anomaly events Sets the send rate for awareness events Next lower access level Determines if there is pattern in the 9900 WNG Central error log Determines if there is a pattern in the compression log
14-19
14 CLI
Command
Description
See
export log logname user@host:/path
Exports the various log files that can be viewed from the CLI to an external host For the 9900 WNG Central view, the values for logname are:

grep applicationMap <pattern> grep log audit|central|detector| gui|syslog|systemEvents| webAccess pattern
gui audit webaccess syslog system
For the 9900 WNG Detector view, the values for logname are: detector syslog
Displays the application mapping that meet the specific pattern Searches for a pattern in logging details:
grep log audit patternsearch for pattern in CLI logging details grep log Central patternsearch for pattern in Central logging details grep log detector patternsearch for pattern in Detector logging details grep log gui patternsearch for pattern in GUI logging details grep log syslog pattern search for pattern in Syslog logging details grep log systemEvent patternsearch for pattern in system event logging details grep log webAccess patternsearch for pattern in web access logging details Procedure 12-3 Procedure 12-4 Procedure 36-13 Procedure 36-10
grep log database <pattern> grep log ipmi <pattern> grep log motive <pattern> grep rncLaiMap <pattern> grep rncPcfMap <pattern> grep rncSaiMap <pattern> grep users <pattern> guiDisconnect {all | user user} [clean | noclean]
Searches for a pattern in the database log Searches for BMC details that have a specific pattern Searches for a pattern in the motive log Displays the RNC-LAI mapping that has a specific pattern Displays the RNC-PCF mapping that has a specific pattern Displays the RNC-SAI mapping that has a specific pattern Displays the users that have a specific pattern Disconnects a specified user or all the connected GUI sessions. The clean option is used in upgrades to disconnect the existing sessions and reload the new configuration.
(7 of 24)
14-20
14 CLI
Command
Description
See
history idleTimeout {GUI | web} <timeout>
Displays the history of the CLI commands that were used by the logged in account Specifies the idle timeout for GUI and web users that have not had activity in a specified amount of time. The default is 0. Alcatel-Lucent recommends the timeout is set to a value that is greater than or equal to one day and the timeout can match any network timeout for subscriber sessions.
Procedure 36-9
ignoreDNSPackets {enable | disable} install software central packageName install software detector detectorName packageName load deviceTable {umts | cdmaList | cdmaRange} {scp location | usb filename} load language gui {scp <location> | usb <filename>} load load banner [usb | scp location]
Specifies whether DNS packets are ignored Installs a specific software package on a 9900 WNG Central Installs a specific software package on a specific 9900 WNG Detector Reload the device tables in different modes
Loads the GUI language resource file.
Procedure 16-3
Loads a banner file. By default, the default banner file is loaded. The options are:
Procedure 12-17

load license [usb | scp location] load providerTable {scp <location> | usb} load reportPackage [usb | scp location] load userguide [usb | scp location] logLevel
load from usb /banner directory copy using scp Procedure 6-2
Loads the license file Loads the providerTable from provider_ip_map.sql.bz2 to the specified location Imports the report package using a USB or SCP Imports the updated customer documentation using a USB or SCP Specifies the log level value. The values are:

logout (8 of 24)
emergsystem is unusable alertaction must be take immediately critcritical conditions errerror conditions warningwarning conditions noticenormal, but significant, conditions infoinformational message debuggingdebug-level message
Logs out of the CLI
14-21
14 CLI
Command
Description
See
lossRateThreshold intensi ty value mobileIPSubnets add mobileIPSubnets addList subnet [subnet...] mobileIPSubnets clear mobileIPSubnets delete subnet mobileIPSubnets deleteList module {a11 | gtpc | radius | mobileip} {enable | disable} moduleCounts {gtpc | mobileip} clear more config_file_name ntp disable ntp enable ntp server add ntp server delete ip_address packetCounts clear paging disable paging enable peakLineRates clear ping ip_address repo disable central repo disable external repo disable local repo enable central repo enable external repo enable local (9 of 24)
Specifies the loss rate threshold for the specific intensity level Prompts you to enter Mobile IP subnets one at a time. Press Enter to end the input. Adds the listed subnets to the existing list of Mobile IP subnets Clears all of the Mobile IP subnets Deletes the subnets from the existing list of Mobile IP subnets Deletes the listed subnets from the existing list of Mobile IP subnets Enables or disables various signaling decoder modules Resets the gtpc or mobileip module counters Displays the information contained in a specific configuration file
Procedure 7-3 Procedure 7-3 Procedure 9-3 Procedure 9-4
Disables NTP service Enables NTP service Specifies the IP address of NTP servers Removes a server IP address from the list of configured NTP servers Resets all of the packet counts Disables paging Enables paging Resets the peak line rate history for the 9900 WNG Detector traffic feed inputs
Displays the reachability status of a machine Disables the 9900 WNG Central repository Disables the external repository Disables the local repository Enables the 9900 WNG Central repository Enables the external repository Enables the local repository
14-22
14 CLI
Command
Description
See
repo import scp [package]
Imports a repository on the 9900 WNG Central using SCP. To import only a specific package, replace package with a package name. If you do not provide an optional package name, all of the packages with the specific package name are imported. Imports a repository on the 9900 WNG Central using a USB device. To import only a specific package, replace package with a package name. If you do not provide an optional package name, all of the packages with the specific package name are imported. Mounts a repository from a USB device Deletes proxy server details Specifies the proxy server details Specifies the repository to the external yum repository Unmounts a repository Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. The setting prevents reporting on sessions with relatively small amounts of data. Replace value with a number from 0 to 2147483647. Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. This prevents reporting on sessions with relatively small amounts of data. value is a number from 0 to 2147483647.
Procedure 9-3
repo import usb [package]
Procedure 9-3
repo mount repo proxy clear repo proxy set proxyServer port repo setExternal URL repo unmount reports billingValidationMinimum Bytes value
reports billingValidationDifferenc eThre value
reports delete [all | date date | between startdate endate]
Deletes reports. The options are:
delete all reports delete reports of a particular day delete reports between start date to end date
reports maxReportableRealms realm
Specifies the maximum number of realms or APNs that are reported separately in realm-based generated reports. realm is a value from 1 to 100. The top MaxReportableRealms are used in the report. If the value of MaxReportableRealms is greater than the number of detected realms, all of the realms are reported.
(10 of 24)
14-23
14 CLI
Command
Description
See
restore [all| config| security|db|logs|reports| license] [usb|scp location]
Restores 9900 WNG information, which incudes:
configuration files security files database logs reports license files Procedure 39-6
restore detector detector-id rncLoadThreshold clear all rncLoadThreshold clear rncid rncid rncLoadThreshold set rncid value1 value2 ... valueN
Restores a 9900 WNG Detector Resets all of the RNC load threshold values to the default values Resets the RNC load threshold values for the specific RNC ID to the default. rncid = string with maximum of 50 characters Specifies the RNC load threshold values for the specific RNC ID. Enter the threshold values in one line, each separated by space. rncid is a string of up to 50 characters value1 ... valueN is an integer between 0 and 10 000 000
Procedure 12-2
rncPcfMap add rncId
Adds a list of RNC-PCF address mappings. Enter the address list all in one line, each separated by a space Adds a list of RNC-PCF mappings inputted sequentially Clears all of the RNC-PCF mapping Clears the RNC-PCF mapping for the specific RNC Deletes a list of RNC-PCF address mappings. Enter the addresses in one line, each separated by a space) Deletes one or more RNC-PCF mapping for a specific RNC
Procedure 12-3
rncPcfMap addList rncId pcfIP [pcfIP...] rncPcfMap clear all rncPcfMap clear rncId rncPcfMap delete rncId pcfIP {pcfIP } rncPcfMap deleteList rncId (11 of 24)
Procedure 12-3
14-24
14 CLI
Command
Description
See
rncPcfMap import scp|usb source
Uploads, in bulk, the RNC-PCF mappings from a file through SCP or USB. The imported file is parsed before the mappings are loaded to the system. If the file has syntax errors, invalid data, or duplicate records, the commands exits without adding any mapping and sends the messages to correct the records in the file. source is the file that contains the RNC-PCF mapping records. The syntax of the source file must be in the following format: rnc-group,pcf_ip_address rnc-group,pcf_ip_address rnc-group,pcf_ip_address where rnc-group is a string and pcf_ip_address is a valid IP Address For example: RNC_TEST_2, 123.1.1.21 RNC_TEST_2, 123.1.2.21 BSC_CO_5, 113.1.1.22 BSC_CO_5, 113.1.2.22 BSC_CO_5, 113.1.1.23 If a pcf_ip_address already existed with specified values for pcf_ip_address, and the import file includes more addresses within the same group, the pre-existing entries from this group are assigned to un-named group. Only the new mappings in the imported file belongs to this group. If the imported list includes a PCF address that is already in an existing group, the mapping is updated with the new group.
rncSaiMap add rncid
Adds a list of RNC-SAI mappings. Enter the mappings in one line, each separated by a space. Adds list of RNC-SAI mapping inputted one after the other. rncid = string with maximum 50 characters sai = a hex string with exactly 14 characters
Procedure 12-4
rncSaiMap addList rncid sai [sai...]
Procedure 12-4
rncSaiMap clear all rncSaiMap clear rncid
Clears all values that are entered for the RNC-SAI mappings Clears the RNC-SAI mapping for the specific RNC ID. rncid = string with maximum 50 characters Deletes a list of RNC-SAI mappings. Enter the list of mappings in one line, each separated by a space) rncid = string with maximum 50 characters sai = a hex string with exactly 14 characters
rncSaiMap delete rncid sai {sai }
(12 of 24)
14-25
14 CLI
Command
Description
See
rncSaiMap deleteList rncid
Deletes one or more RNC-SAI mapping for a specific RNC rncid = string with maximum 50 characters Automatically groups SAIs that do not belong to any RNC Group. The SAIs are grouped by their LAC (the first 10 characters of their value). Uploads RNC-SAI mappings from a file, in bulk, through SCP or USB. The imported file is parsed before the mappings are loaded to the system. If there are syntax errors, invalid data, or duplicate records, the command exits without adding any mapping and with a message that the records in the file must be corrected. The syntax of the source file must be in the following format: rnc-group,sai rnc-group,sai where sai is a 14-character hexadecimal value and the starting character is 2 to 7 or 9 rnc-group is a valid RNC group. For example: RNC_TEST_3, 26800600004cb5 RNC_TEST_3, 800600004cb51 BSC_CO_1, 268006eb2857f8 BSC_CO_1, 268006eb2857f9 BSC_CO_1, 268006eb28586e For an example, if an existing RNC group called RNC-ABC has SAIs and the import file includes SAIs mapped to the RNC-ABC group. The preexisting entries from RNC-ABC are moved to the unnamed group and only the new mappings from the imported file are assigned to RNC-ABC. If the import file includes an SAI mapping that already exists in another group, the mapping is updated with the new group. If a mapping has the same SAI value as an RNC group, that mapping is rejected.
rncSaiMap groupByLAC
rncSaiMap import scp|usb source
securityMgrFeed disable securityMgrFeed enable syslogCollectorHost syslogCollectorPort netflowCollectorHost netflowCollectorPort service central restart service central start service central stop (13 of 24)
Disables the security event manager Enables the security event manager
Procedure 12-16
Restarts the 9900 WNG Central Starts the 9900 WNG Central Stops the 9900 WNG Central
14-26
14 CLI
Command
Description
See
service detector restart service detector start service detector stop service snmpAgent restart service snmpAgent start service snmpAgent stop show anomalyEventmask anomalyEventType
Restarts the 9900 WNG Detector Starts the 9900 WNG Detector Stops the 9900 WNG Detector Restarts the SNMP agent Starts the SNMP agent Stops the SNMP agent Displays the intensity setting for the specific anomaly event. The list of anomalyEventType is:

show api users show api stats show api subnets show applicationMap all show applicationMap category category show autoDetectMobilesFromAA A show backhaul
all (used to see the intensity setting for all the anomaly events) alwaysActive batteryAttack batteryAttackDistributed floodMobileDistributed floodMobileSingleSrc highSignalingSubscriber highUsage p2pMobile portScanHoriz portScanVert rncOverload routerDiscoveryAbuse sigAttack unwantedSrc Procedure 20-3 Procedure 20-6 Procedure 20-4 Procedure 12-15
Displays Motive API users Displays statistics for each Motive interface Displays the subnets for motive API access Displays all of the defined application mapping Displays the list of application mapping for the specific category. The category can be any string value. Displays whether autoDetectMobilesFromAAA is enabled or disabled
Displays the line rates for management interfaces that are between the 9900 WNG Detector and Central Displays the filter that is used for capture Displays the VLAN IDs for the capture VLAN
show backhaul in section 37.4 Procedure 12-9
show captureFilter show captureVLAN show CDMADeviceMode show cliSessions (14 of 24)
Displays the setting for the CDMA device mode Displays information about the active CLI sessions
14-27
14 CLI
Command
Description
See
show compressionStatus
Displays the current daily summary and number of uncompressed tables until the next hourly summary Displays the mysql information, such as open connections, process list, and list of queries Displays the deployment mode for a 9900 WNG Detector Shows the event intensity thresholds values for a specific event type:
show database show deploymentMode show detectionThresholds parameter value
Procedure 12-1

show detectors show diskArray show dormancy show eventmask eventype
alwaysActive batteryAttack batteryAttackDistributed floodMobileDistributed floodMobileSingleSrc highSignalingSubscriber highUsage p2pMobile portScanHoriz portScanVert rncOverload routerDiscoveryAbuse sigAttack unwantedSrc Procedure 12-8
Displays the list of 9900 WNG Detectors that are registered with the 9900 WNG Central Displays the disk status; for example, if the disk has failures or is running optimally Displays the mobile dormancy timeout value Displays the mask setting for the events specified by the variable eventype. The values are:

show eventrate anomalyEvents show eventrate awarenessEvents show hostId show hostname
a11SessionUpdate detectorTrafficUpdate mobileFlow sessionUpdate subscriberSession hopTrafficUpdate Procedure 12-6 Procedure 6-1
Displays the send rate for anomaly events Displays the send rate for awareness events Displays the platform hardware host ID Displays the hostname of the 9900 WNG Central or Detector, depending on which server executed the command
(15 of 24)
14-28
14 CLI
Command
Description
See
show idleTimeout {GUI | web} show ignoreDNSPackets show interface all show interface name show inventory show language gui show license show log audit show log central show log central-err show log compression show log database show log detector show log gui show log ipmi show log motive show log syslog show log systemEvents show log webAccess show logLevel show lossRateThreshold show memory show mobileIPSubnets show module show moduleCounts {gtpc | mobileip} show ntp
Displays the idle timeout for GUI and Web users Displays whether DNS packets are ignored
Procedure 36-14 Procedure 16-2 Procedure 35-1 Procedure 20-7 show memory in section 37.4 Procedure 12-5
Displays information about the network interfaces Displays information about a specific network interface Displays hardware information for the 9900 WNG Central or Detector
Displays the language resource file Displays the license and license violation details
Displays the CLI/GUI logging details Displays logging information for the 9900 WNG Central Displays the 9900 WNG Central error log Displays the compression log Displays the mysql log Displays logging information for a specific 9900 WNG Detector
Displays logging information for a specific GUI Displays logging information for the BMC Displays the motive log Displays system level logging information for the 9900 WNG Displays system event logging information for the 9900 WNG Displays web access logging information Displays the log event settings Displays the loss rate threshold for different levels Displays the system memory information Displays the IP subnets that are used for mobiles Displays the enabling status for signaling decoder modules Displays the gtpc or mobileip module counters
Displays the NTP configuration information for the 9900 WNG Central or Detector, depending on which server the command is executed
(16 of 24)
14-29
14 CLI
Command
Description
See
show packetCounts show processes show reportTime [verbose] show reports maxReportableRealms show reports billingValidationDifferenc eThreshold show reports billingValidationMinimum Bytes show repoStatus show rncLoadThreshold all show rncLoadThreshold rncid rncid show rncpcfmap all show rncPcfMap discoveredPCFConfigured show rncPcfMap discoveredPCFNotConfigur ed show rncpcfmap rncid rncid show rncpcfmap summary show rncSaiMap all|rncid rncid show rncSaiMap discoveredSaiConfigured show rncSaiMap discoveredSaiNotConfigur ed show rncpcfmap summary show runningConfig show securityMgrFeed status (17 of 24)
Displays the 9900 WNG Detector packet counts Displays the list of running processes Displays the earliest day of the reporting period and any missing data gaps, if verbose Displays the maximum number of realms or APNs that are reported separately in the realm-based generated reports Displays the difference between the observed bytes and the RADIUS reported bytes for a mobile session that causes the reporting of a billing discrepancy Displays the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy Displays the settings for all repositories Displays all existing RNC load threshold values Displays the RNC load threshold values for a specific RNC ID rncid = string with maximum 50 characters Displays the RNC-PCF mapping Displays the discovered PCFs that are configured Displays the discovered PCFs that are not configured Displays the RNC-PCF mapping for the specific RNC Displays a summary of RNC-PCF mappings Displays all of the existing RNC-SAI mappings or the mapping for a specific RNC ID. rncid is a string of up to 50 characters Displays the discovered SAIs that are configured Displays the discovered SAIs that are not configured Displays a summary of RNC-SAI mappings Displays the configuration that is currently running on the 9900 WNG Detector Displays whether the Security Event Manager is enabled or disabled
Procedure 12-4
14-30
14 CLI
Command
Description
See
show snmpAgent community show snmpAgent groups show snmpAgent hosts show snmpAgent info show snmpAgent users show snmpAgent views show software installed central [all] show software installed detector show software installed detector all show software repo [all|alu9900|central|dete ctor] show stats
Displays the list of SNMP communities Displays the SNMP groups Displays information about the SNMP host (managers) that are used to forward traps Displays information about SNMP, such as contact, location, and SNMP enabling Displays the list of SNMP users Displays the SNMP view details Displays information about the software that are installed on the 9900 WNG Central Displays information about the software that is installed on a specific 9900 WNG Detector Displays information about the software that is installed on all 9900 WNG Detectors Displays software package information
Procedure 19-2 Procedure 19-7 Procedure 19-2 Procedure 9-6
Displays statistics for all of the mobile NEs, such as PDSN and HA. Statistics include, current and peak rates of the 9900 WNG Central or Detector traffic feed inputs Displays subscriber group information
show stats in section 37.4
show subscriberGroup {all | summary | groupName groupName} show system
Displays all of the system information, such as CPU, memory usage, system name, location, and contacts See for more information. Displays a snapshot of the UNIX top utility Displays all of the mobile network elements, such as PDSN and HA, for all of a specific 9900 WNG Detector (in the detector view)
show system in section 37.4
show top show topology [element type] (18 of 24)
14-31
14 CLI
Command
Description
See
show trendAlert {all | node nodeName elementType trendName }
Displays the trend threshold values for different trends Values for elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUP. Settings for trendName are:

show uptime show uniTCPFlows (19 of 24)
num_active_m nnum_hoin num_hoou i2m_pkts i2m_flows i2m_bytes m2i_pkts m2i_flows m2i_bytes m2m_pkts_up m2m_flows_up m2m_bytes_up m2m_pkts_down m2m_flows_down m2m_bytes_down down_rtt_mean down_tcp_pkts down_tcp_loss uni_i2m_pkts uni_i2m_flows uni_i2m_bytes uni_m2i_pkts uni_m2i_bytes ni_m2m_pkts_up uni_m2m_flows_up uni_m2m_bytes_up uni_m2m_pkts_down uni_m2m_flows_down uni_m2m_bytes_down loss_rate rtt_mean tcp_reset_i2m_pkts tcp_reset_m2i_pkts tcp_reset_m2m_pkts_down tcp_reset_m2m_pkts_up icmpunreach_i2m_pkts icmpunreach_m2i_pkts icmpunreach_m2m_pkts_down icmpunreach_m2m_pkts_up num_conn_setup_up num_conn_setup_down
Displays the time of the 9900 WNG Central or Detector servers since the last reboot Displays the statistics for the unidirectional TCP
14-32
14 CLI
Command
Description
See
show users show version show whitelist snmpAgent add community community ro|rw|wo ipaddress snmpAgent add group name [noAuthNoPriv|authNoPri v|authPriv] Read-view Write-view Notification-view snmpAgent add host v1 IpAddress port community | v2c IpAddress port community | v3 IpAddress port userName snmpAgent add user username groupname [authProtocol] [authPassword] [privPassword] snmpAgent add view view old [excluded | included] snmpAgent add community community ro|rw|wo ipaddress snmpAgent delete group name snmpAgent delete host IpAddress snmpAgent delete user user snmpAgent delete view view snmpAgent update contact contact snmpAgent update location location snmpServer add ip snmpServer addList ip[ip] [ip]... (20 of 24)
Displays the list of currently configured CLI and GUI users on the 9900 WNG Central. Displays the version of the 9900 WNG Detector Displays the whitelist subnets
Procedure 36-12 Procedure 12-7 Procedure 19-1
Specifies the community string that is used for SNMPv1/v2c get/set Specifies the access control rules for the group. The group name must be unique.
Procedure 19-4
Specifies the host for forwarded SNMP traps. IPaddress is the IP address of the trap recipient machine, port is the target port. For SNMP v1 or v2c, the community string is required. For SNMP v3, a user name is required to configure the trap host. Creates SNMP users. The authProtocol and authPassword parameters are required only when the user requires authorization or privacy, whereas privPassword is required for privacy support. Specifies the SNMP view. The SNMP view name should be unique. See Procedure for more information. Adds the community string that is used for SNMPv1/v2c get/set Deletes the SNMP group with the group name Deletes the host from the trap-receiving host list Deletes the SNMP user with a specific name Deletes the SNMP view with a specific name Sets the value of the SNMP contact string Specifies the SNMP location string Adds an NMS server to send SNMPv3 requests to the agent Adds a list of NMS servers to send SNMPv3 requests to the agent
Procedures 19-1 and 19-2
Procedure 19-3
Procedure 19-2
Procedures 19-1 and 19-2 Procedure 19-6 Procedure 19-5 Procedure 19-2 Procedure 19-2
14-33
14 CLI
Command
Description
See
snmpServer delete
Deletes a NMS server from the list of allowed NMS servers that send SNMPv3 requests to the agent Deletes NMS servers one at a time from the list of allowed NMS servers that send SNMPv3 requests to the agent Specifies the intensity of anomaly events. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the specified intensity. The values for intensity is 1 to 5, and off. Specify one of the following event types:
snmpServer deleteList
snmp trap anomaly eventType intensity
Procedure 19-14

snmp trap trendAlerts intensity
AlwaysActive batteryAttackDistributed batteryAttackSingleSrc floodMobileDistributed floodMobileSingleSrc highSignalingSubscriber highUsage p2pMobile portScanHoriz portScanVert rncOverload routerDiscoveryAbuse sigAttackSingleSrc unwantedSrc
Specifies the intensity of trend alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the set intensity. The values for intensity is 1 to 5, and off. Specifies the intensity of congestion alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than or equal to the set intensity. The values for intensity is 1 to 5, and off. Sets the intensity of trend alerts. The SNMP trap for the selected event type is generated only if the event intensity is greater than the set intensity. The values for intensity is 1 to 5, and off.
snmp trap congestionAlerts intensity
subscriberGroup delete groupName [groupname ] (21 of 24)
Deletes one or more subscriber groups. After a subscriber group is deleted, all of the subscribers which were contained in the group are ungrouped.
14-34
14 CLI
Command
Description
See
subscriberGroup import {add|createOrReplace} {scp location |usb filename}
Bulk uploading of the subscriber group-subscribers mappings from a file.The source specifies the file that contains the groupName-subscriber mapping records. The file can be imported using SCP or USB. The imported file is parsed before the mappings are loaded. If the file contains syntax errors, invalid data, or duplicate records, the mappings are not changed. A subscriber can be contained in multiple groups. The syntax of the file containing the mapping is: subscriber_groupName,NAI/IMSI where subscriber_groupName is the name of the subscriber group, which can contain up to 64 NAI/IMSI (without realm) is an NAI/IMSI value The following describes the options:
addincrementally adds the subscribers to the subscriber group. Use createOrReplace command to create new or replace existing groups createOrReplacecreates or overwrites one or more subscriber groups that are in the file
The following is a sample file: Sub1, 1234567890 Sub1, 1234562890 Sub2, 1234567890 system reboot Reboots the 9900 WNG Detector or Central, depending on which server the command is executed Halts the system after bringing it down Removes or resets the trend threshold values for the specified trend. elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUP The following are the trend names:
system shutdown trendAlert remove | reset nodeName elementType trendName
Procedure 5-2

(22 of 24)
num_active_mn i2m_flows i2m_bytes m2i_flows m2i_bytes num_conn_setup_up num_conn_setup_down airtime_up airtime_down
14-35
14 CLI
Command
Description
See
trendAlert set nodeName elementType trendName threshold
Specifies the trend threshold values for a specific trend. A trend threshold can be configured for a trend that is recognized by combination of three fields: element type, trend name, and node name. Specify one of the following values for elementTypes are: HA_GROUP, PDSN_GROUP, RNC_GROUP The list of trend names are:

update software central packageName update software detector detectorName packageName user add id password group firstname lastname user changePassword id
num_active_mn i2m_flows i2m_bytes m2i_flows m2i_bytes num_conn_setup_up num_conn_setup_down airtime_up airtime_down Procedure 9-4 Procedure 9-4
Updates a specific software package on the 9900 WNG Central Updates a specific software package on a specific 9900 WNG Detector Creates a CLI, GUI, Web, or ReportOnly user account. The options for the group are user, admin, reportonly, sudo, or demoonly. If the command is used in sudo mode, you must specify the ID to reset the password of a specific user. If the command is used from the user or admin mode, your password is changed. Deletes a specific the CLI, GUI, Web, ReportOnly, or Demoonly user Changes the CLI role for an account. The role can be user, admin, reportonly, or demoonly. Changes the GUI role for an account. The role can be NE, ano, subs, or admin.
Procedure 36-1
Procedures 36-2 and 36-4
user delete id user modify group CLI <id> <group> user modify group GUI <id> <gui_role1> [gui_role2] [gui_role3] [gui_role4] [gui_role5] user modify group id group user modify group Reports <id> <rep_role1> [rep_role2] [rep_role3] [rep_role4] user modify name id firstname lastname (23 of 24)
Procedure 36-11 Procedure 36-5 Procedure 36-5
Changes a specific user role. The role cannot be upgraded to sudo. Changes a specific role for a Reports account. The roles NE, subs, apps, or admin.
Procedure 36-5
Modifies a specific user name
Procedure 36-6
14-36
14 CLI
Command
Description
See
user modify PasswordAge id days user setDefaultPasswordAge days whitelist add
Resets the specific user current and future passwords to expire after the specified number of days Sets the default password for new and existing accounts. A current password lasts for the specified number of days. Prompts you to enter whitelisted subnets one at a time. Press Enter to finish entering whitelisted subnets. Specifies one or more whitelisted subnets Clears all of the whitelisted subnets Deletes the subnets from the list of whitelisted subnets Deletes the whitelisted subnets one at a time. Press Enter to finish deleting the whitelisted subnets.
Procedure 36-8
Procedure 36-7
Procedure 12-7
whitelist addList subnet [subnet...] whitelist clear whitelist delete subnet whitelist deleteList
Procedure 12-7
(24 of 24)
14-37
14 CLI
14-38
15.1 PC client installation overview 15.2 PC client installation 15-2 15-3
15-2
15.3 Launching the GUI client
15-1
15.1
PC client installation overview

The 9900 WNG EMS is a GUI client application that runs on your personal computer. You can use the GUI to manage 9900 WNG Central and Detector devices. The GUI provides the following functions:
secure PC-based GUI and CLI client interfaces to enable remote monitoring and
administration threat analysis SSH cut-through to 9900 WNG components a view of the entire wireless network that is being monitored on-demand reports
15.2
PC client installation
The 9900 WNG EMS is a software application that runs on the client PC. It is downloaded from 9900 WNG Central through the Java Web Start. The EMS manages 9900 WNG components (NEs), including the 9900 WNG Central and Detector. The 9900 WNG Central web applications run on client terminal platforms that meet these conditions:
Windows XP Minimum screen resolution: 1024 x 768 Internet Explorer 6.0 Java 1.6 or later Processor speed - a minimum of 1GHz
Provisioning your PC
Before you can run the GUI client on a machine, the machine must first be provisioned. Additionally, when your System Administrator changes the server certificate on the 9900 WNG Central server you must provision your PC again. Perform Procedure 15-1 to provision your PC.
Procedure 15-1 To provision your PC

1 2 3 4 Log into the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the link First-time user please click here to provision your PC. Provide your WNG username and password to authenticate yourself when prompted. After a successful provisioning, a message box appears with a Your PC has been successfully provisioned message. Click on the OK button.
15-2
If you cannot provision your PCI, click on the Common launch problems link located on the 9900 WNG Central webpage for troubleshooting information.
15.3
Launching the GUI client

Perform Procedure 15-2 to launch the GUI client. This procedure assumes that you have provisioned your PC as described in Procedure 15-1.
Procedure 15-2 To launch the GUI client

1 2 3 Log into the 9900 WNG Central webpage, as described in Procedure 17-1. Click on Launch the GUI Client link. Enter your 9900 WNG username and password. Ensure that the Server field contains the hostname of your 9900 WNG Central server. After a successful login, the GUI client starts. If you cannot launch the GUI, click on the Common launch problems link located on the 9900 WNG Central webpage for troubleshooting information.
Deployment by Java Web Start

The GUI is deployed using the Java Web Start technology, and is launched from the 9900 WNG Central webpage. After your first execution of the program, its binary image is cached on your PC, so you do not have to download the program every time you execute it. You receive an automatic upgrade of the client program when the program is upgraded on the 9900 WNG Central.
15-3
15-4
16 GUI
16.1 GUI overview
16-2 16-2
16.2 Logging in to the GUI 16.3 GUI components 16-2
16.4 Common features and functions
16-6 16-8
16.5 Configuring the language on the GUI 16.6 Configuring preference settings
16-9
16-1
16 GUI
16.1
GUI overview
The 9900 WNG includes a GUI client application that runs on your personal computer. The GUI has the following key functions:
Threat and performance analysisThe GUI is designed to allow you to view and
analyze network threats and performance issues. The GUI is a dynamic interface that supports a variety of on-demand reports for real-time monitoring and analysis of network anomalies. Element managementyou can use the GUI to manage 9900 WNG Central and Detector devices. The GUI supports the following features:
secure PC-based GUI and CLI client interfaces to enable remote monitoring and
administration SSH cut-through to 9900 WNG components using the CLI menu item in the navigation menu
Menu-based and dynamic navigation

For some views, the data is automatically generated from the events that the Detector monitors, such as anomaly, performance and system events. You can access such data by clicking on the associated item in the navigation menu. Other views are generated by actions you perform, either from the navigation menu, or from features embedded in the GUI view which allow you to navigate dynamically and generate detailed, current reports on demand, such as the forensic, mobile flow, and network forensic views.
16.2
Logging in to the GUI

Procedure 16-1 describes how to log in to the GUI.
Procedure 16-1 To log in to the GUI

1 2 3 4 5 Access the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Launch GUI Client link. The log in pop-up window appears. Enter your user name and password. Choose the central server that you need to log in to from the Server drop-down menu. Click on the Login button. The GUI appears with the Dashboard view displayed.
16.3
GUI components
The first time that you open the GUI client, the Dashboard View appears as shown in Figure 16-1
16-2
16 GUI Figure 16-1 9900 WNG window components Dashboard View

LED status indicators Main menu Status bar Navigation menu
Workspace panel
21132
Table 16-1 describes the 9900 WNG GUI window components. The components in the GUI are persistent or variable. Persistent components remain visible in the GUI window and provide access to high-level navigation, commands, and monitoring functions. Variable components appear in the workspace panel. the layout and format of the workspace panel depend on the item that you select in the navigation menu.
Table 16-1 9900 WNG GUI persistent components
Component Main menu Description Contains menu and submenu items: See Table 16-2 for a description of the Preferences commands

Status bar
File Preferences Help User name and privileges the name of the 9900 WNG Central server that hosts the GUI LED status indicators
Displays the following items (from left to right):

(1 of 2)
Tables 16-3 and 16-4 for a description of the status LEDs
16-3
16 GUI
Component Navigation menu
Description Contains a list of items that represent the available GUI functions. Each item opens a specific view that appears in the workspace panel. Use the Navigate menu to navigate to a specific GUI function. You can navigate from one view to another without affecting the data in the views.
See Table 16-5
Workspace panel
The layout and content of this panel depends on the navigation menu item that you choose. The workspace panel is used to perform network performance monitoring and anomaly management
(2 of 2)
GUI menus
The GUI menu provides the top-level controls for the GUI client. Table 16-2 describes the menus.
Table 16-2 GUI menus
Menu File Preferences Submenu or command Exit command Set Data Retrieval Size Filter Received Events Set Subscriber Report Preferences Topology Preferences Reset Configuration Settings Help About command Provides information about the following: Description Provides access to the Exit command, which closes the GUI Provides options to change the default display settings for the GUI-based reports See Section 16.6
current version of the 9900 WNG current version of Java current OS run time for the current GUI session
9900 WNG status indicators

The GUI displays LEDs that indicate the status of the database, anomaly events, and the 9900 WNG system. Table 16-3 describes the status LEDs.
16-4
16 GUI Table 16-3 Status LEDs

Status LED Database LED color Green Yellow Description Indicates operations are normal, communication to Central database is healthy. Indicates all connections in the database connection pool are currently being used. This should turn green after operations such as report generation or mobile flow queries are complete. This is not necessarily indicative of a problem, unless the LED stays yellow for an extended period of time. If it does stay yellow, exit the GUI and log back in. Indicates communication to the Central database is down. See Table 16-4 for corrective action. Affects the ability to acknowledge / un-acknowledge and manually clear system events. It is recommended that you restart the GUI to fix this problem. Green Yellow Indicates everything is normal, anomaly events are being received and communication to Central is healthy. Indicates anomaly events are being received successfully although some communication with Central is not available. This affects the ability to acknowledge and manually clear anomaly events. Alcatel-Lucent recommends that you restart the GUI to fix this problem. Indicates the GUI cannot receive anomaly events from Central. This could be a network communications problem or a problem with the Central machine. See Table 16-4 for corrective action. Indicates everything is normal, system health events are being received and communication to Central is healthy. Indicates the system events are being received successfully although some communication with Central is not available. This affects the ability to acknowledge and manually clear system events. Alcatel-Lucent recommended that you restart the GUI to fix this problem. Indicates the GUI cannot receive system events from Central. This could be a network communications problem or a problem with the Central machine. See Table 16-4 for corrective action.
Red Unacknowledged Events
Red
System
Green Yellow
Red
Troubleshooting LEDs
Table 16-4 describes the color information for LEDs for troubleshooting.
Table 16-4 Troubleshooting LEDs
LED color Red Solution If all LEDs are red, there is either a network connectivity issue or the system is down. If you are able to access the 9900 WNG webpage but cannot authenticate yourself, contact your Alcatel-Lucent technical support representative. If you are unable to access the 9900 WNG webpage, check your network connectivity and/or verify that the 9900 WNG Central is powered up. Yellow Yellow/red If the database LED is yellow, you are likely making too many report/database accesses. If the system or anomaly LEDs are yellow/red, the GUI automatically retries and after the Central processes are up, these LEDs change to green.
16-5
16 GUI
Navigation menu and views in the workspace panel

Table 16-5 describes each of the items in the navigation menu, and where to find more information about the associated view.
Table 16-5 9900 WNG navigation menu
Navigation menu item Dashboard View Real-Time Events View Description Provides a snapshot of all active subscribers and display potential problems in the network Comprises three views: See Chapter 21 Chapter 22
Anomaly Events Performance Events Historic Events Chapter 23
Forensic view
Use this view to investigate threat events and analyze general mobile flow records, such as records that do not relate to an anomaly event. The Historic View tab contains a list of past forensic queries that are sorted from most recent to oldest.
Topology and network forensics System View Mobile flow CLI Subscriber
Provides a view of the network elements observed by the 9900 WNG Detector while monitoring the network traffic. Includes Element tables and Network graphs Displays current events representing health alerts and troubleshooting. Displays usage records that combine the typical network flow information with wireless-specific information. Provides SSH cut through to the Central CLI Displays reports about subscribers
Chapters 24 and 25 Chapter 26 Chapter 27 Chapter 28 Chapter 29
16.4
Common features and functions

Most of the views in the 9900 WNG GUI window have common components and features that allow you to change the contents of the view.
Sorting functions
The 9900 WNG includes a variety of ways to sort the data in the workspace panel. The sort functions depend on the report type that you view.
Tabular reports
Some tabular reports support the sorting of table data in ascending and descending order based on the column header that you choose. You can click on the column header to realign the order of the table for the following reports:
Forensic View report tables Topology Element Table

16 GUI
Mobile Flow records Subscriber Anomaly Events tab Network Forensic History tab
Report-specific filters
For all other filter operations, see the appropriate chapter for the GUI-based report.
Export functions
Table 16-6 describes the common export functions.
Table 16-6 Common Export functions
Action Buttons Export Opens a dialog box that allows you to choose the content (tabs) to be exported and the format: CSV, PDF, or both Exports the data to a CSV file Subscriber (all tabs) Network Forensic Description View where used
Export to CSV
Anomaly History Forensic View Mobile Flow System History
Export to PDF Right-click options Export table or selection to CSV
Exports the data to a PDF file
Forensic View
Exports the data to a CSV file
Element Tables
Calendar and time widget

The calendar and time widget can be accessed from all date- and time-based fields by clicking on the down arrow adjacent to the date/time field. You can use the calendar to select days in the past or future. The time field can be adjusted by the hour by clicking on the up/down arrows. You can also adjust the time by typing directly in the field. Click on the Now button to configure the current date and time.
Using the whois query

You can use the whois query on the GUI to identify the owner associated with either a Victim IP or an Attacker IP address shown in the Event Details panels (for example, the Anomaly Event Details panel or the Mobile Flow Event Details panel). To display the IP address of a victim or attacker, right-click on the IP address and choose whois. The whois query displays the following fields from the ARIN WHOIS database search.
16-7
16 GUI Table 16-7 whois query fields

Fields HostName OrgName OrgID Address City State/Province Postal Code Country NetRange CIDR NetName NetHandle Parent NetType Comment RegDate Updated OrgAbuseHandle OrgAbuseName OrgAbusePhone OrgAbuseEmail OrgTechHandle OrgTechName OrgTechPhone OrgTechEmail
16.5
Configuring the language on the GUI

The 9900 WNG Central GUI supports localization in English, Spanish, and Chinese. The language displayed in the GUI matches the language configured on the terminal you are using to view the GUI. See your operating system documentation for information about configuring language options. You can install a customized language resource file for the 9900 WNG; contact your Alcatel-Lucent representative for assistance in acquiring and configuring a language resource file. Table 16-8 lists the language configuration tasks you can perform and where to find more information.
Table 16-8 Configuring language procedures
Task To display the current language resource file To install a language resource file See Procedure 16-2 16-3
Procedure 16-2 To display the current language resource file

1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Display the current language resource file by typing:
show language gui
16-8
16 GUI
Procedure 16-3 To install a language resource file

Performing this procedure changes the displayed language for all users. 1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Install a new language resource file by typing:
load language gui location_type location
where location_type is USB or SCP location is the filename or SCP location of the language resource file. If the SCP location requires a password, you are prompted to enter the password.
The new language resource file is installed.
16.6
Configuring preference settings

The Preferences menu supports the configuration of the settings that are described in Table 16-9.
Table 16-9 Preference menu settings
Setting Data retrieval setting Anomaly event setting Subscriber reports preferences Network graph preferences Reset configuration settings Description Change the default data retrieval settings for anomaly events Specifies the type of events that the system displays Changes subscriber report preferences Specifies the number of cells to display in the network graph Resets all preferences to the default setting See Procedure 16-4 16-5 16-6 16-7 16-8
Procedure 16-4 To change the default data retrieval settings

1 2 Log in to the 9900 WNG Central webpage, as described in Procedure 17-1. Choose Set Data Retrieval Size from the Preferences menu. The Specify Page and Data Sizes window appears.
16-9
16 GUI
Change the settings for the fields, as described in Table 16-10. Select from settings in the drop-down menu to the right of each field.
Note The number of events that you display can affect the system performance. The system required more time to process a large number of events than a small number of events of the same type.
Table 16-10 Data retrieval settings

Option Max outstanding Events Shown in Network View/Current View Max Incidents Shown in the History View Max Events shown in Forensic/Subscriber View Description Specifies the number of events that are shown in the Anomaly Events view Specifies the number of events that are shown in the Anomaly History view Specifies the number of events that are shown in the Forensic View and Subscriber Views Values 20, 50, 100, 500 (default), 1000 See Anomaly Events view in chapter 22
500 (default), 1000, 1500, 2000, 2500 20, 50, 100, 500 (default), 1000
Anomaly History view in chapter 22 Chapter 23 (Forensic View) Chapter 29 (Subscriber View)
Maximum Flow Records per Mobile FLow Query
Specifies the number of events that are shown in the Mobile Flow View
100, 200 (default), 500, 1000
Chapter 27
Click on the Save button.
Procedure 16-5 To change the default event reporting settings

1 2 3 Log in to the 9900 WNG Central webpage, as described in Procedure 17-1. Choose Filter Received Events from the Preferences menu. The Filter Received Events window appears. By default, all event types are selected. Choose one of the following options to change the default settings: a Select the types of anomalies that you need to display in the GUI-based reports. Table 16-11 lists the anomaly events in the order that they appear in the Filter Received Events window. See chapter 33 for a detailed explanation of each type of event.
Table 16-11 Anomaly events filter
Event name SIGATTACK_SINGLE_SRC (1 of 2) Description Signaling attack from a single source
16-10
16 GUI
Event name HIGH_SIGNALING_SUB RNC_OVERLOAD BATTERYATTACK_SINGLE_SRC BATTERYATTACK_DISTRIBUTED FLOOD_MOBILE_SINGLE_SRC FLOOD_MOBILE_DISTRIBUTED PORTSCAN_VERT PORTSCAN_HORIZ ALWAYS_ACTIVE_SUB HIGH_USAGE_SUB P2P_MOBILE UNWANTED_SRC ROUTER_DISCOVERY_ABUSE (2 of 2)
Description High signaling subscriber RNC overload Battery attack from a single source Battery attack from a group of sources Flood mobile from a single source Flood mobile from multiple sources Vertical port scan Horizontal port scan Always active airtime subscriber High usage subscriber Peer-to-peer mobile Unwanted source of traffic ICMP router discovery abuse
b c 4
Click on the Select All button to display all types of anomaly events in the the views. Click on the Deselect All button to deselect all events.
Click on the OK button to save the filter preferences.
Procedure 16-6 To modify subscriber report preferences

1 From the 9900 WNG GUI, go to the Preferences drop-down menu and select Set Subscriber Report Preferences. The Set Subscriber Reports references widow appears. Configure the parameters in the Preferences dialog box, as described in Table 16-12.
Table 16-12 Subscriber report preferences
Parameter Minimum Observed Byte Threshold in bytes Description Specifies the minimum number of bytes that must be observed by a 9900 WNG Detector for a mobile session before that session is considered for a billing discrepancy. This prevents reporting on sessions with relatively small amounts of data. Value 1000 (default)
(1 of 2)
16-11
16 GUI
Parameter Discrepancy Difference Threshold in bytes (1) Restore defaults button (2 of 2) Note
(1)
Description Specifies the difference between the observed bytes and the bytes reported by RADIUS for a mobile session. If the threshold is reached or exceeded, the system reports a billing discrepancy. Restores the values in the form to the default values
Value 1000 (default)
The GUI settings do not affect other users or the daily/weekly/monthly billing discrepancy report that is set using the CLI.
Click on the Save button.
Procedure 16-7 To configure Network Graph preferences

1 2 3 From the main menu, choose Topology Preferences from the Preferences menu. The Topology Preferences window appears. Choose a value from the Limit Base Station drop-down menu. The options are 25, 50, 100, or 200 (default). Click on the Save & Close button.
Procedure 16-8 To reset default configuration settings

1 2 3 Log in to the 9900 WNG Central webpage, as described in Procedure 17-1. Choose Reset Configuration Settings from the Preferences menu. The Delete Configuration Settings dialog box appears. Click on the Yes button to reset the preferences.
16-12
17.1 9900 WNG Central webpage
17-2
17-1
17.1
9900 WNG Central webpage

The 9900 WNG Central webpage is the browser-based user interface from which you can access the following functions:
open the browser-based reports interface open the 9900 WNG Central client GUI open the Group Manager log out or change password get SNMP MIBs view customer documentation
Note Users with the reportonly privilege cannot view the GUI
link.
Perform Procedure 17-1 to access the functions supported by the 9900 WNG Central webpage.
Procedure 17-1 To access the 9900 WNG Central webpage

1 Using a web browser, navigate to the 9900 WNG Central webpage. The location of the web page depends on the hostname of the 9900 WNG Central. For example, if the hostname of your 9900 WNG Central is CentralHostName, use https://CentralHostName.
Note The 9900 WNG Central converts HTTP queries into HTTPS queries. For example:
http://centralhostname is converted to https://centralhostname 2 3 Enter your username and password and click on the Login button. The 9900 WNG Central home page appears. Choose one of the links in Table 17-1, which describes the functions that you can access and where to find more information.
17-2
17 9900 WNG Central webpage Table 17-1 Links on the 9900 WNG Central home page
Link Get reports Description Browser-based reports provide you with information about short and long-term trends in network events and activities. The reports are web-based and accessed by using a browser. The 9900 WNG GUI client supports the following activities: See Chapter 30 for information about how to access and use browser-based reports. See chapter 31 for detailed information about each type of report that you can generate. Chapter 16 for information about how to access and use the 9900 WNG GUI. See chapters 21 to 29 for information about the types of real-time reports that you can generate.
Launch the GUI Client

Group Manager
Threat and performance analysis in real-time Element management and SSH cut through to the CLI for the 9900 WNG Central and Detector
The Subscriber Group Manager webpage enables you to create subscriber groups which you can use to classify and manage a large number of subscribers Download the 9900 WNG MIB file
Chapter 32 for information about how to create and manage subscriber groups Section 19.9
Get SNMP MIBS View 9900 WNG Users Guide
17-3
17-4
18 BMC
18.1 BMC
18-2
18-1
18 BMC
18.1
BMC
The BMC provides system administrators with remote access to the 9900 WNG Central and Detectors. If the 9900 WNG Central or Detector hardware fails for any reason, the system administrator can access the status of the hardware and take corrective action. BMC firmware enables server management functions, such as remote reset and remote power off, even when the server operating system is down. The BMC LAN interface is configured with a separate IP address to enable remote access. The IPMI Management Utilities are used to send commands to the BMC firmware. These commands include accessing the firmware system event log, launching the remote console, and performing remote power off. The IPMI Management Utilities must be installed on the machine from which the system administrator wants to access BMC. The IPMI Management Utilities can be installed on a Linux or Windows platform. Table 18-1 lists where to find more information about the BMC.
Table 18-1 BMC information
For information about Configure the management interface and BMC LAN on the 9900 WNG Central Monitoring the 9900 WNG Central and Detectors using the BMC Powering up, powering down, or resetting a 9900 WNG Central or Detectors using the BMC IPMI CLI commands See Procedures 7-1 and 7-2 Section 37.5 Procedure 5-5 Table 14-8
18-2
19 SNMP
19.1 SNMP interface
19-2 19-3
19.2 Configuring SNMPv1/v2c 19.3 Configuring SNMPv3 19.4 SNMP user accounts
19-5 19-7 19-9 19-10
19.5 Managing SNMP components 19.6 Deleting SNMP components
19.7 Configuring SNMP for anomaly, trend, and congestion alerts 19-11 19.8 SNMP commands 19.9 SNMP MIBs 19-15 19-12
19-1
19 SNMP
19.1
SNMP interface
SNMP is a UDP-based network protocol that is used to monitor and manage complex networks. Table 19-1 describes the components in an SNMP-managed network.
Table 19-1 SNMP-managed network components
Component Managed device Description A network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional access to node-specific information. Managed devices exchange node-specific information with the NMSs. Managed devices, also known as NEs, can be any type of device, including, routers, access servers, switches, bridges, hubs, IP telephones, IP video cameras, computer hosts, and printers. A network-management software module that resides on a managed device. An agent has local knowledge of management information and translates the information to or from an SNMP-specific form and reports the information to the NMS. The higher level manager that monitors and manages a group of hosts or devices in the network.
Agent
NMS
SNMP agents interprets management data on the managed systems as variables. The variables that are accessible using the SNMP interface are organized in hierarchies containing OIDs. The hierarchies, and other meta data, such as type and description of the variable, are described by the MIB. Each OID identifies a variable that can be read or set using the SNMP. The SNMP specifies five core PDUs in version 1 and 2. Other PDUs were added to create SNMPv2c and then SNMPv3. The information between the agent and manager is exchanged in form of PDUs. SNMPv1 is the initial implementation of the SNMP. SNMPv1 and SNMPv2c have community (plain text) based authentication. However, the SNMPv3 architecture uses the USM for message security and the VACM for access control. See section 19.2 for more information about SNMPv1/v2c. See section 19.3 for information about SNMPv3. The 9900 WNG Central supports the SNMP interface. There is an SNMP agent that is on the 9900 WNG Central and the SNMP agent monitors processes, hardware, and software in the 9900 WNG Central and Detectors. You can use the SNMP agent to configure one or more NMSs to communicate and share information. A community, user-based authentication is required to communicate between the agent and manager. Table 19-2 describes the components of SNMP that must be configured.
Table 19-2 SNMP configurations
Component SNMP servers Community string Hosts (1 of 2) Description NMS servers that are allowed to send requests to the 9900 WNG Central Allows access the 9900 WNG MIB data The destination NMS for SNMP traps SNMPv1/v2c SNMPv3
19-2
19 SNMP
Component Views Groups User accounts
Description Restricts the user to have access to only the MIB Maps users to views. For each group, you can configure a read view, a write view, or both. For communicating between the agent and manager. An authentication protocol, password, and privacy password are required, depending on the group and specified authentication type.
SNMPv1/v2c
SNMPv3
(2 of 2)
See Table 14-8 for information about all SNMP CLI commands.
19.2
Configuring SNMPv1/v2c
SNMP versions 1 and 2 provide a level of security by using community strings, which, like public and private keys, are used to match valid requestors at the network component. Perform Procedure 19-1 to specify the NMS servers and configure SNMPv1/v2c settings.
Procedure 19-1 To specify the NMS servers and configure SNMPv1/v2c settings
This procedure requires the following privileges:

1 2
sudoto specify the NMS server entries adminto configure the SNMPv1/v2c settings
Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Configure the NMS server by performing one of the following: a Add one NMS server by typing:
snmpServer add IP_address
where IP_address is the IP address of an NMS server.
The following example shows how to configure a single server using the add option.
central:sudo# snmpServer add 1.1.1.1 Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Add multiple NMS servers by typing:

snmpServer addlist IP_address_1 IP_address_2 IP_address_n
where IP_address_1 to IP_address_n are the IP addresses of the NMS servers
19-3
19 SNMP
The following example shows how to configure multiple servers using the addlist option:
central:sudo# snmpServer addList 1.1.1.1 2.2.2.2 3.3.3.3 Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Verify the SNMP server entries by typing:

show snmpServer central:sudo# show snmpServer target ACCEPT ACCEPT ACCEPT prot all all all source 1.1.1.1 2.2.2.2 3.3.3.3 destination anywhere anywhere anywhere
Exit the sudo privilege and change to the admin privilege to configure SNMPv1/v2c settings by typing:
exit
Add the SNMP community by typing:

snmpAgent add community community access IP_address
where community is the community string used in GET/SET requests access is set to read/write access IP_address is the IP address of the NMS server that sends GET/SET requests
Add the SNMP host for the destination of the SNMP traps by typing:
snmpAgent add host version IP_address port community
where version is v1 or v2c IP_address is the IP address of the NMS server that receives the traps port is the port to which the trap is sent community is the community string used to receive the traps
7 8
Update SNMP location information, as described in Procedure 19-8. Update the SNMP agent contact, as described in Procedure 19-9.
19-4
19 SNMP
19.3
Configuring SNMPv3
SNMPv3 provides encryption and a USM for authentication and privacy services. The SNMPv3 with USM protects the system against:
modification of information masquerading the identity of an authorized entity message stream modification disclosure of information
Perform Procedure 19-2 to specify the NMS servers and configure SNMPv3 settings.
Procedure 19-2 To configure SNMPv3 settings

This procedure requires the following roles:

1 2
sudoto specify the NMS server entries adminto configure the SNMPv3 settings
Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Provision the NMS server by performing one of the following: a Add an NMS server by typing:
snmpServer add IP_address
where IP_address is the IP address of the NMS server
Add multiple NMS servers by typing:

snmpServer addlist IP_address_1 IP_address_2 IP_address_n
where IP_address_1 to IP_address_n are the IP addresses of the NMS servers
Replace IP_address with the IP address an NMS server. The following example shows how to configure a single server using the add option:
central:sudo# snmpServer add 1.1.1.1 Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
The following example shows how to configure multiple servers using the addlist option:
central:sudo# snmpServer addList 1.1.1.1 2.2.2.2 3.3.3.3 Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Verify the SNMP server entries by typing:

show snmpServer
19-5
19 SNMP
The following example shows the SNMP servers:

target ACCEPT ACCEPT ACCEPT prot all all all source 1.1.1.1 2.2.2.2 3.3.3.3 destination anywhere anywhere anywhere
Exit the sudo privilege and change to the admin privilege to configure the SNMPv3 settings by typing:
exit
Verify that there are views. If there are views go to step 8. If there are no views, go to step 7 to create views. The following example shows that SNMP views:
central# show snmpAgent views
View-name noAuthView authMD5View authSHAView privView 7
OID-tree .1.3.6 .1.3.6 .1.3.6 .1.3.6
Inclusion INCLUDED INCLUDED INCLUDED INCLUDED
Create SNMP views by typing:

central# snmpAgent add view viewName oid excluded|included
where viewName is the name of an existing view oid is the OID tree excluded indicates exclude the object IDs from this view included indicates include the object IDs in this view.
Add an SNMP group by typing:

snmpAgent add group groupName Access readView writeView notifyView
where groupName is the name of a group AccessnoAuth is one of the following values: auth or priv readView is the name of an existing read view writeView is the name of an existing write view notifyView is the name of an existing notify view
Verify the group entries by typing:

show snmpAgent groups
The following example shows the SNMP agent groups:
19-6
19 SNMP
Group-name Notify-view NoAuthGroup noAuthView authMD5Group authMD5View
Context
Access
Read-View noAuthView
Write-view
noAuth noAuthNoPriv noAuthView auth authNoPriv
authMD5View authMD5View authSHAView privView privView
authSHAGroup auth authNoPriv authSHAView authSHAView privGroup privView priv authPriv
10
Add a user account by typing:

snmpAgent add user userName groupName [authProtocol] [authpassword] [privpassword]
where userName is the name of a user account groupName is the group to which this user belongs authProtocol can be MD5 or SHA authpassword is the user password privpassword is the privacy password
Note The authProtocol and authPassword parameters are required only when the user requires authorization or privacy. The privPassword parameter is required for privacy support.
Enabling authentication and specifying a privacy password for a user are optional. 11 Add the SNMP host for the destination of SNMP traps by typing:
snmpAgent add host version IP_address port userName
where version is v3 IP_address is the IP address of the NMS server to receive the traps port is the port to which the trap is sent userName is the SNMPv3 username that is used to authenticate traps
12 13
Update SNMP location information, as described in Procedure 19-8. Update the SNMP agent contact, as described in Procedure 19-9.
19.4
SNMP user accounts

The following procedures describe how to create and manage SNMP user accounts.
19-7
19 SNMP
Procedure 19-3 To create an SNMP user account

Perform Procedure 19-2 to create an SNMP user account.
Procedure 19-4 To create a n SNMP group

Perform Procedure 19-2 to create an SNMP group.
Procedure 19-5 To delete an SNMP user account

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Delete an SNMP user account by typing:
snmpAgent delete user user
where user is the username of an account
A confirmation prompt appears. 3 Delete the account by typing:

Y
Procedure 19-6 To delete an SNMP group

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Delete an SNMP group by typing:
snmpAgent delete group name
where name is the name of an SNMP group
Confirm the deletion by typing:

Y
Procedure 19-7 To display SNMP user accounts

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Display the SNMP user accounts by typing:
show snmpAgent users 19-8 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
19 SNMP
Table 19-3 describes the information that appears for SNMP user accounts.
Table 19-3 show snmpAgent users command
Column User-name Group-name Access Auth-Protocol Description The name of the SNMP user account The group name that contains the SNMP user account The access level for the SNMP user account, such as authNoPriv or no AuthNoPriv The authorization protocol for the account, such as MD5
19.5
Managing SNMP components

Table 19-4 lists where to find information about how to manage SNMP components.
Table 19-4 Managing SNMP components procedures
To To update SNMP location information To update the SNMP agent contact See Procedure 19-8 19-9
Procedure 19-8 To update SNMP location information

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Update SNMP location information by typing:
snmpAgent update location location
where location is the location of the SNMP server
Procedure 19-9 To update the SNMP agent contact

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Update the SNMP agent contact by typing:
central# snmpAgent update contact contact
where contact is the name of the contact at the SNMP location
19-9
19 SNMP
19.6
Deleting SNMP components

Table 19-5 lists where to find information about how to delete SNMP components.
Table 19-5 Deleting SNMP components procedures
Task To delete an SNMP user account To delete an SNMP group To delete IP addresses from an SNMP server To delete an SNMP community To delete an SNMP host To delete an SNMP view See Procedure 19-5 19-6 19-10 19-11 19-12 19-13
Procedure 19-10 To delete IP addresses from an SNMP server

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Perform one of the following: a b 3 To delete an IP address from an NMS server, go to step 3. To delete multiple IP addresses from one or more NMS servers, go to step 4.
Delete an IP address from an NMS server requests by typing:

snmpServer delete IP_address
Delete multiple IP addresses from one or more NMS servers by typing:

snmpServer deleteList
You are prompted to enter the IP addresses.
Procedure 19-11 To delete an SNMP community

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Delete the SNMP community by typing:
snmpAgent delete community community access IP_address
where community is the community string used in GET/SET requests access is set to read/write access IP_address is the IP address of the NMS server that sends GET/SET requests
19-10
19 SNMP
Procedure 19-12 To delete an SNMP host

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Delete the SNMP host by typing:
snmpAgent delete host IP_address port
where IP_address is the IP address of the NMS server that receives the traps port is the port number of the NMS server on which the traps are sent
Procedure 19-13 To delete an SNMP view

1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Delete the SNMP host by typing:
snmpAgent delete view viewName
where viewName is the name of an existing view
19.7
Configuring SNMP for anomaly, trend, and congestion alerts

All of the system events are set as SNMP traps. However, by default, SNMP traps are not generated for the anomaly events, and congestion and trend alerts. Perform Procedure 19-14 to configure the 9900 WNG Central to send anomaly, trend, and congestion alerts as SNMP traps.
Procedure 19-14 To configure SNMP for anomaly, trend, and congestion alerts
1 2 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Configure the types of anomalies that are reported as SNMP traps and the intensity level which the traps are generated by typing:
snmp trap anomaly anomaly intensity
where anomaly is the anomaly event for which an SNMP trap is generated. The values are: alwaysActive, batteryAttackDistributed, batteryAttackSingleSrc, floodMobileDistributed, floodMobileSingleSrc, highSignalingSubscriber, highUsage, p2pMobile, portScanHoriz, portScanVert, rncOverload, routerDiscoveryAbuse, sigAttackSingleSrc, or unwantedSrc. intensity is the event intensity value, which can be 1 to 5 and off. If an anomaly event with equal or greater intensity is generated, a corresponding trap is generated for the anomaly.
19-11
19 SNMP
Add the intensity level for congestion alerts, above which an SNMP trap is generated, by typing:
snmp trap congestionAlerts intensity
where intensity is the event intensity value, which can be 1 to 5 and off. If a congestion alert with equal or greater than intensity is generated, a corresponding trap is generated.
Specify the intensity level for trend alerts above which an SNMP trap is generated by typing:
snmp trap trendAlerts intensity
where intensity is the event intensity, which can be 1 to 5 and off. If a trend alert with equal or greater than intensity is generated, a corresponding trap is generated.
19.8
SNMP commands
The 9900 WNG Central supports the following SNMP commands:
GET SET TRAP

The 9900 WNG Central handles all SNMP interactions. The 9900 WNG Central can integrate directly with a northbound network interface (NMS) by a bidirectional monitoring, control, and management interface. The 9900 WNG Central component generates all necessary traps to integrate with northbound network interface management functions.
SNMP SET
The SNMP SET request is used to change the state of the network to down or up.
SNMP GET
The SNMP GET request can be sent to the 9900 WNG Central from any northbound interface to access network interface details; for example, current state, packet counts, for of the 9900 WNG Central and Detectors.
SNMP TRAP
Table 19-6 describes the SNMP traps that are generated by the 9900 WNG Central and sent to the northbound interface.
19-12
19 SNMP Table 19-6 SNMP trap events

SNMP trap event AnomalyEvents Description If configured, an anomaly trap is generated for any of the following anomalies:

congestionAlerts CPU Usage Threshold
AlwaysActive BatteryAttackDistributed BatteryAttackSingleSrc FloodMobileDistributed FloodMobileSingleSrc HighSignalingSubscriber HighUsage P2pMobile PortScanHoriz PortScanVert rncOverload routerDiscoveryAbuse SigAttackSingleSrc unwantedSrc
A congestion alert trap is generated when the congestion level meets or exceeds the specified level. See Procedure 19-14. The critical trap is generated when the CPU usage on the 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the threshold value is greater than or equal to 90%. The trap is cleared when the usage value is less than or equal to 80%. The critical trap is generated when the disk usage on the 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the threshold value is greater than or equal to 90%. The trap is cleared with the threshold value is less than or equal to 80%. The partitions that are monitored are:
Disk Usage Threshold
For the 9900 WNG Central: root /aware /awaredb /tmp /var /dev/shm For 9900 WNG Detectors: root /tmp /var /aware
hwFailure licenseViolation (9900 WNG Central only)
The critical trap is generated at the 9900 WNG Central when there is a failure in the external disk array. The sub-object instance value for the trap is EXTARRAY. The critical trap is generated when one of the following occurs:

(1 of 3)
when the maximum session exceeds a threshold value. A trap with warning severity is generated when usage is greater than or equal to 85% and a trap with critical severity is generated when usage is equal to 100%. A warning trap is generated if the threshold is less than or equal to 95%. A clearing trap is sent when usage is less than or equal to 80%. if the license is not valid or the hostid is incorrect when the license expired. A warning alarm is sent 5 days before the license expires
19-13
19 SNMP
SNMP trap event lineRateExceeded
Description The critical trap is generated when one of the following occurs:
the traffic feed input rate is greater than or equal to 950 Mbits/s for 1G card or 3900 Mbits/s for the 10G card. The event indicates a high probability that of packets are being dropped. the transmitting rate by the 9900 WNG Detector is greater than or equal to 30 Mbits/s or the receiving rate of the 9900 WNG Central is greater than or equal to 40 Mbits/s the traffic feed input rate is less than or equal to 900 Mbits/s for 1G card or 3750 Mbits/s for the 10G card the transmitting rate for the 9900 WNG and the receiving rate for the 9900 WNG Central is less than or equal to 15 Mbits/s PortA PortB PortC PortD BACKHAULRCV BACKHAULXMIT
The trap is cleared when:

Link down
The sub-object instances for the trap are:
The critical trap is generated from the 9900 WNG when a link between two components is down. The sub-object instance for the specific event can be anomaly channel, awareness channel, snmp channel, system event channel, sysmonToSECChannel, or centralToSECChannel. The critical trap is generated when the memory usage on 9900 WNG Central or any of the 9900 WNG Detectors exceeds the threshold value. A trap is generated when the memory usage is:
Memory Usage Threshold

noPacketsReceived
greater than or equal to 97% for the 9900 WNG Central greater than or equal to 98% for the 9900 WNG Detectors less than or equal to 92% for the 9900 WNG Central less than or equal to 93% for the 9900 WNG Detectors
The trap is cleared when the usage is:
The major trap is generated from the 9900 WNG when packets are not displayed on the capture interface for more than 60 s. The trap is cleared when the capture interface receives the packets. A major trap is generated from the 9900 WNG when the queue threshold is full at the 9900 WNG Central or the usage is greater than or equal to 75% at the 9900 WNG Detector. The trap is cleared when the queue is not full at the 9900 WNG Central or the usage is less than or equal to 60% at the 9900 WNG Detector. The informational trap is generated from the 9900 WNG when the packet drop threshold is exceeded. By default, a trap is generated when 1000 packets are lost in a 5 min interval.
queueThresholdExceeded
packetDropThresholdExceeded
(2 of 3)
19-14
19 SNMP
SNMP trap event Process Down
Description The critical trap is generated when any of the monitored processes on the 9900 WNG Central or Detector fail or a heartbeat is not detected at the 9900 WNG Central. A corresponding clearing trap is generated when the process returns to operation. The following processes are monitored:
For the 9900 WNG Central: Centrald Compression mysql NTP Daemon Snmp System monitor Tomcat For 9900 WNG Detectors: Awared NTP Daemon System event reporter System monitor
SNMP Access Attempt Failed (9900 WNG Central only) swapThresholdExceeded
The authorization failure trap is generated whenever there is an invalid attempt to access SNMP information from any northbound interface. The critical trap is generated when the swap usage for the 9900 WNG Central or any of the 9900 WNG Detectors is greater than or equal to 50%. The trap is cleared when the usage is less than or equal to 10%. A trend alert trap is generated when the trend level meets or exceeds the specified level.
trendAlerts (3 of 3)
19.9
SNMP MIBs
SNMP-compliant devices, on the network components or agents, store data about the component in MIBS and return this data to the SNMP requestors. Procedure 19-15 describes how to access the SNMP MIBs.
Procedure 19-15 To access the SNMP MIBs

1 2 3 Access the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Get SNMP MIBs hyperlink. A download window appears. Click on the Save button and navigate to the location to save the zipped file of the SNMP MIBs.
19-15
19 SNMP
4 5
Click on the Save button. Navigate to the location of the zipped file of the SNMP MIBs, as chosen in step 3, and unzip the file. The following MIBs appear:
ALU9900-ALARM-MIB.my ALU9900-CENTRAL-MIB.my ALU9900-DETECTOR-MIB.my ALU9900-ROOT-REG.my ALU9900-TC.my
19-16
20 Motive API
20.1 Motive API
20-2 20-3 20-3 20-4
20.2 Motive API security
20.3 Motive API user accounts 20.4 Motive API CLI commands
20-1
20 Motive API
20.1
Motive API
Motive is an Alcatel-Lucent product that provides a unified care environment for end-to-end visibility of the network with automated problem analysis and resolution. For more information about Motive, see: http://www.motive.com/solutions/msm/msm.asp The 9900 WNG provides an interface to Motive. The data from the 9900 WNG is used for advanced customer care support. The Motive product queries the 9900 WNG database to get information to resolve customer issues. By using the 9900 WNG and Motive, a service provider can offer advanced customer care for their customers, such as whether:
the customer is receiving satisfactory data throughput on their mobile device any configuration in the mobile device may be adversely affecting the customer
experience, such as DNS configurations any data limitation issue may be adversely affecting the customer; for example, the customer exceeded the bandwidth usage this month any unsolicited traffic may be interfering with the resources of the customer mobile device and any resulting in battery drain; for example, network attacks or port scans multiple mobile devices that the customer used have any device configuration issues any applications on the mobile device may adversely affect usability, such as:
peer-to-peer applications; for example, file sharing applications viruses that are consuming excessive bandwidth daemons; for example, e-mail client servers that periodically check for e-mails and
result in excessive signaling and airtime
the 9900 WNG identified the anomalies; for example, victims or originators of
excessive data usage any network congestion caused a delay or disruption, and identify the congested NE; for example, as an overloaded cell The 9900 WNG provides a set of APIs to Motive. The APIs that use WSDL web service. The web services use HTTPS to ensure that the data exchange is secure, authenticated, and encrypted. The following additional layers of security are provided by the 9900 WNG:
The Motive host (or the subnet) that sends the requests to 9900 WNG must be
authenticated. Every API that sends messages must provide a username and password. See section 20.2 for more information about security.
20-2
20 Motive API
20.2
Motive API security

the following security is provided for messages that are sent between the 9900 WNG and Motive API:
The IP address of the Motive server, which starts the API, or the subnet must be
configured.
Every Motive transaction contains a username and password. All of the data is encrypted.
CLI commands are used to configure the security functions for the Motive API. See Table 14-8 for information about the Motive API CLI commands.
20.3
Motive API user accounts

The following procedures describe how to create, delete, and display Motive API user accounts.
Procedure 20-1 To create a Motive API user account

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Add the account and assign the password by typing:
api add user id password
where id is the username for the account password is the password for the account, which contains 6 to 41 characters. Table 36-3 lists the special characters.
Procedure 20-2 To delete a Motive API user account

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Delete a user account by typing:
api delete user id
where id is the username of the account
A confirmation prompt appears. 3 Confirm the deletion by typing:

Y
20-3
20 Motive API
Procedure 20-3 To display Motive API user accounts

1 2 Log in to the CLI with the sudo or admin privilege, as described in Procedure 14-1 or 14-2. Display the Motive API user accounts by typing:
show api users
A list of Motive API user accounts appears.
20.4
Motive API CLI commands

Table 20-1 lists where to find information about CLI commands that are used the Motive API.
Table 20-1 Motive API CLI commands
To To add Motive API subnets To delete Motive API subnets To display Motive API statistics See Procedure 20-4 20-5 20-6
Adding Motive API subnets

Perform 20-4 to add one or more Motive API subnets.
Procedure 20-4 To add Motive API subnets

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Add a Motive API subnet by typing:
api add subnet subnet
where subnet is the IP address of the Motive API subnet
You are prompted to add subnets. The following is an example of the information that is displayed.
Add api subnet: 1.1.1.1/24 Add api subnet: 2.2.2.2/24 Add api subnet: successfully added api subnet(s)
20-4
20 Motive API
Go to step 3. 3 Verify the Motive subnets by typing:

show api subnets

2 ListedSubnets 1.1.1.1/24 2.2.2.2/24
Deleting Motive API subnets

Perform 20-5 to delete one or more Motive API subnets.
Procedure 20-5 To delete Motive API subnets

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Perform one of the following: a b 3 Go to step 3 to delete one Motive API subnet. Go to step 4 to delete multiple Motive API subnets.
Delete a Motive API subnet by typing:

api delete subnet subnet
where subnet is the IP address of a Motive API subnet
Delete all of the Motive API subnets by typing:

api deleteList subnet
A confirmation request appears. 5 Delete the subnets by typing:

Y
Displaying statistics and log files

Perform Procedure 20-6 to display Motive API statistics.
20-5
20 Motive API
Procedure 20-6 To display Motive API statistics

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Display Motive API statistics by typing:
show api stats
Statistics collected for the Motive API, which are the total number of transactions and average, minimum, and maximum durations for the following:
applicationInfo dataUsage networkCongestion subscriberInfo subscriberIssues deviceInfo
Procedure 20-7 To display Motive API log file

1 2 Log in to the CLI with the sudo or admin privilege, as described in Procedure 14-1 or 14-2. Display Motive API log file by typing:
show log motive
The log file contains the statistics that are collected for the Motive API, which are the total number of transactions and average, minimum, and maximum durations for the following:
applicationInfo dataUsage networkCongestion subscriberInfo subscriberIssues deviceInfo
20-6
GUI components
21 Dashboard view
21-1 22-1
22 Real-time Events views 23 Forensic View 24 Topology view 23-1 24-1
25 Network Forensics view 26 System View 26-1 27-1
25-1
27 Mobile Flow view 28 CLI view 28-1
29 Subscriber view
29-1
21 Dashboard view
21.1 9900 WNG Central Dashboard View overview 21.2 Dashboard View components 21-2
21-2
21.3 Plotting elements in the Dashboard View 21.4 Dashboard View components and controls
21-5 21-8 21-9
21.5 Configuring optional properties for dashboard elements 21.6 Modifying chart display properties 21-12 21-13
21.7 Moving a dashboard chart to a new dashboard
21-1
21 Dashboard view
21.1
9900 WNG Central Dashboard View overview

The 9900 WNG Central Dashboard View supports dragging and dropping of dashboard icons onto the dashboard. The dashboard elements provide a snapshot of all active subscribers and display potential problems in the network such as excessive traffic on a specific HA or the health of the 9900 WNG Detector. The following dashboard icons that represent NEs may appear on the dashboard depending on the network technology (CDMA or UMTS):
HA PDSN CDMA RNC Detector GGSN
SGSN UMTS RNC Incidents Unidirectional
Dashboard features
The 9900 WNG Central dashboard provides the following features:
You can dynamically change the number of columns (1 to 10) that appears for
each NE dashboard view.
The following dashboard preferences are automatically saved when you exit the
GUI:
dashboard NEs and placement on each of the dashboards for incident and unidirectional NEs, individual threshold settings for each item and
which items are displayed in the NE
for plot NEs, chart properties including Parameter Selection, Network Elements
Selection, and Plots Color Selection
for plot NEs, Chart Duration and Chart Interval At Startup settings The GUI auto-discovers newly configured NEs and automatically updates the
dashboard to show all configured Network Elements.
21.2
Dashboard View components

The first time that you open the GUI client, the Dashboard View appears and there are no elements in the dashboard view as shown in 16-1 in chapter 16. Figure 21-1 shows the components of the Dashboard View.
21-2
21 Dashboard view Figure 21-1 9900 WNG window components Dashboard View
Palette button Multi-dashboard control Element chart Intensity tables Element title bar Element display controls
Column display control
Dashboard
Element chart controls Dashboard
Scroll bar Minimized element Icon palette
Dashboard columns
Element icons
21177
Table 21-1 describes the 9900 WNG Dashboard View components.

Table 21-1 9900 WNG Dashboard View components
Component Description
Dashboard components and controls Dashboard Icon palette Element icons Displays up to 12 element charts at a time Contains an icon for each type of element that you can display in the dashboard. See Dashboard elements for more information. Represent the types of charts that you can plot in the dashboard. Drag and drop an icon to display the element chart in the dashboard. Changes the number of columns in which the elements are displayed. You can view up to ten columns. Toggles the display of the icon palette Returns the view of a new dashboard to the primary dashboard. See section 21.7 for information about how to move a plot to a new dashboard.
Column display control Dashboard columns Palette button Multi-dashboard control
Dashboard element components and controls Element chart Displays a graphical representation of the data that you can plot for each type of element. The x axis of a chart is always time. The y axis is configurable, as described in Procedure 21-2. Displays the intensity level of anomalous events and unidirectional flows
Intensity table (1 of 2)
21-3
21 Dashboard view
Component Element title bar and display controls Element chart controls
Description Title identifies the type of element that is displayed in the dashboard. The displays controls are described in section 21.4. Controls the display of the element chart. You use the context-sensitive drop down menus to plot the contents of the chart. See section 21.3 for information about how to use the controls and options. Changes the time resolution of the element chart Displays the chart in a minimized format to enhance the usability of the dashboard workspace. You can collapse the view of the element chart using the element display controls, as described in Table 21-6
Scroll bar Minimized element
(2 of 2)
Dashboard elements
The dashboard icon palette contains element icons that you drag and drop onto the dashboard view as shown in Figure 21-1. The element icons that appear in the palette depend on the data in the database. For example, UMTS icons do not appear unless one or more of the 9900 WNG Detectors has detected UMTS traffic. If traffic for a particular technology later appears while the GUI is operational, the corresponding icon automatically appear in the icon palette. Table 21-2 lists the dashboard elements that are available and selectable from the icon palette.
Table 21-2 Dashboard elements that are available and selectable from the icon palette
Dashboard element Element charts HA PDSN CDMA RNC GGSN SGSN UMTS RNC Detector Element tables Incidents Displays a view of the intensity and the count of events in the system. Each row represents a type of event. When you place your cursor on an event, a tooltip is displayed with additional information about the event. You can double-click on any row to open a dashboard plot for the specified event. Highlights anomalous changes to unidirectional packet counts observed in the network. Excessive unidirectional traffic may indicate that an outage has occurred. NE types that you can analyze in individual charts. You can select and compare multiple color-coded NEs based on parameters that you choose. See sections 21-3 and 21-5 for information about how to configure element charts. Description
Unidirectional
21-4
21 Dashboard view
21.3
Plotting elements in the Dashboard View

The following subsections describe how to:
plot elements in the dashboard configure the mandatory parameters to display the element chart Maximum number of element plots
You can plot up to 12 elements in the dashboard at a time. This limit applies across all dashboards. For example, if you have 12 dashboards created with one NE in each, you will not be able to drag any additional NEs. Similarly, if you have 12 dashboards created and one dashboard has 12 NEs on it, you will not be able to drag additional NEs on any of the dashboards, including those with no NEs on them. When you reach the maximum number, the icon palette no longer appears and the palette button is dimmed. You can plot only one Incidents table at a time. If you attempt to plot an additional table, the old one is removed and replaced by a new one.
Plotting procedures
Perform Procedure 21-1 to plot an element in the dashboard. After you plot the element, you must configure the parameters that you need to display in the element chart, as described in Procedure 21-2.
Procedure 21-1 To plot an element in the dashboard

1 Drag and drop an element icon to the dashboard from the icon palette. The element appears in the dashboard with the element chart controls displayed, as shown in Figure 21-1. Repeat step 1 as required. You can add multiple plots of the same or of a different type from the icon palette.
Procedure 21-2 To configure mandatory parameters for element charts

1 2 Drag a network icon to the dashboard as described in Procedure 21-1. In the Element Chart control view configure a value in the Plot drop-down menu. The drop-down menus are contextual and depend on the type of element and the value that you choose in the Plot menu. After you choose a value in the Plot, additional menus, if applicable, become active. The plot options are described in Tables 21-3 to 21-5.
21-5
21 Dashboard view Table 21-3 Plot options

Plot value Active Mobiles Handoffs Description Plot all active mobiles Plot all handoffs that occur in a specified direction Options Direction (SGSN, PDSN, UMTS RNC, CDMA RNC):
In Out All Value options: M2I I2M M2M Up M2M Down All M2I I2M M2M Up M2M Down All M2I I2M M2M Up M2M Down All M2I I2M M2M Up M2M Down All Down RTT Max Down RTT Min Down RTT Mean Saturated Throughput Throughput Path Loss
All traffic
Plot all traffic that occurs in a specified direction using a specified unit of measure
Direction options:
Bytes Packets Flows
Uni Directional
Plot all unidirectional traffic that occurs in a specified direction using a specified unit of measure
Direction options:
Value options:
Bytes Packets Flows
TCP Reset
Plot all TCP resets that occur in a specified direction
Direction options:
ICMP Unreachable
Plot all ICMP unreachable events that occur in a specified direction
Direction options:
Performance
Plot performance event of a specified type
KPI options:
Table 21-4 RNC-specific plot options

Plot Connection Events Description Plot all connection events of a specified type Options Event type options
Subscriber Orig Conn Network Orig Conn All
(1 of 2)
21-6
21 Dashboard view
Plot Handoffs All traffic Uni Directional TCP Reset ICMP Unreachable Performance (2 of 2)
Description See Table 21-3.
Options
21-7
21 Dashboard view Table 21-5 Detector-specific plot options

Plot Events Description Plot a specified network anomaly event Options Event type options:
M2I PKTS, Flows, and Bytes I2M PKTS, Flows, and Bytes M2M PKTS, Flows, and Bytes Up M2M PKTS, Flows, and Bytes Down Active Mobiles Uni M2I PKTS, Flows, and Bytes Uni I2M PKTS, Flows, and Bytes Uni M2M PKTS, Flows, and Bytes Up Uni M2M PKTS, Flows, and Bytes Down TCP-Resets I2M PKTS, M2I PKTS, M2M UP PKTS, and M2M Down PKTS ICMP Unreachable I2M PKTS, M2I PKTS, ICMP M2M Up PKTS, Down PKTS
SigAttacks Single Source RNC Overload Battery Attack Single Source Port Scan Vertical Port Scan Horizontal Always Active Sub High Usage Peer-toPeer Mobile Unwanted Src Connection Record Mobile Flow High Signaling Subscribers Battery Attack Distributed Flood Mobile Single Source Flood Mobile Distributed Router Discovery
Handoffs All traffic Uni Directional TCP Reset ICMP Unreachable Performance
See Table 21-3.
Click on the Go button to plot the data. The system generates the chart based on the specified parameters.
21.4
Dashboard View components and controls

This section describes how information is displayed in the Dashboard View, and how you can change the way that charts and tables are presented. The Dashboard elements are automatically refresh every 60 s.
21-8
21 Dashboard view
Element display controls

Table 21-6 describes the element display controls that appear on the right side of the Element title bar, as shown in Figure 21-1.
Table 21-6 Element display controls
Symbol Double caret Wrench icon X Description Expands or minimizes the dashboard element Configures the properties for the element chart or intensity table Removes the dashboard element from the dashboard
Axes controls
The x axis of a chart is always time. The y axis is configurable, as described in Procedure 21-2. You can change the x-axis time scale for a chart from 1 hour to 24 hours (the default is 24 hours). The plots show the data for a 24-hour interval. You can view a shorter interval two ways:
View a smaller region of the plotplace the mouse on the plot, hold down the
left mouse button, and move the mouse down and to the left. To return to the 24-hour view, place the mouse on the plot, hold down the left mouse button, and move the mouse up and to the left. Move the slide bar below the plot to the right
Note The values for the last 1 hour are plotted every minute; values that older than 1 hour are plotted only every 6 minutes to improve the GUI performance.
21.5
Configuring optional properties for dashboard elements

After you plot a chart in the dashboard, you can modify the content of the chart by specifying chart properties or setting the intensity preferences for each type of dashboard element:
Incidents and Unidirectional elementsyou can set intensity preferences.

Perform Procedure 21-3 to configure the intensity preferences for the Incidents or Unidirectional elements. GGSN, HA, PDSN, CDMA RNC, UMTS RNC, SGSN, and Detector NEsyou can specify chart properties including the parameters you need to plot, the NEs you need to compare, and the color to identify each NE. Perform Procedure 21-4 to configure the properties for charts.
21-9
21 Dashboard view
Procedure 21-3 To configure optional preferences for intensity tables

1 Left-click on the middle icon (wrench) on the right side of the title bar. The Intensity Preferences window appears. Figure 21-1 shows the Intensity Preferences window.
Figure 21-2 Intensity Preferences window
2 3
In the Intensity Preferences window, select the anomaly events that you need to plot or click the Select All button to plot all events in the system. Set the intensity for each event type that you choose by doing the following: i ii Highlight an item in the anomaly events list. Set the intensity thresholds by dragging the top pointer (which represents the critical threshold) and the bottom pointer (which represents the warning threshold). The values are expressed in a range of 0 to 100. The value you choose also appears in numeric format in the field that indicates the color code associated with each threshold. Repeat steps i and ii for each event type that you need to plot.
iii 4
Click on the OK button to enable the settings.
21-10
21 Dashboard view
Procedure 21-4 To configure optional properties for element charts

Note You can specify chart properties to display one property for multiple HAs or one HA with multiple parameters.
Left-click on the middle icon (wrench) on the right side of the title bar. The Specify Chart Properties window appears with the Parameter Selection tab displayed. Figure 21-1 shows the Specify Chart Properties window.
Figure 21-3 Specify Chart Properties window
Select the parameters that you need to plot. The parameters are organized by type:
Traffic Load Unidirectional Traffic Only Mobile Metrics Performance KPIs Networking Resets
Click on the Network Elements Selection tab to specify the NEs that you need to plot.
21-11
21 Dashboard view
Click on the Plots color Selection tab to specify the color for each NE that you need to plot. To change the color, perform the following sub-steps: i ii iii Left-click on the color box adjacent to an NE. The Select Color widget opens Choose a color from the Swatches, HSB, or RGB tabs. Click on the OK button.
Click on the OK button to enable the settings.
21.6
Modifying chart display properties

The Dashboard View has a Properties menu that you can access by right-clicking on a selected chart.
Right-click customization options

You can customize the display properties for an element chart by right-clicking on the chart in the dashboard.
Caution Right-click options are lost when the GUI is restarted. The only persistent items are the plots in the dashboard when you exit the GUI.
Table 21-7 describes the dashboard element properties.

Table 21-7 Dashboard element properties
Property Properties Save as Zoom in / Zoom out Auto Range Select entries to plot Specify Chart Duration Open the Specify Chart Properties window, as described in Procedure 21-4 Changes the duration of the plot Description See Procedure 21-5 Save the chart as a PNG image file to a directory Change the resolution of one or both axes in the chart
Configuring chart display properties

The Dashboard View provides full customization of the chart display properties. Perform Procedure 21-5 to configure the chart display properties
21-12
21 Dashboard view
Procedure 21-5 To configure chart display properties

1 2 Right-click on a chart in the dashboard, and choose Properties. The Chart Properties window appears with the Title tab displayed. In the Title tab, modify the title of the chart as follows:
Textenter a title for the chart Fontchoose a font type in which to display the title Colorchoose a color in which to display the title
Click on the Plot tab to modify the chart as follows:
Domain axis tabchoose a label, font, color, and tick (that is, the points in the chart) format Range axischoose a label, font, color, tick and range format Appearancechoose a format and color for the plot line, the background color for the chart, and the orientation (horizontal or vertical) for the plot line.
Click on the Other tab to modify the following:
Background paintchoose a background color for the chart Draw anti-aliasedselect this option to smooth the variations in the plot line. The system automatically adjusts the y axis. Other options in this window are dimmed and are not supported.
Choose OK. All changes take effect after the chart is refreshed.
21.7
Moving a dashboard chart to a new dashboard

Perform Procedure 21-6 to move a chart to a new dashboard.
Procedure 21-6 To move an chart to a new dashboard

1 2 Right-click on the title bar of the dashboard element. A pop-up window is displayed. Click Move to New Dashboard. The NE is moved to a new dashboard. The dashboard also appears in the navigation menu under the Dashboard View. The new dashboard can be renamed. Rename the new dashboard in the navigation tree if required. The default value for new dashboards is Dash#1, Dash#2, Dash#n.
21-13
21 Dashboard view
21-14
22.1 Real-time Events overview 22.2 Anomaly Events view 22-5
22-2
22.3 Performance Events view 22.4 Anomaly History view
22-10
22-12
22-1
22.1
Real-time Events overview

The 9900 WNG GUI supports monitoring and reporting of network events in real-time. You can display data about the following real-time events:
Anomaly events Performance events Anomaly History

Data in the real-time events views are generated automatically by the 9900 WNG system. The real-time events views are intended for monitoring and diagnostic purposes, and are also the starting point for further investigation into anomalous network events.
Common features and components in the Real-time Events View

Figure 22-1 shows the Anomaly History view as an example of a real-time events view. This view contains GUI components that are common to all real-time events views.
Figure 22-1 Real-time Events common GUI components
Table tabs Table column headings (event parameters)
Severity indicators
Table rows (event parameter values) Real-time events table
Table control buttons Event counter Event Details panel
Event Details fields

21176
Real-time Events common components

Table 22-1 describes the common components of the Real-time Events views.
22-2
22 Real-time Events views Table 22-1 Real-time Events common components

Component Real-time events table Severity indicators Table control buttons Description Displays data about the real-time events. Display the severity and the status of the system events Control the behavior of the events table. Filter, clear, or export the data in the events table. Some panels contain additional controls to open other 9900 WNG GUI views. Displays the number of events in the table Displays detailed information about the event that is selected in the events table. The panel is the main location from which you begin to investigate an anomaly or performance event in real-time. Some fields are context-sensitive; they can be used to navigate dynamically to other views for information about the event. See Table 22-2 Table 22-3
Event counter Event Details panel
Table 22-7 Table 22-9
Events Details fields
Columns in the Real-time Events View table
Table 22-2 describes the columns in the Real-time Events View and the types of views in which the columns appear.
Table 22-2 Real-time Events table columns
Column Sev Description Severity of the anomaly event. For more information, see Severity indicators for the Real-time Events View in this section. Type of network anomaly event Intensity of the attack. Each event has an intensity level. Reported values are 0 to 5, with 5 being the most intense. For a cleared event, the value reported is 0. Most recent occurrence of this type of attack Name of the 9900 WNG Detector on which the event was detected Address of attacker Number of incidents from this attacker Date and time that the event was detected. The NE affected by the performance event Anomaly Performance Anomaly History
Event Type Int
Latest Detector Attacker Cnt Creation Network Element (1 of 2)
22-3
Column Param/Network Element
Description The content is context specific. If the event is a CONGESTION_ALERT, the column displays the NE (such as an HA, RNC, or PDSN) where the congestion is detected. If the event is a TREND_ALERT, the column displays the trend name. Name of the 9900 WNG Detector on which the event was detected Depending on event type, the content of the column can display:
Anomaly
Performance
Anomaly History
Detector/NE Attacker/Param/NE

(2 of 2)
NE name (in case of congestion alerts) NAI (in case of port scans, high usage subscriber etc.,) IP Address (if the origin of the event is an Internet source) Multiple Sources (if the event is a distributed battery attack in which the packets originate from multiple sources)
Severity indicators for the Real-time Events View
Table 22-3 describes the severity indicators that are displayed on the 9900 WNG GUI in the real-time events views.
Table 22-3 Severity indicators for real-time events
Icon Severity and status Critical Description Critical Anomaly Event, such as RNC Overload
Major
Major Anomaly Event, such as:

Minor
Signaling Attack Single Src Unwanted Source PortScan Horizontal PortScan Vertical ICMP Router Discovery Abuse Battery Attack Single Src Battery Attack Distributed P2P Mobile Always Active Subscriber High Usage Subscriber Flood Mobile Distributed Flood Mobile Single Src High Signaling Subscriber
Minor Anomaly Event, such as:

Warning
Warning for an Event
(1 of 2)
22-4
Icon
Severity and status Informational
Description Informational System Event
Cleared
Event is cleared
Critical/Cleared
Critical Event that has been cleared
Major/Cleared
Major Event that has been cleared
Minor/Cleared
Minor Event that has been cleared
Warning/Cleared
Warning for an Event has been cleared
Informational/ Cleared (2 of 2)
Informational System Event that has been cleared
22.2
Anomaly Events view

The purpose of the Anomaly Events view is to allow you to view and analyze the details of specific network events. The following detailed information is displayed in this view.
real-time events in the network severity of the event 9900 WNG Detector ID associated with the event IP address of the attacker Mobile ID or Internet source date and time of the event was creation and update historic view of the events that were created and updated
Figure 22-2 shows the components in the Anomaly View.
22-5
22 Real-time Events views Figure 22-2 Real-time Events Anomaly Events components
Anomaly Event table
Table filters Event counter Events Details panel
Mobile Flow button
Active fields
21133
Anomaly Events view components

Table 22-4 describes the components of the Anomaly Events view.
Table 22-4 Anomaly Events view components
Component Anomaly Events table Description A system-generated table of all anomalies that are reported to the 9900 WNG Central from the 9900 WNG Detectors See Table 22-2 for a description of each column in the Anomaly Events table. See Table 22-5 for a list of anomaly events. Table 22-3 Procedure 22-1 Opening the Mobile Flow view Operations in the Anomaly Events Details panel
Severity indicators Table filters Launch Mobile Flow button Event counter Event Details panel Active fields
Indicates the severity of the event Filters the list of anomaly events by event type, Detector, or intensity Opens the Mobile Flow view for a detailed view about how the data traverses the network Displays the number of active events Displays details about the specified event Context-sensitive fields that are used to navigate dynamically to other views for information about the anomaly event.
22-6
Anomaly event types
Table 22-5 lists the Anomaly event types. See chapter 33 for a detailed description of each type of event.
Table 22-5 Anomaly event types
9900 WNG event name Wireless attack events SIGATTACK_SINGLE_SRC BATTERYATTACK_SINGLE_SRC BATTERY_ATTACK_DISTRIBUTED RNCOverload FLOOD_MOBILE_SINGLE_SRC FLOOD_MOBILE_DISTRIBUTED ICMP_ROUTER_DISCOVERY_ABUSE Port scans and unwanted source events PORTSCAN_HORIZ PORTSCAN_VERT UNWANTED_SRC Abusive subscriber events HIGH_USAGE_SUB HIGH_SIGNALING_SUB ALWAYS_ACTIVE_SUB P2P_MOBILE High usage subscriber High signaling subscriber Always active airtime subscriber Peer-to-peer mobile Horizontal port scan Vertical port scan Unwanted source of traffic Signaling attack from a single source Battery attack from a single source Battery attack from a group of sources RNC Overload Flood mobile from a single source Flood mobile from multiple sources ICMP router discovery abuse Event name
Event Details in the Anomaly Events view

When you click on a row in the Anomaly events table, additional information about the event is displayed in the Event Details panel, as described in Table 22-6.
Note The fields that appear in the Events Details panel depend on
the technology (CDMA or UMTS) and the Event Type. A subset of the fields is displayed in the Event Details panel.
Table 22-6 Fields in the Events Details panel
Fields Attacker Attacker IP Event Type (1 of 2) Intensity RNC Id Victim IP Active Time Active Ratio Up Bytes
22-7
Fields Start Time End Time Corr ID Severity DownLink Vol Victim ESN Attack Duration IMSI (2 of 2) Victim #Ports Scanned Port Scanned #Hosts Scanned Attacker ESN Victim MSID Flood Volume MSISDN Down Bytes #Orig Peers #Recv Peers UpLink Vol Attacker MSID Application IMEI
Filtering Anomaly Events

You can filter events in the Anomaly Events view by Event Type, Detector, and Intensity. The filter is performed on the last 500 outstanding records that Anomaly Events view typically shows and does not show every outstanding event that meets the filter criteria.
Note The default setting for records retrieved is 500. To change
the setting, see section 33.9.
Procedure 22-1 describes how to configure the Anomaly Events filter.
Procedure 22-1 To filter Anomaly Events

1 2 Locate the table control panel in the Anomaly Events table. Configure one or more of the following filter preference fields: a b Event type drop down menu. Select one or more event types from the menu by clicking on the appropriate check boxes. Detector drop-down menu. Choose one of the following:
the name of the 9900 WNG Detector that you need to monitor All detectors
Intensity.
The Contents of the Anomaly events table changes according to the filter preferences.
22-8
Working in the Anomaly Events view

This section describes the basic functions and advanced operations that you can perform in the Anomaly Events view.
Operations in the Anomaly Events Details panel
The main purpose of the Events Details panel is to allow you to view anomalies and to drill-down into the details of the problem. When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Anomaly table. Table 22-7 lists the operations that you can invoke from selected Events Details fields.
Table 22-7 Anomaly Events Details panel clickable fields
Event Details parameter value Left-click on field Forensic View Corr ID Attacker IP Attacker IMSI Attacker IMEI Attacker MS ISDN Attacker ESN Attacker NAI Attacker MSID Victim IP Victim NAI Victim ESN Victim MSID Right-click for contextual menu Copy to Clipboard History Filter Subscriber Report Whois <IP address> Device Details
Opening the Mobile Flow view
You can open the Mobile Flow view for a specified anomaly event by clicking on the Mobile Flow button. See chapter 27 for more information about how to use the features in the Mobile Flow view.
22-9
22.3
Performance Events view

The Performance Events view displays real-time data about the following:
Trend Alerts, which are applicable to specific network elements such as a PDSN
or RNC
Congestion Alerts, which are applicable to the link between two NEs
Performance events are closely coupled with the Network Forensic view that is described in chapter 25.
Performance Events view components

Figure 22-3 shows the components of the Performance Events View.
Figure 22-3 Performance Events view components
Severity indicator Performance Event table
Event counter Event Details panel
Table control buttons
21183
Table 22-8 describes the components of the Performance Events view.

Table 22-8 Performance Events components
Component Performance Event table Severity indicators (1 of 2) Description A system-generated table of all performance events that are reported to the 9900 WNG Central from the 9900 WNG Detectors Indicates the severity of the event See Table 22-2 for a description of each column in the Performance Events table. Table 22-3
22-10
Component Event counter Event details panel Table control buttons
Description Displays the number of outstanding performance events Displays detailed information about the performance event that is selected in the events table. Network Forensic button Table filters
See Operations in the Performance Events Details panel Opening the Network Forensic view Procedure 22-2
(2 of 2)
Configuring a Performance Events filter

You can filter events in the Performance Events view by Event Type and Intensity. Procedure 22-2 describes how to configure the Performance Event filter.
Procedure 22-2 To filter Performance Events

1 2 Locate the table control panel in the Performance Events table. Configure one or more of the following filter preference fields: a Select one of the following event types from the Event Type drop-down menu by clicking on the appropriate check boxes:
All Events Trend_Alert Congestion_Alert
Intensity
The contents of the Performance Events table automatically changes according to the filter criteria.
Working in the Performance Events view

This section describes the basic functions and advanced operations that you can perform in the Performance Events view.
Operations in the Performance Events Details panel
When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Performance Events table. Table 22-7 lists the operations that you can invoke from selected Performance Events Details fields.
22-11
22 Real-time Events views Table 22-9 Performance Events Details panel clickable fields
Event Details parameter value Right-click for contextual menu Left-click on field Network Forensic View Corr ID Network Element ID Forensic View Copy to Clipboard Network Forensic View
Opening the Network Forensic view
See chapter 25 for more information about how to use the features in the Network Forensic view.
Historic queries for performance events
You can run historic queries on performance events using the Anomaly History view. For information about how to run historic queries, see section 22.4.
Performance events on Network Graphs
Alert and congestion trends are also displayed in the Network Graph view. For more information, see Operations in the Network Graph view.
22.4
Anomaly History view

The Anomaly History view displays a list of past anomaly events and performance events. Anomaly History events are presented in a tabular format as shown in Figure 22-1.
Anomaly History menu components and functions

The History Filter tab is automatically displayed when you click on the Anomaly History navigation menu item for the first time. After the filter query has been processed, you must click the Filter button to display the History Filter window.
Filtering Anomaly History records

The History Filter tab allows you to search for historical data using a variety of parameters. Procedure 22-3 describes how to configure the filter parameters.
22-12
Procedure 22-3 To filter Anomaly History records

1 Click on the Anomaly History item in the navigation menu. The History Filter tab appears, as shown in Figure 22-4.
Figure 22-4 History Filter tab
Select one of the following radio buttons to specify a value for the time period: a Select the Specify Date radio button and enter values in the following fields:
Start Time End Time
You can enter a value for the date and time in the fields or you can left-click on the drop-down icon to display the calendar widget from which you can configure the date and time. b Select the Specify Recent radio button and enter values in the following fields:
Number drop-down menu Unit drop-down menu
22-13
Specify the search criteria by selecting the check boxes adjacent to the following items that appear in the Search by panel:
Event Type Owner Severity Detector Status Intensity
Source Type Correlation ID Attacker ID Attacker IP Victim ID Victim IP
Click on the View button. A tab opens in the Anomaly History view that lists the events that match the search criteria.
Anomaly History view components

Figure 22-1 shows the components of the Anomaly History view and Table 22-1 describes the components of the Anomaly History view.
Working in the Anomaly History view

The Anomaly History view is a historical repository for anomaly events. The view supports features that are the same as the Anomaly Events view. See Working in the Anomaly Events view in section 22.2 for more information.
22-14
23 Forensic View
23.1 Forensic View overview
23-2 23-2
23.2 Forensic View menu components 23.3 Forensic View reports 23-3
23.4 Working in the Forensic View
23-5
23-1
23 Forensic View
23.1
Forensic View overview

You can use the Forensic View page to isolate and display network anomaly or performance events for monitoring and investigative purposes.
Generating Forensic View reports

Forensic View reports are derived from existing reports and must be manually generated. Table 23-1 describes how to generate Forensic View reports, and where to find more information.
Table 23-1 Generating Forensic View reports
Generated from Anomaly View Performance Events Anomaly History View See Working in the Anomaly Events view in chapter 22 Working in the Performance Events view in chapter 22 Working in the Anomaly History view in chapter 22
When you generate an a forensic report, the Forensic View automatically appears with the Forensic View tab displayed. A corresponding sub-menu item appears under the Forensic View item in the navigation menu, as shown in Figure 23-1.
23.2
Forensic View menu components

You can click on the Forensic View menu item to display a window that contains two tabs:
Forensic View Historic View Forensic View tab

Figure 23-1 shows the forensic view tab that appears when you click on the Forensic View menu.
23-2
23 Forensic View Figure 23-1 Forensic View tab
The Forensic View and the Historic View each have a table that presents the data in the following columns:
Forensic Criteriathe ID associated with the anomaly that you are investigating.
You can click on a value in the column to open the corresponding report. Forensic Typethe type of anomaly that you are investigating Executed Atthe time at which you generated the report Removecheck boxes that you can use to remove reports from the view
Historic View tab

The Historic View tab contains a list of forensic queries that are sorted from the most recent to the oldest. A maximum of 25 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI. To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item in the Forensic View menu.
23.3
Forensic View reports

The Forensic View reports GUI provides detailed information about specified events in the network. Each Forensic View report can display up to 500 event records. If new events that meet the forensic filter criteria arrive and the number of records exceeds 500, the oldest events are removed. The oldest event that is displayed may not be the oldest event in the database. The start date is the oldest of the 500 displayed events. Figure 23-2 shows the components of a forensic view report.
23-3
23 Forensic View Figure 23-2 Forensic View reports
Forensic View submenu for forensic report
Forensic View reports table
Forensic Summary panel Event Details panel

21178
Forensic reports components

Table 23-2 describes the Forensic View reports components.
Table 23-2 Forensic View reports components
Component Forensic View submenu items Forensic View reports table Description Lists the forensic reports that you generate. You can delete a report by right-clicking on a forensic event in the sub-menu and choosing Delete. Displays the data about each event See
Columns in the Forensic View table in this section
Table column headers (sort function) Forensic Summary panel
You can use the headers to sort the rows in ascending or descending order. Displays the time of the first and last event, the number of event instances, and the number of unique event types. Includes the Mobile Flow button, with which you can open the Mobile Flow report for the selected event. Displays detailed information about the event that is selected in the events table. Supports the following functions:
Opening the Mobile Flow view
Event Details panel Table control buttons
Section 23.4 Common features and functions in chapter 16
Close Undock Export to PDF Export to CSV
23-4
23 Forensic View
Columns in the Forensic View table
Table 23-3 describes the columns that appear in the Forensic View table.
Table 23-3 Forensic View columns
Column Sev Event Type Int Description Severity of the anomaly event. For more information, see Severity indicators for the Real-time Events View in chapter 22. Type of network anomaly event Intensity of the attack. Each event has an intensity level. Reported values are 0 to 5, with 5 being the most intense. For a cleared event, the value reported is 0. Date and time that the event was detected Name of the 9900 WNG Detector on which the event was detected Depending on event type, the content of the column can display:
Creation Detector/NE Attacker/Param/NE

Cnt Status Corr ID
NE name (in case of congestion alerts) NAI (in case of port scans, high usage subscriber etc.,) IP Address (if the origin of the event is an Internet source) Multiple Sources (if the event is a distributed battery attack in which the packets originate from multiple sources)
Number of incidents from this attacker The current status of the event The ID associated with the anomalous event
23.4
Working in the Forensic View

This section describes the basic functions and advanced operations that you can perform in the forensic view.
Operations in the Forensic Events Details panel

The main purpose of the Events Details panel is to allow you to view anomalies and to drill-down into the details of the problem. When the Event Details panel is populated, some of the event fields become clickable, depending on the type of the event that you select from the Forensic report table. Table 23-4 lists the operations that you can invoke from selected Forensic report Events Details fields.
23-5
23 Forensic View Table 23-4 Clickable fields for Forensic reports

Event Details parameter value Event Details parameter value Corr ID Attacker IP Attacker IMSI Attacker IMEI Attacker MS ISDN Attacker ESN Attacker NAI Attacker MSID Victim IP Victim NAI Victim ESN Victim MSID Left-click on field Forensic View Right-click for contextual menu Copy to Clipboard History Filter Subscriber Report Whois <IP address> Device Details
Querying data in the Forensic Events Details panel

You can run a detailed forensic analysis on a specified parameter value by left-clicking on the corresponding field in the Forensic Events Details panel; see Table 23-4. Depending on the field that you choose, you can query the database for the following information:
All event transitions in the same incident (that is, events with same correlation
ID) Other events that were generated by the same Attacker IP address Other events that were generated by the same Attacker ID
mobile network access identifier (NAI) (user@realm) mobile electronic serial number (ESN) mobile subscriber identifier (MSID) Events that attacked the same victim IP address Events attacking the same victim ID mobile NAI (user@realm) mobile ESN mobile MSID Opening the Mobile Flow view
You can open the Mobile Flow by clicking on the Mobile Flow button in the Forensic Summary panel. See chapter 27 for more information about how to use the features in the Mobile Flow view.
23-6
24 Topology view
24.1 Topology view overview 24.2 Element Tables view 24.3 Network Graph view
24-2
24-2 24-6 24-8
24.4 Working in the Network Graphs view
24.5 Provisioning operations using the Network Element tables 24-11
24-1
24 Topology view
24.1
Topology view overview

The Topology view displays data about the NEs that are observed by the 9900 WNG Detector while monitoring the network traffic. The 9900 WNG can auto-discover some NEs; others need to be configured using the CLI. The following NEs are auto-discovered:
HA PDSN GGSN
SGSN Detectors Realms
The following NEs are configured using a CLI command:
CDMA RNC (rncpcfmap CLI command, see Configuring CDMA RNC-to-PCF

IP address mapping in section 12.2) UMTS RNC (rncSaiMap CLI command, see Configuring UMTS RNC-to-SAI mapping in section 12.2) The Topology view provides two views, Element Tables and Network Graph.
24.2
Element Tables view

During initialization, the 9900 WNG retains information about all NEs in the network and displays the information in the Topology Element Tables view. Information about NEs are updated in real-time. When the 9900 WNG Detector detects a new NE, the NE appears on the screen. NEs are identified by the name, provider, and region, as provisioned by the user. The Provider field for SGSN, GGSN, PDSN, and HA network elements in the network element tables are automatically populated based on a list of known IP addresses used by service providers. Unknown provider fields are populated within 6 hours. The provider field can be manually changed directly in the network element table to override any automatic settings. Not all service provider IP addresses are known; in such cases the Provider field for the SGSN, GGSN, PDSN, and HA network elements are not populated. The network element provider field is used when generating the Roaming report. The Topology Element Tables view contains a tab for each type of NE, as shown in 24-1. NEs are removed from the view if no traffic is received for more than one day.
24-2
24 Topology view Figure 24-1 Element Tables view components
Table 24-1 describes the NEs that appear on the Element Table tabs.
Table 24-1 Element Table Home Agents tab
Label Home Agent Name Description Logical name of each Home Agent. You can set the Home Agent Name by double-clicking in the cell of the table and entering in the Name. Once set, this setting appears in the Topology screen for subsequent accesses across all users. Setting this field is optional. IP address of the HA This setting is derived from a whois query on the IP address. This field is automatically populated one day after initial installation. If the 9900 WNG Central does not have network connectivity to do the whois query, this field is not set. To override the result from the whois query, you can change the provider name manually in two ways, if required:
Home Agent IP Address Provider

Region
use the show topology command from the CLI double-click in the Provider cell to edit the text.
You can change the region name by double-clicking in a Region cell and typing a new name for the region. See Figure 24-1, which shows the region cell in row 4 as a text field. This check box specifies whether an NE is included or excluded in a report or a calculation that results in a report. To exclude a specific NE, deselect the check box. By default, NEs are included in reports.
Reporting Enabled
Table 24-2 Element Table PDSN tab

Label PDSN Name Description The logical name that can be given to each PDSN. You can set the PDSN Name by double clicking in the table cell and entering a name. After you configure the name field, the name appears in the Topology screens that are accessed by all users. This field is optional. (1 of 2)
24-3
24 Topology view
Label PDSN IP Address Provider Region Reporting Enabled (2 of 2)
Description IP address of the PDSN See Table 24-1 for information about the Provider. See Table 24-1 for information about the Region. See Table 24-1 for information about the Reporting Enabled check box.
Table 24-3 Element Table Detector tab

Label Detector ID Description The name associated with each detector that has communications with Central. This name is assigned to the detector during initial provisioning of the detector using the detector add CLI command. The IP address of the Detector management interface is used to communicate with the 9900 WNG Central. This field can not be changed. See Table 24-1 for information about the Reporting Enabled check box.
IP Address Detector Region Reporting Enabled
Table 24-4 Element Table Realm Mapping tab

Label Realm ID Realm Value Description An internally assigned number for this realm. The realm part of a subscriber NAI. The realms of roamers may also appear in this list.
Table 24-5 Element Table GGSN tab

Label Name Description A logical name that can be given to each GGSN. This label can be set in the GUI by double clicking in the cell of the table and entering in the name. After the name is configured, the name appears in the Topology screens for subsequent accesses across all users. Setting this field is optional. The IP address of the Detector management interface that is used to communicate with the 9900 WNG Central. See Table 24-1 for information about the Provider. See Table 24-1 for information about the Region. See Table 24-1 for information about the Reporting Enabled check box.
IP Address Provider Region Reporting Enabled
24-4
24 Topology view Table 24-6 Element Table SGSN tab

Label Name Description The name field is a logical name that can be given to each SGSN. This label can be set in the GUI by double clicking in the cell of the table and entering in the name. Once set, this name appears in the Topology screens for subsequent accesses across all users. Setting this field is optional. The IP address of the SGSN See Table 24-1 for information about the Provider. See Table 24-1 for information about the Region. See Table 24-1 for information about the Reporting Enabled check box.
IP Address Provider Region Reporting Enabled
Table 24-7 Element Table CDMA RNC tab

Label RNC/MSC Name Description The CDMA RNC/MSC name is configured through the CLI using the rncPcfMap command which is used to map PCF IP Addresses to their associated CDMA RNC. Only the CDMA RNC ID (not the MSC) appears in this table. PCF IP Address Provider Region Reporting Enabled The PCF IP address of the CDMA RNC. This field cannot be changed in the GUI. See Table 24-1 for information about the Provider. See Table 24-1 for information about the Region. See Table 24-1 for information about the Reporting Enabled check box.
Table 24-8 Element Table UMTS RNC tab

Label RNC Name SAI/CGI/RNC ID Provider Region Reporting Enabled Description The UMTS RNC name is configured through the CLI using the rncSaiMap command which is used to map SAI IP Addresses to their associated UMTS RNC. The identifiers for the UMTS RNC. This field cannot be changed in the GUI. See Table 24-1 for information about the Provider. See Table 24-1 for information about the Region. See Table 24-1 for information about the Reporting Enabled check box.
Working in the Element Tables

This section describes the basic functions that you can perform in the Network Graph view.
24-5
24 Topology view
Sort by column
Each column in an element table is sortable in ascending or descending order.

Right-click operations
The events tables support the right-click operations described in Table 24-9.
Table 24-9 Clickable fields for element tables
Operation Copy Selected Row(s) Copy Single Cell Description Copies the selected table row or rows to the clipboard Copies the selected cell to the clipboard. You can paste the value that you save into other fields. Highlights all rows so that you can perform an operation such as export to CSV Used for bulk provisioning operations. See section 24.5 for more details. Home Agent PDSN GGSN SGSN CDMA RNC UMTS RNC ExportTable as CSV ExportSelection as CSV Whois <IP address> Exports the entire table or the selected rows to a CSV file Performs a whois query on the selected IP address cell All tabs Applies to All tabs
Select All Rows
ProvisionName ProvisionProvider Name ProvisionRegion ProvisionReporting
All IP address table cells except the Detector
24.3
Network Graph view

The network graph feature displays the network elementsHA, PDSN, GGSN, SGSN, RNC, BTSin the network.
Opening the Network Graphs view

From the 9900 WNG GUI tree structure, click on the Network Graph. Depending on the type of deployment, a CDMA tab, UMTS tab, or both tabs are displayed. By default, only elements that are named (grouped) are displayed the graph.
24-6
24 Topology view Figure 24-2 Sample network graph

Tabs NEs and connections
Legend
Graph controls
21179
Network Graph components and controls

Table 24-10 describes the components and controls of the Network Graph.
Table 24-10 Network Graph components
Component Tabs NEs and connections Description Tab view buttonsto switch between CDMA and UMTS views Icons and line connectors. You can mouse-over an NE to:

Legend
display a pop-up window that contains information about the NE, such as NE name, type, address, region, and provider highlight the NEs to which the selected NE is connected
Color code for and number of each type of NE displayed in the graph. The number of cells is contextual; that is, the number of cells associated with an RNC appears as 0 in the Legend until you display the cells associated with the RNC.
(1 of 2)
24-7
24 Topology view
Component Graph controls
Description Refresh buttonreload data on the network graph. Newly discovered and grouped elements are not automatically displayed on the graph. To display the latest snapshot, you must reload data on the network graph. The graph is updated automatically only when the system receives or clears a congestion or trend alert. Distance sliderto increase or decrease the length of the links between NEs. The font size of the NE labels are unchanged. Zoom sliderto zoom in or out of the graph Search fieldto search for a node element in the network graph. Enter the network element name that you need to locate on the map. As you type characters, all the network elements starting with those characters are highlighted in a yellow background color, as shown in Figure 24-2. To clear the text in the field, click on the X symbol in the search field. Legend buttonto toggle the display of the legend on the screen. In Figure 24-2, legends are displayed. Click this button to hide the legends.
(2 of 2)
24.4
Working in the Network Graphs view

You can perform the following operations in the network graph view. This section describes the basic functions and advanced operations that you can perform in the Network Graph view.
switch between supported mobile technologies search a node element in the network graph reload data to the network Graph. expand base stations collapse base stations from a specific RNC use network graph controls view grouped elements in the network graph view grouped and ungrouped elements in the network graph view network forensic from network graph display congestion and trend alerts display mobile flow and subscriber path graphs
Display functions
The following sections describe how to use the display functions of the network graph.
Configuring Network Graph preferences
You can configure the number of base stations that are displayed using the Preferences menu. See Procedure 16-7 for information about how to configure the display preferences for the Network Graph.
24-8
24 Topology view
Mouse-over for NEs
To display information about an individual NE, hover your mouse over a NE. A tool tip appears that indicates the type of NE.
Displaying or collapsing cells associated with an RNC
By default, a cell is displayed on a network graph when there is a congestion alert and cell nodes are expanded. If you attempt to expand or collapse cells while the system is refreshing the graph view because of an alert, you might have to try for a second time before you can successfully expand or collapse the cells.
Note The number of cells associated with an RNC appears as 0 in
the Legend until you display the cells associated with the RNC.
Double-click on the RNC to display the associated cells. See Figure 24-3 for an example of the cell view.
Figure 24-3 Example of an expanded cells view
24-9
24 Topology view
Collapsing cells
To collapse cells (that is, to remove the cells from the display), double-click the RNC icon.
Operations in the Network Graph view

You can view trend alerts and congestion alerts from the Network Graph view. A trend alert is applicable to a network element while a congestion alert applies to a link. The trend and congestion alerts also appear in the Performance Events view, as described in Performance events on Network Graphs.
Trend Alert
A NE with a trend alert is represented on the network graph with a red background. The background color of a network element turns red for any trend configured in the system. If the event clears, the background color is reset to the default color for the NE type. Congestion Alert A link between the nodes turns red when there is a congestion alert. If there is an active congestion alert and if one of the nodes involved is a cell, the cell is displayed on the network graph.
Generating Network Forensic reports from a Network Graph
You can invoke the Network Forensic View screen from a network graph. To invoke the Network Forensic View screen, right-click on an NE or link. Table 24-11 lists the command for each type of NE.
Table 24-11 Interactive controls
NE CDMA Cell HA PDSN RNC UMTS Cell GGSN RNC SGSN Connections Connector Hop Forensic Network Forensic Reports configuration form (for Hop report) 25 BSForensic GGSNForensic UMTS_RNCForensic SGSNforensic Network Forensic Reports configuration form (for NE) 25 BSForensic HAForensic PDSNForensic CDMA_RNCForensic Network Forensic Reports configuration form (for NE report) 25 Right-click Opens See chapter
24-10
24 Topology view
24.5
Provisioning operations using the Network Element tables

A user with Admin privileges can change the setting for the following fields:
Network Element Name Provider Region

When you name a network element, it becomes a part of the group. All groups must have the same provider and region. If you change the setting for the Provider or Region for an NE, the setting is applied to all network elements that belong to that group.
Naming convention
The following characters are allowed for NE, provider, or region fields: ":" , ";" , "" , "`" , "=" , "\"" , "?" , "(", ")", "{", "}", "~", "%", "*", "+", "|", "?", ">", "<", ",", "!", "@", "\\" , "$" , "^" , "[" , "]" If you use an invalid character, the system generates an error message.
Bulk provisioning NE groups from the Element Tables

You can bulk provision a group of NEs from the Element Tables. You can select up to 100 rows for bulk provisioning. If you select more than 100 rows, the system generates an error message.
Note The value under the RNC-MSC Name column indicates the group name. Elements that have the same setting in the RNC-MSC Name column belong to the same group. Group names must be different between EV-DO and UMTS network elements.
Procedure 24-1 To provision NEs in bulk using the Network Element table
1 2 3 Click on the tab in the Network Element view that corresponds to the NEs that you need to provision. Highlight the rows that you need to provision. Right-click on the highlighted rows and choose Provision and one of the following options:
Set tab Nameto provision a name for the selected NEs. The change applies to all members of the group. Set Provider Nameto provision a provider name for the selected NEs. The change applies to all members of the group. Set Regionto provision a common region name for the selected NEs. The change applies to all members of the group. Set Reportingto enable or disable reporting on the selected NEs
24-11
24 Topology view
A window appears that corresponds to the option you chose in which you can specify a value for the parameter option. 4 5 Enter a value in the text field and click on the Save button. The system prompts you to confirm that you are applying the change to the entire group. Choose Yes to apply the setting to all of the NEs that belong to the group (that is, the NEs with the same name).
Searching for NEs using the Network Element table

Perform Procedure 24-2 to search for the NEs that belong to the same group.
Procedure 24-2 To search for NEs using the Network Element table
1 Right-click on a tab and choose Search tabname.
Where tabname represents any tab in the Element Tables view except Detector.
A Search window appears. 2 Choose a search criterion by selecting the radio button beside one of the following parameters:

3 4 5
IP Address Name Provider Region
Enter a value in the text box that corresponds to the parameter you chose. Click on the Search button. The system highlights the first row in the table that corresponds to the search criterion. Click on the Search Next button to search for additional instances of NEs that match the search criterion.
24-12
25.1 Network Forensic view overview
25-2 25-2
25.2 Network Forensic view menu components 25.3 Network Forensic reports components 25.4 Working in the Network Forensic view
25-4 25-7
25-1
25.1
Network Forensic view overview

The Network Forensic view displays detailed data about the NEs that are monitored by the 9900 WNG Detector. The Network Forensic view is closely coupled with the Topology-Network Graphs view that is described in Chapter 24. There are two types of network forensic reports:
Hop Reports Network Element reports Hop reports

Hop reports provide information about the hops between two NEs. To generate hop reports, go to the Network Forensic Report input parameter page; for related information, see Generating a Network Forensic report. Links with no traffic are aged out. You cannot create a hop forensic report for aged links. NEs are not dynamically updated on graphs, so you should refresh a network graph before you run a hop forensic report.
Network Element reports

Network Element reports display a snapshot of the activities for a specified NE and time period. The type of information in the report depends on the type of NE.
25.2
Network Forensic view menu components

You can click on the Network Forensic View menu item to display two tabs:
Network Forensic Report tabused to configure the parameters for the report Historyused to store a list of the 25 most recent network forensic queries
Figure 25-1 shows Network Forensic Report input parameter page that appears when you click on the Network Forensic View menu.
25-2
25 Network Forensics view Figure 25-1 Network Forensic View menu and input parameter page
Generating a Network Forensic report

Network forensic reports are configured in two ways:
dynamically, using the Topology-Network Graph, as described in Generating

Network Forensic reports from a Network Graph in section 24.4. The type of report (NE or hop) and the NE (Network Element name, or Hop Start and Hop End) are automatically filled. The time range for the start and end date is the current time. manually, using the query form in the Network Forensic Report tab. See Procedure 25-1for more information.
Procedure 25-1 To generate a network forensic report

1 2 Click on the Network Forensic menu item in the navigation menu. The Network Forensic Report tab appears in the GUI. Select one of the following preferences: a b 3 Hop Report. Go to step 3. Network Element Report. Go to step 4.
Configure the Hop report parameters:
Query Duration Selection Start Time and End Time. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget. See Calendar and time widget for more information. Hop Start and Hop End
25-3
Go to step 5. 4 Configure the NE parameters:
Query Duration Selection Start Time and End Time. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget. See Calendar and time widget for more information. Network Element. Enter a valid
Select whether you want to generate a concise or detailed report. The options are:
Selectedthe output consists of the information in the Statistics tab, as described in Network Forensic concise report components. Unselectedthe output consists of the information in multiple tabs, including the Statistics tab, Top Servers, Top Applications, Top Mobiles, Top Sources, as described in Network Forensic detailed report components.
Note Detailed reports take longer to process than concise reports. The time period for the report affects the number of records that the 9900 WNG must process.
6 Click on the Generate button to create the report.
History tab
The History tab contains a list of past network forensic queries that are sorted from most recent to oldest. A maximum of 25 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI. The History tab presents data in a table with the following columns (from left to right):
# (that is, Report Number) Hop Start and Hop End columns Executed At Interval Start and Interval End columns Actual Event Time Remove
To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item in the Network Forensic menu.
25.3
Network Forensic reports components

The network forensic reports can be generated in a concise or detailed format.
25-4
Network Forensic concise report components

The concise format consists of the Statistics view. Figure 25-2 shows the Forensic view in the concise format.
Figure 25-2 Network forensic report in concise format
Statistics report
The Statistics report displays a snapshot of the activities for the NE for the time period specified in the input parameters page. The report also provides information about the volume of traffic that the network is handling. The type of information in the Statistics report varies depending on the type of network element. From the Statistics report, you can modify the duration covered in the report or specify a concise report or detailed report.
Network Forensic detailed report components

In addition to the Statistics tab, detailed reports include the tabs listed in Table 25-1.
25-5
25 Network Forensics view Table 25-1 Detailed Network Forensic reports tabs
Tab Top Servers Top Application Top Mobiles Top Sources Description Plots four pie charts:
by volume by airtime by signaling by flows by uplink volume by downlink volume
Plots two pie charts:
Figure 25-3 shows the Network Forensic view in the detailed format.
Figure 25-3 Network Forensic report in detailed format
Chart view and table view in the detailed format
By default, the detailed reports tabs display data as charts. You can view information in each tab as a table or as a chart by clicking on the Show Table/Show Chart option. The tabular format supports clickable fields, as described in Operations in the Network Forensic view.
25.4
Working in the Network Forensic view

This section describes the basic functions and advanced operations that you can perform in the Forensic view.
Export functions
The Network Forensic view supports report export functions. You can export the contents of the concise and detailed reports, as described in Common features and functions in section 16.4.
Sort functions for table data

Table data can be sorted in ascending or descending order by clicking on the table column header.
Operations in the Network Forensic view

Detailed Network Forensic reports that you display in tabular format support the clickable fields that are listed in Table 25-2.
Table 25-2 Clickable fields for Network Forensic detailed reports
Event Details parameter value Right-click options Copy to Clipboard Whois <IP address> Subscriber Report
Top Servers Server IP Application Proto Port Sum Top Applications Application Prto Port Sum Top Mobiles Mobiles Top Sources Mobiles (uplink volume) Servers (downlink volume) (1) (2) (2) (1)
25-7

Notes (1) See also Using the whois query in chapter 16 for more information. (2) See also Generating subscriber reports in chapter 29 for more information.
25-8
26 System View
26.1 System View overview 26.2 System View menu icons 26.3 System Events view 26.4 System History view
26-2 26-2
26-2 26-5 26-6
26.5 Working in the System View
26-1
26 System View
26.1
System View overview

The System View is the main interface to monitor the status of the 9900 WNG system. The System View displays alerts that correspond to current and past events that represent potential operational problems. Alerts are integral to problem detection and troubleshooting activities. See chapter 38 for detailed descriptions about specific types of system events. The System View has two menu items, each of which opens a GUI window:
System Events System History
26.2
System View menu icons

Table 26-1 describes the status indicators that may appear in the navigation menu next to the System Events and System History menu items.
Table 26-1 System View navigation menu status indicators
Indicator Arrow on a red background Arrow on a green background Arrow on a purple background Exclamation point
Description Indicates an outstanding event condition that has caused a system event. This may include an Info severity system event condition such as Process Started or Packets Dropped which requires a manual clear to remove. Indicates that there are no outstanding system event conditions Indicates that you have viewed all system events that are currently outstanding. If the GUI is on the System Event page, this symbol is always an arrow. Indicates that there has been a change to the system events: a previously viewed event is cleared or a new system event is detected. An exclamation point (!) on a green background indicates that the last outstanding system event condition has cleared. When you view the System Event page, the exclamation point reverts back into an arrow.
26.3
System Events view

This section describes the System Events view and the corresponding preferences that you can configure to manipulate the view. Figure 26-1 shows the System Events view.
26-2
26 System View Figure 26-1 System Events view
System Events table
Table control buttons Event counter Event details panel

21180
System Events components

Table 26-2 describes the components of the System Events view.
Table 26-2 9900 WNG System Events components
Component System Events table Description Lists the current system events Use to Display the active system events See Columns in the System Events table in this section
Displays two buttons:
Ack Clear
Acknowledge or remove events in the table
Event counter Event Details
Lists the number of events in the table Displays detailed information about individual events in the table Includes the following:
Monitor the number of outstanding events View details about the event. You can right-click on the Correlation ID to copy the value to the clip board or to filter the data using the System Events Display Preferences window.
Procedure 26-1
Severity of the event Reporting element Status of the event Correlation ID Sub Object A description of the event
26-3
26 System View
Columns in the System Events table
Table 26-3 describes the columns that appear in the System Events table.
Table 26-3 Columns in the System Events table
Field Severity Specifies Severity of the event. Varies depending on the type of event:
Critical: red Major: orange Minor: yellow Clear: green Warning: Cyan Info: Dark Blue
Info severity events are generated only during an active GUI session. You can manually clear Info events. When you close the GUI, Info severity events are cleared. Event type Type of system event. See chapter 38 for a description of each of the following system events:

Object ID Subobject ID
License Violation Link Down Process Down Process Start CPU Usage Disk Usage Memory Usage No packet Packet Drop Hardware Failure Swap Usage Queue Usage Line rate threshold
The device where the system event was detected. The values indicate if the condition is associated with 9900 WNG Central or a specific 9900 WNG Detector. Further qualifies the Event Type. The values vary depending on the type of system event. For more information, see the description page for the specific system event later in this chapter. Not all system events report a value for the Subobject ID field. Condition of the event Varies according to the type of event. For more information, see the description page for the specific system event later in this chapter. Date and time that the event was detected GUI user or administrator who acknowledged or cleared the event Correlation ID
Condition Value Create Time Owner Co_ID
System Events display preferences

Perform Procedure 26-1to set the preferences for the System Events display.
26-4
26 System View
Procedure 26-1 To filter system events

1 2 Right-click on the value in the Correlation ID field and choose Filter from the contextual menu. The System Events Display Preferences window appears. Configure the parameters in the table. The available search parameters are:
Time Periodspecify a date and time range or the most recent N number of days, hours, minutes, and seconds The following parameters:
Event typesee Table 26-3 for a list of event types Owner Severitysee Table 26-3 for a list of severity indicators Object IDCentral, specific Detector ModuleMIP, tracker, detector, or GUI Statusauto_cleared, active, acknowledged, manual_cleared, or reset_cleared Correlation ID
Click on the View button to view the filtered results. A tab appears in the System History view. The tab is identified as follows: Query: date and time stamp. The results are presented in a tabular format that is the same as the System Events table shown in Figure 26-1.
26.4
System History view

The System History view displays a list of past system events. System History events are presented in a tabular format that is the same as the System Events table shown in Figure 26-1. The History Filter tab window is automatically displayed when you click on the System History navigation menu item for the first time, as shown in Figure 26-2.
26-5
26 System View Figure 26-2 History Filter tab in System History view
The History Filter tab window has the same parameters as the System Events Display Preferences window, that is described in Procedure 26-1. After the filter query has been processed, you must click the Filter button to display the System Events Display Preferences window. The event data can be exported to a CSV format report by clicking on the Report to CSV button. You can save the report to a directory.
26.5
Working in the System View

This section describes the basic functions and advanced operations that you can perform in the System View.
Operations
The System View is intended mainly a monitoring interface. However, to investigate a particular system event further, you can right-click on the Correlation ID field that appears in the Events Details panel of the System Events and System History views and copy the value to the clipboard. You can paste the value into another form to generate other reports.
26-6
27 Mobile Flow view
27.1 Mobile Flow records overview 27.2 Mobile Flow record components 27.3 Working in the Mobile Flow view
27-2 27-3 27-7 27-8
27.4 Considerations regarding Mobile Flow measurements
27-1
27 Mobile Flow view
27.1
Mobile Flow records overview

Mobile Flow records are flow usage records that combine the typical TCP/IP-based network flow information with wireless-specific information. Wireless specific information includes resource usage, air time, signaling overhead, and traffic related to individual subscribers and devices.
Mobile Flow menu and query form components

Figure 27-1 shows the Mobile Flow query form that you can use to generate mobile flow records for IP addresses over a specified period of time.
Figure 27-1 Mobile Flow query form page
After you generate a mobile flow, a record for the query is produced and a corresponding submenu item appears in the navigation menu under Mobile Flow.
Generating Mobile Flow reports

Mobile Flow reports are generated from a form in the Mobile Flow tab. You can populate the Mobile Flow form as follows:
Dynamically, using the Mobile Flow button that appears in the following views: Anomaly Events, as described in Opening the Mobile Flow view in chapter 22 Anomaly History, as described in Working in the Anomaly History view in
chapter 22
Forensic Events, as described in Opening the Mobile Flow view in chapter 23 Manually in the input parameters tab, as described in Procedure 27-1.
Procedure 27-1 To generate a Mobile Flow report
1 2 Click on the Mobile Flow menu item in the navigation menu. The Mobile Flow input parameters tab appears in the GUI. Configure the input parameters, as described in Table 27-1.
27-2
27 Mobile Flow view Table 27-1 Mobile flow input parameters

Parameter Query Duration Selection Flow Peer #1 Option Start Time End Time IP_1 Description Text field and calendar widget. Enter a date and time in the text field, or left-click on the drop-down icon to display the calendar widget. IP address check box and text field. Select the check box and enter an IP address in the text field to filter by IP address. Mobile ID check box and text field. Select the check box and enter a mobile ID in the text field to filter by mobile ID. IP address check box and text field. Select the check box and enter an IP address in the text field to filter by IP address. Mobile ID check box and text field. Select the check box and enter a mobile ID in the text field to filter by mobile ID. Radio button. Select to specify only flows originated from Peer #1. Radio button. Select to specify only flows that are responded to by Peer #1 Radio button. Select to specify either flow direction
ID_1
Flow Peer # 2
IP_2
ID_2
Select Flow Indicator
Peer #1 Orig Peer #1 Resp Peer #1 Either
Click on the Mobile Flow Summary button to generate the report. The Mobile Flow records for the specified dates are displayed, as shown in Figure 27-2.
27.2
Mobile Flow record components

When mobile flow records are retrieved for a subscriber, the Mobile Flow Event Details, Performance, and Path tabs are displayed. Figure 27-1shows the components of a mobile flow record.
27-3
27 Mobile Flow view Figure 27-2 Mobile flow record components

Mobile Flow input parameters tab Mobile Flow record tab
Flow direction indicator
Mobile Flow event table
Mobile Flow filter panel Mobile Flow summary panel Event details panel tab Mobile Flow event details panel Table control buttons
Mobile Flow summary button
21134
Table 27-2 describes the components of the Mobile Flow record.

Table 27-2 Mobile flow record components
Component Mobile Flow Event table Description Contains headings and columns that display the parameters of the mobile flow. Each row represents an individual event in the network. The columns display the following information:

(1 of 2)
Direction of the flow Start time Originator IP address Originator port number Responder IP address Responder port number Protocol Application type Originator Packets Responder Packets
27-4
27 Mobile Flow view
Component Flow direction indicators
Description Indicate the direction of the flow. The icons that appear in the event table and in the Mobile Flow Summary panel represent the following (displayed from left to right):

Clickable fields Mobile Flow Filter Criteria panel
M to I (unidirectional) M to I (bidirectional) M to M (bidirectional) I to M (unidirectional) I to M (bidirectional) I to M (mobile-originated) M to M (unidirectional)
Perform other operations. Supports right-click commands on the Orig IP and Resp IP fields. See Section 27.3 for more information.
Start and end time of the attack Originators IP address and/or ID Responders IP address and/or ID Flow of the attack (for example, Originator to Responder or Responder to Originator or bidirectional)
Mobile Flow Summary button Mobile Flow Summary panel
Retrieve new data if you change the filter parameters in the Mobile Flow Filter Criteria panel
Recordsthe total number of records and a breakdown of the number by flow direction Distinctthe total number of individual peers and protocols involved in the mobile flow Totalthe total number of bytes, packets, airtime and connections Mobile Flow Event Details Performance Path
Event details panel
Contains three tabs:
Analyze details, performance indicators, and the associated network path. See Event Details panel in this section for more information. Table Control buttons Common control buttons:
Close UnDock Export to CSV
See Common features and functions in chapter 16. (2 of 2)
Event Details panel

The following subsections describe the tabs of the Event Details panel.
Mobile Flow Event Details tab
Table 27-3 list the fields that can appear in the Mobile Flow Events Details tab.
27-5
27 Mobile Flow view Table 27-3 Mobile Flow Events Details tab
Field Duration Orig IMSI Resp IMSI Airtime O2R_Bytes Description Indicates the duration of the flow. The format is hh:mm:ss.ms. IMSI of the originator IMSI of the responder Indicates the up and down airtime of the flow. The format is hh:mm:ss.ms/hh:mm:ss.ms. The number of bytes transmitted from the originator to the receiver. If the flow is I2M, the originator is an Internet source and the receiver is a mobile device. MSISDN of the originator MSISDN of the responder Number of connections The number of bytes transmitted from the receiver to originator IMEI of the originator IMEI of the responder Indicates the method of opening a connection. For most TCP connections it is 'tcpSyn'. Typically TCP sockets are established when an originator sends a TCP packet with the SYN flag set, thus initiating a sequence number. The name of the 9900 WNG Detector that captures the data GGSN of the originator GGSN of the responder Indicates that a flow was terminated. A value of finClose, which is a bit in the TCP header, indicates that the sender has no more data to send and is closing a TCP session. A value of flowTimeout indicates that the system waited for a specified period of time with no data flow; the flow was terminated.
Orig MSISDN Resp MSISDN #Conn setup R2O Bytes Orig IMEI Resp IMEI Open
Detector Orig GGSN Resp GGSN Close
Performance tab
Table 27-4 lists the fields that can appear in the Performance tab.
Table 27-4 Performance tab
Field Throughput (kbps) Description Indicates the downlink TCP throughput for the flow. The throughput is calculated based on the amount of downlink bytes transferred over the busy interval. For more information about throughput measurements, see RTT measurements (in the Performance tab). Indicates the downlink TCP saturated throughput for the flow. The value is based only on the flows that saturate TCP. For more information about the saturated throughput measurement, see Throughput measurement (in the Performance tab). Down TCP Bytes (1 of 2) Downlink data sent to mobile for this flow
Saturated Throughput (kbps)
27-6
27 Mobile Flow view
Field Duration RAN Loss Rate Downlink RAN Loss Downlink Total Pkts Srvr Syn RTT (ms) RAN Syn RTT (ms)
Description Total duration of this flow (hours:minutes:seconds:milliseconds) The TCP packet loss rate for the data sent to mobile Number of TCP packets lost in the downlink Total number of packets sent to the mobile Round Trip Time seen for TCP Syn messages between the detector and the remote server Round Trip Time taken for TCP Syn messages between the detector and the mobile. For information about how RAN RTT is calculated, see RTT measurements (in the Performance tab). Average Round Trip Time Minimum Round Trip Time Maximum Round Trip Time Number of samples (packets) considered while computing the above RTT parameters Number of TCP Syn Acks Number of TCP Syn sent message Number of TCP Syn Timeouts
Avg Data RTT (ms) Min Data RTT (ms) Max Data RTT (ms) RTT Samples Syn Acks Syn Sent Timeout (2 of 2)
Path tab
The Path tab shows the path taken by the selected mobile flow.
Note There may be a slight delay in displaying the path.
The Path tab displays a graphical representation of the Cell ID, RNC, PDSN/SGSN, or the HA/GGSN through which packets for the flow traverse. The Path tab shares the same right-click and mouse-over features as the Network Graph. See Table 24-10 for information about mouse-over functions, and Generating Network Forensic reports from a Network Graph for information about interactions with Network Forensic reports.
27.3
Working in the Mobile Flow view

This section describes the basic functions and advanced operations that you can perform in the Mobile Flow View.
Operations in the Mobile Flow Event Details panel

The Mobile Flow Event Details tab supports right-click operations that allow you to retrieve information about the mobile device that is involved in the mobile flow. Right-click on Orig ESN field and chose Device Detail. A pop-up appears that lists the manufacturer, model, and band of the device identified by the ESN.
27 Mobile Flow view
Opening Network Forensic reports from the Path tab

The Path tab shares the same features as the Network Graph in the Topology view. The right-click operations that open the Network Forensic reports from the Network Graph, which are described in Table 24-11, are supported from the NEs and paths that appear in the Path tab of the Mobile Flow Event Details panel.
27.4
Considerations regarding Mobile Flow measurements

RTT measurements (in the Performance tab)
RTTs are measured based on the shortest TCP Ack messages seen in the network. Standard TCP implementations implement delayed ACKs to save resources. Figure 27-3 shows the TCP ACK messages exchanged between the mobile and the server.
Figure 27-3 TCP ACK messages exchanged between the mobile and the server
The message, t1, is not acknowledged by the mobile due to Delayed ACK implementations. Since the t3 message is the acknowledgement for message t2, the RTT is measured as the interval between t3 and t2. The diagram also depicts message t5 acknowledged in response to t4 after a brief delay of 'td' duration. Therfore, measuring RTT as (t5 - t4) is not accurate. If accurate RTT cannot be calculated, the 9900 WNG does not report them.
Throughput measurement (in the Performance tab)

Throughput is calculated based on the volume of traffic that was transferred over the busy interval.
27-8
27 Mobile Flow view
Figure 27-4 shows that the traffic from the server to the mobile is sent and the mobile in turn sending responses (such as TCP Ack) over the interval t1 to t6. This interval is termed as busy time, since the data transfer is active during this interval.
Figure 27-4 Traffic from the server to the mobile
In contrast, the interval between t6 and t7 is not considered busy, since there is no data transfer. The interval between t8 and t9 is busy as well. The throughput is calculated as the ratio of data transferred over the busy interval and the busy interval. Some applications such ssh, telnet, and so forth, have a lot of idle time and hence calculating the throughput (as data transferred over the duration of the session) yields values that are much smaller than the 'true' throughput of the link. While computing the throughput, if the 9900 WNG detects inaccuracies (such as when the ACK from mobile is much later than the 'busy' traffic, potentially indicating delayed ACKs), the throughput is not reported.
27-9
27 Mobile Flow view
27-10
28 CLI view
28.1 CLI view
28-2
28-1
28 CLI view
28.1
CLI view
The CLI item in the navigation menu allows you to open the command line interface to the 9900 WNG Central server in the GUI workspace. The first time that you log in to the CLI interface in each session a dialog box appears that asks you to confirm that you have the correct RSA authentication key. Click on the yes button to continue. The welcome screen for the CLI view appears and the CLI cursor appears at the central prompt:
Last login: Mon Jun 7 13:17:59 2010 from machine.com
Welcome 9900 WNG user! Last login: pts/15 central> caottx01234.ca.a Mon Jun 7 13:42:14 -0400 201
You can use the CLI to issue 9900 WNG OA&M commands to the 9900 WNG Central and Detector. See chapter 14 for a complete list of all CLI commands for the 9900 WNG.
28-2
29 Subscriber view
29.1 Subscriber overview
29-2 29-2 29-4
29.2 Subscriber menu components
29.3 Characteristics of subscriber reports 29.4 Generating subscriber reports 29-4
29.5 Components of subscriber reports 29.6 Statistics tab 29-8 29-8
29-7
29.7 Top Applications tab 29.8 Top Servers tab
29-10 29-11 29-11 29-14
29.9 Anomaly Events tab 29.10 Flow/Session tab
29.11 Path tab components 29.12 Billing tab 29-15
29-1
29 Subscriber view
29.1
Subscriber overview
You can generate reports from the Subscriber view by manually executing queries based on data that you derive from existing reports. Subscriber reports provide a broad range of information about the following:
subscriber activities, including the applications used by a subscriber and the

anomalous events associated with a subscriber as either attacker or victim network elements and paths traversed by the traffic generated by a subscriber network resources, such as traffic volume, airtime, signaling that a subscriber consumes servers, such as Google, or mail servers that the subscriber used traffic flows for specific sessions billing mismatches that may occur for a subscriber
29.2
Subscriber menu components

You can click on the Subscriber menu item in the navigation menu to display the following tabs:
Subscriber Reports Active Reports Historic Reports

Figure 29-1 shows the Subscriber Reports query form that appears when you click on the Subscriber menu item.
Figure 29-1 Subscriber reports query form
29-2
29 Subscriber view
Subscriber view components

When you click on Subscriber in the navigation menu, the Subscriber Reports tab appears, as shown in Figure 29-2. Table 29-1 describes the components of the Subscriber tab.
Table 29-1 9900 WNG Subscriber view components
Component Subscriber Reports tab Active Reports tab Description Query form to specify the parameters for the subscriber report Displays the reports that are in progress. You can click on the hyperlink in the Report Criteria column to display the report. You can remove one or more of the reports from the list. Displays the completed reports. You can click on the hyperlink in the Report Criteria column to display the report. You can remove one or more of the reports from the list. Menu item that is created when you generate a report about a specific subscriber Use to Generate a report for a specific time period and subscriber Monitor and manage a list of current reports See Section 29.4 Active Reports and Historic Reports tabs
Historic Reports tab
Monitor and manage a list of historic reports
Subscriber menu sub item
Navigate to a specific subscriber report
Active Reports and Historic Reports tabs

The Active and Historic Reports tabs contain a list of subscriber queries that are sorted from the most recent to the oldest. Each tab has a table that presents the data in the following columns:
Report Criteria Report Type Executed At Start Date End Date Remove
A maximum of 100 query items are shown; the oldest query items are automatically discarded. To remove query items manually, select the corresponding check box in the Remove column and then click the Remove button at the bottom of the GUI. To re-execute a query, click on the corresponding hyper link. The query is executed and the results displayed as a submenu item under Subscriber in the Navigation menu.
29-3
29 Subscriber view
29.3
Characteristics of subscriber reports

Subscriber Report output is based on a time window. If Flow/Session activity is outside the requested time window, implementation is as follows:
Flows: flows that start in window, statistics include any interim period that
happened in +/- 1 hour window
Sessions: sessions that start/end in +/- 4 hour window, gets statistics for interim
session records that occur Anomalies: shows anomalies that were active any time in the window Reported values:
The value that is reported for Effective Rate for Flows is calculated as bytes/flow
duration, so the accuracy of the calculation as a rate depends on nature of flow traffic. The value that is reported for Effective Rate for Sessions is calculated as bytes/actual airtime and duration, which makes it more accurate measure than flow effective rate. The Cumulative Resource usage plot in the Flow/Session tab assumes linear usage over the life of flow. The following limitations apply:
If a flow or session has started, but does not have an interim or end record,
statistics are not reported for that flow/session. A session can display zero volume, but flows show traffic. For accurate numbers, specify a time period that includes the session end to capture all information for one or more subscriber sessions.
29.4
Generating subscriber reports

You can generate subscriber reports for one or more subscribers in a specific time period. Depending on the event type and the subscriber activity, a subscriber is classified as an attacker or a victim.
Acquiring subscriber IDs

Subscriber reports are queries based on a specified mobile or device ID. You can acquire the IDs in two ways:
copy a mobile or device ID from a report and paste it into the appropriate field in
the Subscriber Reports tab, as described in Procedure 29-1
open the Subscriber Reports tab directly by clicking on a field in one of the
following:
Events Details panel of a report Top Mobiles or Top Sources tables in the Network Forensics view
29-4
29 Subscriber view
Procedure 29-1 To configure and generate a subscriber report

1 Perform one of the following: a b 2 To generate a subscriber report from data that you cut and paste from another report table or Events Details panel, go to step 2. To open the Subscriber Reports query form directly from a field in an Events Details panel, go to step 8.
Click on Subscriber in the navigation menu. The Subscriber Reports tab appears, which contains a query form to configure the time period and subscriber criteria for the report. Specify the time period for the report, as described in Table 29-2.
Note The duration of the time period can affect the 9900 WNG system performance. The longer the duration, the longer the 9900 WNG needs to return results. Queries consume computational resources such as CPU, swap space, database connections, and temporary table space on the 9900 WNG Central server. Only one query per GUI is allowed at a time for the Network Forensic, Subscriber report, or Mobile Flow. If you attempt to run a list of Subscriber and Network Forensic queries, the queries are queued one at a time for execution.
Table 29-2 Subscriber report input parameters - Time Period
Parameter Query Duration Selection Option Start Time End Time Description Enter a date and time in the text field or left-click on the drop-down icon to display a calendar. You can specify a time period of up to 30 days.
Configure the Subscriber Criteria in the query form by performing one of the following: a b c Go to step 5 to configure the By Mobile ID (NAI/IMSI) option. Go to step 6 to configure the By Device ID (ESN/IMEI) option. Go to step 7 to configure the By Multiple Mobile IDs (NAI/IMSI) option.
Configure the By Mobile ID (NAI/IMSI) option. i ii iii Click on the By Mobile ID (NAI or IMSI) radio button. For the first field, enter an ID. For the second field, perform one of the following:
Choose a provider from the drop-down menu or enter a provider. Enter an known ID in the field. Paste an ID in the field that you have copied from another form.
Go to step 9.
29 Subscriber view
Configure the By Device ID By Device ID (ESN/IMEI) option. i ii Click on the By Device ID By Device ID (ESN/IMEI) radio button. Perform one of the following:
Enter an known ID in the field. Paste an ID in the field that you have copied from another form.
Go to step 9. 7 Configure the By Multiple Mobile IDs (NAI/IMSI) option. i ii iii Click on the By Multiple Mobile IDs (NAI/IMSI) radio button. Click on the combo box. The Type in a multiple line string window appears. Enter an ID on each line. For example, multiple NAIs must appear as follows:
123456789@provider.com 345678901@provider.com 456789012@roamer.com
iv v
Click on the OK button. Choose one of the following radio buttons:
Individual, to create one report for each Mobile ID Group, to create one report for the group of Mobile IDs
Go to step 9. 8 Open the Subscriber Reports page directly from one of the following forms. The data for the ID that you select is automatically entered in the query form. a Real-time Events anomaly event view. Right-click the NAI, IMSI, ESN or IEMI field in the Event Details panel and choose Subscriber Report. See Table 22-7 for more information. Network Forensics view. Right-click on the Mobiles field in the Top Mobiles or Top Sources tables and choose Subscriber Report. See Table 25-2 for more information.
Click on the Generate button. A progress bar appears. You can access completed reports during the generation of a report. After the data is collected, the Subscriber Reports window appears with the Statistics tab displayed, as shown in Figure 29-2.
29-6
29 Subscriber view Figure 29-2 Subscriber Report showing the statistics tab
Subscriber report tab buttons
Subscriber report filters
Subscriber menu with subscriber report submenu Plots
Subscriber reports workspace
Report control buttons

21181
29.5
Components of subscriber reports

Table 29-3 describes the components of the Subscriber reports view.
Table 29-3 Subscriber reports view common components
Component Subscriber Reports filters Subscriber menu with Subscriber Report submenu Report control buttons Description Displays the values for the time and subscriber parameters that you configure in the Subscriber Reports tab Lists the subscriber reports that you generate in the navigation menu Flow Details buttongenerates a detailed flow report. Applies only to the Flow/Session tab. Exportexports all data in the subscriber report to a CSV formatted file. Applies to all of the tabs except Path. Closecloses all tabs in the subscriber report. Confirmation required. Applies to all tabs (1 of 2) See Procedure 29-1
Section 29.10 Common features and functions in chapter 16
29-7
29 Subscriber view
Component Subscriber reports workspace Plots
Description The area of the GUI where the subscriber data is plotted Detailed data about the subscriber. The format depends on the type of data, and can include tables, pie charts, bar graphs, or line graphs
See Sections 29.6 to 29.12 for information about the type of data that is displayed in the workspace
(2 of 2)
29.6
Statistics tab
Table 29-4 describes the specific plots in the Subscriber Statistics tab. Figure 29-4 shows an example of the Statistics tab.
Table 29-4 Subscriber Reports window - Statistics tab
Component Subscriber Totals Description Summary that lists:
uplink, downlink, and total statistics for: bytes airtime signaling flows and volumes for: internet to mobile scans total and completed number of sessions average duration of a sessionA subscriber may have more than one session. If there are multiple sessions, the average duration specifies the average time that the sessions lasted.
Protocol Breakdown by Volume Mobile Originated Flow Distribution Internet Originated Flow Distribution
Pie chart that displays the protocol breakdown, such as, TCP, UDP, ICMP, by volume Bar graph that displays the percentage of flows by packets per flow that originated from the subscriber Line graph that displays the percentage of flows by packets per flow that the subscriber received from the Internet
29.7
Top Applications tab

The Top Applications tab displays four pie charts that represent data for the five most used applications by the mobile, as shown in Figure 29-3.
29-8
29 Subscriber view Figure 29-3 Subscriber Reports window - Top Applications tab
The data in the pie charts are from the destination port numbers in flows that were originated by the mobile in the time period that was specified in the subscriber report. The tab also includes any applications that were configured using the applicationMap CLI command. Internet originated flows are not used to determine the top applications, and therefore, the pie charts may not include some streaming traffic. Table 29-5 describes the components of the Top Applications view.
Table 29-5 Subscriber Reports window - Top Applications tab
Component Applications by Volume Applications by Airtime Applications by Signaling Applications by Flow Description Pie chart that displays the top applications used in the network by percentage Pie chart that displays the percentage of airtime consumed by the top applications Pie chart that displays the percentage of signaling consumed by the top applications Pie chart that displays the percentage of flows associated with the top applications
29-9
29 Subscriber view
You can export the contents of the Top Applications reports, as described in Common features and functions in section 16.4. When you export the subscriber report to a CSV file, the file contains the top 50 applications. The top applications are exported in four separate .csv files; one file for each of the following volume, airtime, signaling, and flow count.
29.8
Top Servers tab

The Top Servers tab displays four pie charts that represent data for the five most accessed servers in flows that were initiated by the mobile, in the time period that was specified for the subscriber report. Figure 29-4 shows the Top Servers tab.
Figure 29-4 Subscriber Reports window - Top Servers tab
Internet originated flows are not used to determine the top servers and therefore, the pie charts may not include some streaming traffic. Table 29-6 describes the components of the Top Servers tab.
29-10
29 Subscriber view Table 29-6 Subscriber Reports window - Top Servers tab
Component Servers by Volume Servers by Airtime Servers by Signaling Servers by Flow Description Pie chart that displays the top servers by IP address and the percentage of the total traffic processed by the server Pie chart that displays the top servers by IP address and the percentage of the total airtime processed by the server Pie chart that displays the top servers by IP address and the percentage of the total signaling processed by the server Pie chart that displays the top servers by IP address and the percentage of the mobile flows processed by the server
You can export the contents of the Top Servers reports, as described in Common features and functions in section 16.4. When you export the subscriber report to a CSV file, the file contains the top 50 servers. The top servers are exported in four separate .csv files; one file for each of the following: volume, airtime, signaling, and flow count.
29.9
Anomaly Events tab

The Anomaly Events tab lists the anomaly events that were active for the specified subscriber during the specified the time period. The subscriber can be an attacker or victim. There is one row for each incident. See Anomaly Events view in chapter 22 for information about the Anomaly Events table. You can export the contents of the Top Servers reports, as described in Common features and functions in section 16.4.
29.10
Flow/Session tab
The Flow/session displays three time-based plots that measure the flow of the specified session. Figure 29-5 shows the components of the Flow/Session view.
29-11
29 Subscriber view Figure 29-5 Subscriber Reports window - Flow/Session tab
Plots
Y axis drop-down menu Plot controls
Plot control legend X axis time

21182
Table 29-7 describes the components of the Flow/Session tab.

Table 29-7 Subscriber Reports window - Flow/Session tab
Component Plots Description Three graphs: See Plots in the Flow/Session tab in this section
Mobile Flow Session Cumulative Resources Flow Details Export Close
Flow Details button in this section Table 29-3
Plot control legends
Mobile Flow legendindicates whether the flow originated from the mobile or from the Internet and whether the flow was unidirectional or bidirectional Cumulative Resource legendindicates the direction of the data as uplink or downlink
(1 of 2)
29-12
29 Subscriber view
Component Change Y axis drop-down menu
Description Specifies the parameter for the Y axis. You can change the Y axis in the plot.
See Plots in the Flow/Session tab in this section for information about the parameters that you can plot Procedure 29-1
X axis (time)
Specifies the time range for the report. All plots share the same X axis. A flow or session can start before or after the beginning of the specified time period.
(2 of 2)
You can export the contents of the Flow/Session report, as described in Common features and functions in section 16.4.
Plots in the Flow/Session tab

The Flow/Session tab of the Subscriber report contains the following plots, which share the same time x-axis:
Mobile Flow chart (upper chart) Session chart (middle chart) Cumulative Resources chart (lower chart)
Mobile Flow chart
Each flow is represented by a horizontal line spanning the duration of the flow. Short flows or flows with one packet often appear as a dot (.) on the plot. The Y-axis represents a parameter selected from the Change Y axis drop-down on the right side of the plot. By default, the number of flows that can be displayed is 200. You can change the limit by using the Preferences menu on the GUI, as described in Procedure 16-6. Table 29-8 lists the Y-axis parameters that you can display in the Mobile Flow plot.
Table 29-8 Mobile Flow plot Y-axis options
Parameters Uplink bytes Downlink bytes Total bytes Saturated Throughput (kbps) Uplink bytes per packet Downlink bytes per packet Downlink TCP Packet Loss Count Downlink TCP Packet Loss Rate (%) Average TCP RTT (ms) Minimum TCP RTT (ms) Maximum TCP RTT (ms) TCP RTT Samples Server TCP Syn RTT (ms) RAN TCP Syn RTT (ms) TCP Syn Retries
29-13
29 Subscriber view
Session chart
Each session (PPP session for CDMA or PDP context for UMTS) is represented by a horizontal line spanning the duration of the session. The y-axis represents a parameter selected from the Change Y axis drop-down menu on the right side of the plot. Table 29-9 lists the available Y-axis parameters that you can display in the Session plot.
Table 29-9 Session plot Y-axis options
Parameters Uplink bytes Downlink bytes Total bytes Effective Uplink Rate(kbps) Average TCP RTT Saturated Throughput(kbps) Downlink Throughput(kbps) Downlink TCP packet loss count Downlink TCP loss
Cumulative Resources chart
The bottom plot represents the cumulative volume, airtime, or signaling (selected from the Change Y axis drop-down menu on the right side of the plot) caused by the subscriber's flows in the time window. The Y-axis parameters that you can display in the Cumulative Resources plot are:
Cumulative Volume(bytes) Cumulative Airtime(seconds) Cumulative Signaling(connections) Flow Details button

You can click on the Flow Details button to display the flow in a table format in a separate tab. The data is presented in the same way as mobile flow data. See chapter 27 for information about how to use and interpret flow data.
29.11
Path tab components

The Path tab displays the network map and isolates the NEs associated with the subscriber activity. The data is presented in the same way as network graph. See Network Graph view in chapter 24 for information about how to use and interpret the network graph. You can export the contents of the Flow/Session report, as described in Common features and functions in section 16.4.
29-14
29 Subscriber view
Path panel interactions with Graphics view and Forensic reports

The right-click operations that open the Forensic reports parameters input page, which are described Generating Network Forensic reports from a Network Graph in chapter 24 are supported for the NEs and paths that appear in the network path tab.
29.12
Billing tab
The Billing tab displays the billing mismatch summary data and information for each session mismatch. Figure 29-6 shows the components of the Billing tab.
Figure 29-6 Subscriber Reports window - Billing tab
Table 29-10 describes the components of the Subscriber billing tab.

Table 29-10 Subscriber Reports window - Billing tab
Column or field Start Time End Time Excess Bytes Orig Bytes Acct Orig Bytes Recv Bytes Acct Recv Bytes Conns Acct Conns Airtime (secs) Acct Airtime (secs) Orig Pkts Acct Orig Pkts Recv Pkts Acct Recv Pkts
You can export the contents of the Billing report, as described in Common features and functions in section 16.4. See Billing Discrepancy report in section 31.7 for more information.
29-15
29 Subscriber view
29-16
Browser-based reporting and management
30 Browser-based reporting overview 31 Configuring browser-based reports 32 Subscriber Group Manager 32-1
30-1 31-1
30.1 Browser-based reporting overview 30.2 Generating a browser-based report 30.3 Input parameters page components 30.4 Report presentation page 30.5 Report types 30-7 30-12 30-6
30-2 30-2 30-3
30.6 Exporting reports
30-1
30.1
Browser-based reporting overview

Browser-based reports are intended to provide operators and network analysts with information about short and long-term trends in network events and activities. The reports collate and present the data that is collected by the 9900 WNG Detectors. The reports are web-based and accessed from a link on the 9900 WNG Central Home page using a browser. The web reports page is divided into two tabs:
Standard Reports tabcontains a sublist of the most commonly used reports.

You use the categorized hyperlinks to open the reports parameter input page. Repositorycontains a list of all of the reports that can be generated using the web interface. In each case, the reports are organized according to the following categories:
Network resource usage reports Network statistic reports Network elements reports Hop reports
Security reports Subscriber reports Applications reports Devices reports
See Table 31-1 for a lists the types of reports that you can generate and where you can find more information.
Legacy reports
If your system has reports generated by Release 1.2 or earlier, the link Get Legacy Reports (from Release 1.2 or earlier) appears on the 9900 WNG Central webpage. For information about how to use Release 1.2 reports, see the Release 1.2 User Guide.
30.2
Generating a browser-based report

Procedure 30-1 describes the high-level steps to generate a report.
Procedure 30-1 To generate a browser-based report

1 2 3 4 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Get Reports link. The Reports page appears with the Standard Reports tab displayed. Click on the link for the report that you need to generate. Configure the input parameters for the report. The general characteristics and behaviors of the parameter fields are described in Section 30.3. The input parameters for each report are listed in chapter 31.
30-2
5 6
Click on the Run Report button. The report is created and displayed in a report summary window. To change the input parameters, click on the Report Options button to return to the input parameters form.
30.3
Input parameters page components

The report input parameters page allows you to specify the parameters for the report that you need to generate. The fields vary, depending on the type of report. To access the input parameters for a report, click on any of the report links on the Standard Reports page. Figure 30-1 shows an example of the input parameters page.
Figure 30-1 Example of an input parameters screen
The following subsections describe the behavior of the commonly used fields.
30-3
Report controls
The following control buttons appear in the input parameter page, as listed in Table 30-1.
Table 30-1 Report controls
Button Reset Run Report Description Returns the input parameter form to the default values Executes the request based on the parameters that you configure. The report is generated and is displayed in a presentation page. Figure 30-2 shows an example of a chart report and Figure 30-3 shows an example of a table report. Cancels the request and returns to the Standard Reports page. You can also click on the Standard Reports tab to cancel and return to that page.
Cancel
Filters
You can specify input parameters for filters for some reports. Typically, the default values for the filters is #All#, which specifies that all data of the specified type is admitted in the report. You can change the default to allow only a subset of the data to be admitted in the report. Filter input parameters are displayed in list boxes. You can specify more than one filter criteria by holding down the CTRL button and clicking on multiple choices in the list box. To specify that all data be admitted, use the wildcard, which is a percentage sign (%).
Time parameter fields

This section describes the fields that are common to all input parameter pages.
Time Period, Start Day/Time, and End Day/Time
The first field of every input parameters page is Time Period. The field has a drop-down menu that enables you to select a time period that is relative to the current execution time, for example, Today, Yesterday, or Last Week (Sun to Sat) inclusively. This feature is particularly useful when you are scheduling a report. For example, to schedule a report to run early tomorrow morning, select Yesterday. When the report is executed, the report pulls data for yesterday relative to the report execution time.
Default settings for the Time period field
The default setting for the Time Period parameter is called Specified Below (the first selection). The Specified Below parameter indicates that the time period is specified in the following time-related fields which appear directly below the Time Period Parameter:
Start Day (or Start Day and Time) End Day (or End Day and Time)
30-4
You use the Users running a report interactively (as opposed to scheduling the report), most likely specified the start day/time and end day/time using the preceding fields. Reports that pull data from a single day includes only one time-related field, Choose a date (located below the Time Period field). The Overall subscriber cumulative distribution report is an example of this type of report.
Start Day/End Day versus Start Time/End Time fields
Reports that do not support sub-day time resolutions (that is Minute and Hour) display the Start Day and End Day fields. Reports that supports sub-day time resolutions display the Start Day Time and End Day and Time fields.
Calendar widgets
To display a calendar widget, click on the calendar icon on the input parameter. If the field is a Date and Time field, a Time field is also displayed below the monthly calendar. You can click on the hour and minute fields to increase the value, or shift-click on the hour and minute fields to decrease the value. You can also click on the hour and minute fields, and then drag right to increase the value; or click and then drag left to decrease the value. For the end day (or date/time), the specified value is always used inclusively for the time range. For example, to display data for the first two days of 2009, set the start date to January 1, 2009 and the end date to Jan 2, 2009 (not Jan 3, 2009). If the report supports sub-day resolutions (minute or hour), set the start date and time to Jan 1, 2009 00:00, and the end date to Jan 2, 23:59. Data for until the end of minute is included (that is, from 23:59:00.000 to 23:59.59.999).
Time zones
When you specify a time range and when you are reading a report, keep in mind that in browser-based reports, the time zone is always the local time zone of the Central machine.
Lag period to current time

Some reports pull data from database tables that are updated in real-time; others pull data from database tables that are updated at a regular hourly or daily intervals. For the latter, there is a lag period before you can see the data. For example, if a report depends on a daily summarization, you cannot see the data for the current day until after a daily summarization is completed after the end of the current day. If you query for todays data, you may get a report with no data. The description page for each report describes the lag period for each report.
30-5
Impact of daily summarization on early morning queries

The summarization process takes time to complete. If the data is not yet in the database table, generating a report retrieves no data. If you run a query for yesterday in early morning (immediately after midnight), the summarization process may not be complete, and you may generate a report with no data.
Note In general, for reports that require daily summarization,
Alcatel-Lucent recommends that you query for yesterdays data after 7:00 AM. If you generate a report in the early morning, the default end date/time on the input parameter page is the day before yesterday. In contrast, if you generate a report later in the day, the default end date/time on the input parameter page is yesterday. You can override the system default and select the end date/time.
30.4
Report presentation page

Reports are generated and displayed in a presentation page in two general formats: as graphical chart-based reports, as shown in Figures 30-2 to 30-5, or as table-based report, as shown in Figure 30-6.
Tool tips
Graphical charts are embedded with tool tips. If you move your cursor over a certain data point in a time-series plot or a data pie in a pie chart, you can display the data values of that data point. Tool tips offer a convenient way to display exact data values for certain data points.
Navigation icons on the presentation page

Table 30-2 describes the two navigation icons (from left to right) on the top left of each reports presentation page; see for example, Figure 30-2. For the remaining five icons that support export functions, see Table 30-3.
Table 30-2 Navigation icons
Name Report options Description Returns you to the input parameters page for the report. The parameter settings that you configured are preserved. Return you to the Standard Reports page where all standard reports are listed. The parameter settings that you configured are not preserved. Use to Adjust the original parameter settings that you used to generate the report. To return all fields to the system default values, click on the Reset button, as described in Table 30-1. Close the input parameters page and return to the Standard Reports page.
Back
30-6
30.5
Report types
The 9900 WNG web reports interface can generate report is several formats, depending on the type of data that you need to analyze or export. The report types are:
time-series charts stacked area charts cumulative distribution function charts pie charts tables
Time-series charts
Time-series charts are a type of line graph in which the x axis is always time, and the y axis is a variable that you can choose. Some time-series charts, such as those that treat NEs, allow you to view information about multiple NE for the purpose of comparison and trend analysis. Comparative charts use colored plots and lines and a color-coded legend to distinguish and identify the NEs. Figure 30-2 shows an example of a typical time-series chart.
30-7
30 Browser-based reporting overview Figure 30-2 Example of a time-series chart
Stacked area charts

A stacked area chart is used to view the overall distribution of network resources at-a-glance. Figure 30-3 shows an example of a typical stacked area chart.
30-8
30 Browser-based reporting overview Figure 30-3 Example of a stacked area chart
Cumulative distribution function charts

A CDF chart plots data points on an x-y axis. A data point at (x,y) indicates that means that there are y% of subscribers that have a value that is equal to or smaller than x. The x-axis is in log scale. Figure 30-4 shows an example of a typical CDF chart.
30-9
30 Browser-based reporting overview Figure 30-4 Example of a CDF chart
Pie charts
A pie chart is a graphical display of data that shows at-a-glance the relative proportion among the measured parameters. Each part of the chart is color-coded and explained in the legend. Key data for each part of the pie chart is identified by callout. You can also use the mouse-over function to view detailed information about each part. Figure 30-5 shows an example of a typical pie chart.
30-10
30 Browser-based reporting overview Figure 30-5 Example of a pie chart
Table reports
Reports in tabular format allow you to compare items (such as a type of entity or event) that share the same KPIs. The rows in the table can be configured to rank the entries. Figure 30-6 shows an example of a typical table report.
30-11
30 Browser-based reporting overview Figure 30-6 Example of a table report
30.6
Exporting reports
The available export functions depend on the type of report that you generate: graphical chart-based or table-based.
Export icons on the presentation page

Table 30-3 describes the five export icons that are adjacent to the two navigation icons on the top left of each reports presentation page.
Table 30-3 Export icons
Name Export to PDF Export to Excel Description Exports a PDF image of the presentation page. You can export chart- or table-based reports to a PDF file. Exports data from a table-based report to a Microsoft Excel file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export a chart-based report. Exports chart- or table-based reports to an RTF file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export the data in a chart-based report. Exports data from a table-based report to a CSV file. See Exporting graphical reports to an Excel or a CSV file in this section if you need to export a chart-based report.
Export to RTF
Export to CSV
(1 of 2)
30-12
Name View as Flash (2 of 2)
Description Displays the presentation page in a browser in Flash format. You can export chart- or table-based reports
Exporting graphical reports to an Excel or a CSV file

Chart-based reportsthat is, time-series plot or pie chartsare displayed as graphics and are exported as graphics. You cannot export graphics to RTF or CSV files. To export the raw data used to create the graphic, select the Show only raw data (no chart) option in the report input parameters when you create the report. If you have already run a report, but need to view or process the raw data behind a graphical charts, you must rerun the report in the Show only raw data mode. On the report presentation page, click on the Report Options button on the upper left of the presentation page to return the input parameters page. All of the previously chosen parameter values are retained. Select the Show only raw data (no chart) check box, and click Run Report to re-run the report. The report is presented as a table of raw data. On the presentation page, you can click on Export to Excel to get the raw data Similarly, the Export to CSV option generates CSV files that contains only the text data that surrounds the graphical chart, that is, the title and text in the header section. To display the raw data behind the graphical chart must first re-run the report in the Show only raw data mode using procedures as discussed earlier in this topic.
30-13
30-14
31.1 Browser-based reports parameters overview 31.2 Network resource usage reports 31.3 Network statistics reports 31.4 Network elements reports 31.5 Hop reports 31-25 31-28 31-29 31-36 31-5 31-10 31-2
31-2
31.6 Security reports 31.7 Subscriber reports
31.8 Applications reports 31.9 Devices reports 31.10 Troubleshooting
31-41 31-47
31-1
31.1
Browser-based reports parameters overview

This chapter describes the browser-based reports and the parameters, filters, and options that you can configure to customize the output. Table 31-1 lists the reports by category and where to find more information.
Table 31-1 Browser-based report types
Report type Network resource usage reports Network statistics reports Network elements reports Hop reports Security reports Subscriber reports Applications reports Devices reports See section 31.2 31.3 31.4 31.5 31.6 31.7 31.8 31.9
31.2
Network resource usage reports

Network resource usage reports provide information about the resources that are consumed in the network. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for network usage reports.
Description of network resource usage reports

You can generate the following network resource usage reports:
Incident breakdown by event type (pie chart) report Incident breakdown by event type (time plot) report Resource breakdown by event type report Resources breakdown by top application report
Incident breakdown by event type (time plot) report
This report is a time-series chart that shows the distinct count of incidents, broken down by event type. The counts are distinct counts. Distinct counts of different time periods cannot be summed to get the distinct counts of the combined periods.
31-2
31 Configuring browser-based reports Table 31-2 Incident breakdown by event type (time plot) report
Component Lag period to current time Input parameters and filters Report type Description None You can apply a filter on an event type to select a subset of incidents for the report. See the list of event types in Parameters overview for network resource usage reports in this section. Time resolution can be displayed in hours, days, or months. This report can be displayed in the following formats:
a time-series plotused for accurately comparing the relative counts of different event types stacked-area plotused to view the overall distribution at-a-glance
See Figure 30-2 for an example of a time-series chart and Figure 30-3 for an example of a stacked area chart. Raw data option Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Incident breakdown by event type (pie chart) report
This report displays a pie chart that shows the distinct counts of different incidents, broken down by event type.
Table 31-3 Incident breakdown by event type (pie chart) report
Component Lag period to current time Input parameters Report type Raw data option Remarks Description None The field parameters are set and cannot be changed. See the list of event types in Parameters overview for network resource usage reports in this section. See Figure 30-5 for an example of a pie chart report. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. The counts are distinct counts; distinct counts of different time periods cannot be summed to get the distinct counts of the combined periods.
Resource breakdown by event type report
This report shows three pie charts that compare the consumption of resourcesTraffic Volume, Airtime, and Number of Connection Setups by different event types.
Table 31-4 Resource breakdown by event type report
Component Lag period to current time (1 of 2) Description None
31-3
Component Input parameters Report type Raw data option Remarks
Description The event type parameters are set and cannot be changed. See the list of event types in Parameters overview for network resource usage reports in this section. See Figure 30-5 for an example of a pie chart report. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. When the Show the OTHER category field is checked, pie charts compare the relative resource consumption of anomaly events to the total resource consumption in the network, which can result in anomaly-event pies too small to compare. To display only the breakdown of anomaly-event consumption, uncheck the box; in this scenario, the total value of each pie chart is all the resource consumption due only to anomaly events. Because of space limitation, some pie charts do not have call-out labels. Mouse-over a section of the chart to display a tooltip with information about the data in the chart.
(2 of 2)
Resources breakdown by top application report
This report shows three pie charts that compare the resources consumptionsTraffic Volume, Airtime, and Number of Connection Setupsby different top applications.
Table 31-5 Resources breakdown by top application report
Component Lag period to current time Input parameters Description 7 to 31 hours. After 7:00 AM, the report can report data collected as late as last midnight; before 7:00 AM, the report can report data collected as late as two midnights before. The input parameters are set and cannot be changed:

Filters and options
Total traffic volume (Mbytes) Total airtime (hours) Total number of connection setups filter by realmto limit the data in the report to one or more realms Top Nto set the number of top application that are plotted. You can choose up to 20 top application to plot.
The following filters are available:

Report type Raw data option Remarks
See Figure 30-5 for an example of a pie chart report. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. For any given value of N (as in Top N), the report displays pie charts with more than N pies. This occurs because the set of Top N applications for the different types of resource consumption differ, and this report displays a consistent set of top applications that is a union of the sets of Top N applications for all three types of resource consumption. In each of the three big pie charts on the report, the total value is the total resource consumption for the top applications (that is, excluding those for the other applications). To display how the resource consumptions of this top set compare to the set of the other applications, use the three small pie charts (Top Apps versus Others) on the lower right corner. Because of space limitation, some pie charts do not have call-out labels. Mouse-over a section of the chart to display a tooltip with information about the data in the chart.
Parameters overview for network resource usage reports

The following subsections describe the values that are monitored in the Event type and Resource type fields.
Event types for network resource usage reports
The 9900 WNG can monitor the following types of events.
SIGATTACK_SINGLE_SRC BATTERYATTACK_SINGLE_SRC P2P_MOBILE ALWAYS_ACTIVE_SUB HIGH_USAGE_SUB HIGH_SIGNALING_SUB PORTSCAN_HORIZ PORTSCAN_VERT UNWANTED_SRC FLOOD_MOBILE_SINGLE_SRC BATTERYATTACK_DISTRIBUTED FLOOD_MOBILE_DISTRIBUTED ROUTER_DISCOVERY_ABUSE MIP_SIGNALING_ABUSE
Resource types for network resource usage reports
The 9900 WNG can monitor the following types of resources:
Traffic Volume (Mbytes) Airtime (Hours) Number of Conn Setups
31.3
Network statistics reports

This section describes the different types of reports that display network statistics. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for network statistics reports.
Description of network statistics reports

You can generate the following network resource usage reports:
Overall network time plot (traffic) report Overall network time plot (sessions and events) report Detector time plot (traffic) report Detector time plot (sessions and events) report Roaming traffic report
Overall network time plot (traffic) report
This report is a time-series plot that shows the overall network traffic data volume, data rate, packets, or flows).
31-5
31 Configuring browser-based reports Table 31-6 Overall network time plot (traffic) report
Component Lag period to current time Input parameters Report type Raw data option Description None The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. For a list of traffic parameters that you can plot, see Traffic parameters in this section. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Overall network time plot (sessions and events) report
This report is a time-series plot that shows information about the overall network with respect to one of the following categories:
number of sessions events TCP reset packets ICMP unreachable packets

Table 31-7 Overall network time plot (sessions and events) report
Component Lag period to current time Input parameters Report type Raw data option
Description None The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. For a list of fields that you can plot, see Sessions and events parameters in this section. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Detector time plot (traffic) report
This report is a time-series plot that shows the traffic datavolume, data rate, packets, or flowsas measured by one or more 9900 WNG Detectors. You can also plot the sum of the data that is measured across all 9900 WNG Detectors.
Table 31-8 Detector time plot (traffic) report
31-6
Component Input parameters
Description The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute.You can choose multiple detectors to compare according to the traffic parameters. For a list of traffic parameters that you can plot, see Traffic parameters in this section. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Report type Raw data option (2 of 2)
Detector time plot (sessions and events) report
This report is a time-series plot that shows one of the following categories as measured by one or more 9900 WNG Detectors:
number of sessions events TCP reset packets ICMP unreachable packets

Table 31-9 Detector time plot (sessions and events) report
Component Lag period to current time Input parameters
Description None The Time Resolution parameter enables fractional-day time resolutions by day, hour, and minute. You can choose multiple detectors to compare according to the session and event parameters. For a list of parameters that you can plot, see Sessions and events parameters in this section. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Report type Raw data option
Roaming traffic report
This report presents For either format, the numbers are broken down by providers. For multi-day reports, you can show the data as a daily average or a multi-day total.
Table 31-10 Roaming traffic report
Component Lag period to current time (1 of 2) Description 7 to 31 hours. After 7:00 AM, the report can report data collected as late as last midnight; before 7:00 AM, the report can report data collected as late as two midnights before
31-7
Component Input parameters, filters, and options
Description The following options and filters are available:

Time Period filterto display data about multiple cells during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Provider nameto generate the report with data for one or more specified providers Order by (mandatory field)to sort the table data according to one of the following Number of concurrent sessions Volume Organization name Packets Flows Network families filterto filter on 3GPP, 3GPP2, or all networks Roaming-inshows the traffic data (volume, packet count, flow count, number of concurrent sessions) of other providers subscribers on your network. Roaming-outshows the traffic data of your subscribers being served by other providers in their networks. a daily average a multi-day total
This report can be generated in the following formats:
You can configure the report to present the data as:
See Figure 30-6 for an example of a table report. Not applicable You must always exclude the name of your service provider, otherwise the traffic data of your non-roaming subscribers are included in the report. (Check the field, My provider name(s) to be excluded.) Visibility of data depends on the location of the 9900 WNG Detectors that probe the network. For example, if the Detectors are probing from the south of a GGSN/HA, the roaming-in reports may show no data.
(2 of 2)
Parameters overview for network statistics reports

The parameters that can be plotted and/or tabulated are listed below.
Traffic parameters
Data in any permutations of the attributes All traffic, Total (Uplink+Downlink), and Volume (Mbytes):
All traffic or unidirection only All traffic Unidirection only
31-8
Direction Total (Uplink + Downlink) Uplink Downlink M2I (Mobile to Internet) I2M (Internet to Mobile) M2M Uplink (Uplink Mobile to Mobile) M2M Downlink (Downlink Mobile to Mobile) Traffic measure type: Volume (Mbytes) Data Rate (Mb/s) Packets Flows
Sessions and events parameters
The following types of sessions and events can be plotted and/or tabulated:
Number of concurrent sessions Number of SIGATTACK_SINGLE_SRC Number of RNC_OVERLOAD Number of BATTERYATTACK_SINGLE_SRC Number of PORTSCAN_VERT Number of PORTSCAN_HORIZ Number of ALWAYS_ACTIVE_SUB Number of HIGH_USAGE_SUB Number of P2P_MOBILE Number of UNWANTED_SRC Number of MOBILE_FLOW Number of HIGH_SIGNALING_SUB Number of BATTERYATTACK_DISTRIBUTED Number of FLOOD_MOBILE_SINGLE_SRC Number of FLOOD_MOBILE_DISTRIBUTED Number of ROUTER_DISCOVERY_ABUSE Number of MIP_SIGNALING_ABUSE TCP Reset Packets I2M TCP Reset Packets M2I TCP Reset Packets M2M Uplink TCP Reset Packets M2m Downlink ICMP Unreachable Packets I2M ICMP Unreachable Packets M2I ICMP Unreachable Packets M2M Uplink ICMP Unreachable Packets M2M Downlink
31-9
31.4
Network elements reports

Network element reports retrieve all data associated with one or more network elements. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters and options that you can configure for network elements reports.
Description of network element reports

You can generate the following network elements reports:
Tier 1 cells Cell comparison table (CDMA) report Cell comparison table (UMTS) report Cell time plot (traffic) report Cell time plot (sessions and performances) report Cell multi-element time-trend table (CDMA) report Cell multi-element time-trend table (UMTS) report Cell cumulative dist. (CDMA; traffic) report Cell cumulative dist. (CDMA; session & perf) report Cell cumulative dist. (UMTS; traffic) report Cell cumulative dist. (UMTS; session & perf) report Tier 2 RNCs RNC comparison table report RNC time plot (traffic) report RNC time plot (sessions and performances) report RNC multi-element time-trend table report Tier 3 SGSNs (UMTS systems), PDSNs (CDMA systems), or both SGSN/PDSN comparison table report SGSN or PDSN time plot (traffic) report SGSN or PDSN time plot (sessions and performances) report SGSN/PDSN multi-element time-trend table report Tier 4 GGSNs (UMTS systems) and HAs (CDMA systems) GGSN/HA comparison table report GGSN or HA time plot (traffic) report GGSN or HA time plot (sessions and performances) report GGSN/HA multi-element time-trend table report
Cell comparison table (CDMA) report
This report is a table that shows the total activity for a specified CDMA cell or group of cells, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs. See Parameters overview for network element reports in this section for a list of the parameters that are plotted in this report.
31-10
31 Configuring browser-based reports Table 31-11 Cell comparison table (CDMA) report
Component Lag period to current time Input parameters, filters, and options Description None The following filters are available:
Hours of the day filterto display data about the cell during specified hours of the day, such as peak hours Hierarchical filterto display only the cells that are connected to one or more specified RNCs. ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. The ID fields support the wildcard search function, in which a percentage symbol (%) represents the wildcard.
See Figure 30-6 for an example of a table report. Not applicable
Cell comparison table (UMTS) report
This report is a table that shows the total activity for a specified UMTS cell or group of cells, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs. See Parameters overview for network element reports in this section for a list of the parameters that are plotted in this report.
Table 31-12 Cell comparison table (UMTS) report
Time of day filterto display data about the cell during specified periods of the day, such as peak hours Hierarchical filterto display only the cells that are connected to one or more specified RNCs. ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. The ID fields support the wildcard search function, in which a percentage symbol (%) represents the wildcard.
Cell time plot (traffic) report
This report is a time-series plot that shows the traffic data (volume, data rate, packets, or flows) as seen on one or more cell sites. See Parameters overview for network element reports in this section for a list of the parameters that are plotted in this report.
31-11
31 Configuring browser-based reports Table 31-13 Cell time plot (traffic) report
Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. The following filters are available:
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Traffic filtersSee Parameters overview for network element reports in this section for information about traffic measures and traffic measure types that you can plot Top N cellsSee Specifying network elements in network element reports in this section for information about how to specify and sort the cells on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Cell time plot (sessions and performances) report
This report is a time-series plot that shows one of the following categories as seen on one or more cell sites:
number of sessions number of connection setups airtime, number handoffs number TCP reset number ICMP unreachable downlink RTT downlink loss rate downlink subscriber throughput.
Table 31-14 Cell time plot (sessions and performances) report
Component Lag period to current time Input parameters, filters, and options
Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. The following filters are available:
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Session and performance filtersSee Sessions and performance parameters for network element reports in this section for a list of the parameters that you can plot Top N cellsSee Specifying network elements in network element reports in this section for information about how to specify and sort the cells on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
31-12
Cell multi-element time-trend table (CDMA) report
This report is a time trend table that displays data about one or more CDMA cells in one table.
Table 31-15 Cell multi-element time-trend table (CDMA) report
Time Period filterto display data about multiple cells during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours Hierarchical filterto display only the cells that are connected to one or more specified RNCs. ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. See Specifying cells by ID in this section for more information. Time resolutionto modify the reporting interval by minute, hour, or day for the specified range of dates
Cell multi-element time-trend table (UMTS) report
This report is a time trend table that displays data about one or more UMTS cells in one table.
Table 31-16 Cell multi-element time-trend table (UMTS) report
Time of day filtersto display data about multiple cells during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours Hierarchical filterto display only the cells that are connected to one or more specified RNCs. ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See Specifying cells by ID for more information Time resolutionto modify the reporting interval by minute, hour, or day for the specified range of dates
31-13
Cell cumulative dist. (CDMA; traffic) report
This report is a cumulative distribution function plot in which the x axis is a specified traffic KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.
Table 31-17 Cell cumulative dist. (CDMA; traffic) report
Time Period filterto display data for a specified day Traffic filtersSee Parameters overview for network element reports for information about traffic measures and traffic measure types that you can plot Hierarchical filterto display only the cells that are connected to one or more specified RNCs ID filtersto specify the SID, NID, CID for CDMA cells in decimal format. See Specifying cells by ID for more information. Top N cellsSee Specifying network elements in network element reports for information about how to specify and sort the cells on which to report
See Figure 30-4 for an example of a CDF report. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Cell cumulative dist. (CDMA; session & perf) report
This report is a cumulative distribution function plot in which the x axis is a specified session and performance KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.
Table 31-18 Cell cumulative dist. (CDMA; session & perf) report
Time Period filterto display data for a specified day Session and performance filtersSee Sessions and performance parameters for network element reports for a list of the parameters that you can plot Top N cellsSee Specifying network elements in network element reports for information about how to specify and sort the cells on which to report Time resolutionSee Specifying time resolutions in network element reports for information about the characteristics of different time resolutions
31-14
Cell cumulative dist. (UMTS; traffic) report
This report is a cumulative distribution function plot in which the x axis is a specified traffic KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.
Table 31-19 Cell cumulative dist. (UMTS; traffic) report
Time Period filterto display data for a specified day Traffic filtersSee Parameters overview for network element reports in this section for information about traffic measures and traffic measure types that you can plot Hierarchical filterto display only the cells that are connected to one or more specified RNCs ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See Specifying cells by ID in this section for more information. Top N cellsSee Specifying network elements in network element reports in this section for information about how to specify and sort the cells on which to report
Cell cumulative dist. (UMTS; session & perf) report
This report is a cumulative distribution function plot in which the x axis is a specified session and performance KPI and the y axis is the percentage of cells that have the field value equal to or smaller than x.
Table 31-20 Cell cumulative dist. (UMTS; session & perf) report
Time Period filterto display data for a specified day Session and performance filtersSee Sessions and performance parameters for network element reports in this section for a list of the parameters that you can plot Hierarchical filterto display only the cells that are connected to one or more specified RNCs ID filtersto specify the MCC, MNC, LAC, and Cell-ID for UMTS cells in decimal format. See Specifying cells by ID in this section for more information. Top N cellsSee Specifying network elements in network element reports in this section for information about how to specify the top cells on which to report
31-15
RNC comparison table report
This report is a table that shows the total activity for a specified RNC or group of RNCs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.
Table 31-21 RNC comparison table report
Time Period filterto display data for a specified day Hour of day filterto display data about the RNC during specified periods of the day, such as peak hours Hierarchical filterto display only the RNCs that are connected to one or more SGSN or PDSN NEs. RNC comparison filterto specify specific RNCs for comparison Top NsSee Specifying network elements in network element reports in this section for information about how to specify and sort the top RNCs on which to report
RNC time plot (traffic) report
This report is a time-series plot that shows the traffic data (volume, data rate, packets, or flows) on one or more RNCs.
Table 31-22 RNC time plot (traffic) report
Component Lag period to current time Input parameters Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. See Parameters overview for network element reports in this section for a list of available parameters. The following filters are available:
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Traffic filtersSee Parameters overview for network element reports in this section for information about traffic measures and traffic measure types that you can plot RNC comparison filterto specify specific RNCs for comparison Top NSee Specifying network elements in network element reports in this section for information about how to specify and sort the RNCs on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. For information about how to specify network element reports, see section 31.4.
31-16
RNC time plot (sessions and performances) report
This report is a time-series plot that shows one of the following statistics on one or more RNCs:
number of sessions number of connection setups airtime, number handoffs number TCP reset
number ICMP unreachable downlink RTT downlink loss rate downlink subscriber throughput
Table 31-23 RNC time plot (sessions and performances) report

Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Session and performance filtersSee Sessions and performance parameters for network element reports in this section for a list of the parameters that you can plot RNC comparison filterto specify specific RNCs for comparison Top NSee Specifying network elements in network element reports in this section for information about how to specify and sort the RNCs on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
RNC multi-element time-trend table report
This report is a time trend table that displays data about one or more RNCs in one table.
Table 31-24 RNC multi-element time-trend table report
31-17
Description The following filters are available:
Time Period filterto display data about the RNC during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours Hierarchical filterto display only the RNCs that are connected to one or more specified SGSNs or PDSNs RNC comparison filtersto specify one or more RNCs for comparison Time resolutionto modify the reporting interval by minute, hour, or day for the specified range of dates
SGSN/PDSN comparison table report
This report is a table that shows the total activity for a specified SGSN or PDSN or group of SGSNs or PDSNs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.
Table 31-25 SGSN/PDSN comparison table report
Time Period filterto display data for a specified day Hour of day filterto display data about the SGSNs or PDSNs during specified periods of the day, such as peak hours SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison Top NsSee Specifying network elements in network element reports in this section for information about how to specify and sort the top SGSNs and PDSNs on which to report
SGSN or PDSN time plot (traffic) report
This report is a time-series plot that shows the traffic datavolume, data rate, packets, or flow dataas seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems).
31-18
31 Configuring browser-based reports Table 31-26 SGSN or PDSN time plot (traffic) report
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Traffic filtersSee Parameters overview for network element reports in this section for information about traffic measures and traffic measure types that you can plot SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison Top NsSee Specifying network elements in network element reports in this section for information about how to specify and sort the top SGSNs and PDSNs on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
SGSN or PDSN time plot (sessions and performances) report
This report is a time-series plot that shows one of the categories of information as seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems):
number of sessions number of connection setups airtime, number handoffs number TCP reset number ICMP unreachable downlink RTT downlink loss rate downlink subscriber throughput.
Table 31-27 SGSN or PDSN time plot (sessions and performances) report
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Session and performance filtersSee Sessions and performance parameters for network element reports for a list of the parameters that you can plot SGSN and PDSN comparison filterto specify specific SGSNs and PDSs for comparison Top NsSee Specifying network elements in network element reports in this section for information about how to specify and sort the top SGSNs and PDSNs on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
Report type (1 of 2)
See Figure 30-2 for an example of a time-series chart.
31-19
Component Raw data option (2 of 2)
Description Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
SGSN/PDSN multi-element time-trend table report
This report is a time trend table that displays data about one or more SGSN or PDSNs in one table.
Table 31-28 SGSN/PDSN multi-element time-trend table report
Time Period filterto display data about the NE during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours SGSN/PDSN filterto specify a SGSN or PDSN, or to compare multiple SGSNs or PDSNs Time resolutionto modify the reporting interval by minute, hour, or day for the specified range of dates
GGSN/HA comparison table report
This report is a table that shows the total activity for a specified GGSN or HA or group of GGSNs or HAs, including key indicators that measure traffic, sessions, and performance, such as total traffic, throughput, number of concurrent session, and number of handoffs.
Table 31-29 GGSN/HA comparison table report
Time Period filterto display data for a specified day Hour of day filterto display data about the GGSNs or HAs during specified periods of the day, such as peak hours GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison Top NsSee Specifying network elements in network element reports in this section for information about how to specify and sort the top GGSNs and HAs on which to report
Report type (1 of 2)
See Figure 30-6 for an example of a table report.
31-20
Component Raw data option (2 of 2)
Description Not applicable
GGSN or HA time plot (traffic) report
This report is a time-series plot that shows the traffic datavolume, data rate, packets, or flowsas seen on one or more GGSNs (UMTS systems) or HA (CDMA systems).
Table 31-30 GGSN or HA time plot (traffic) report
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Traffic filtersSee Parameters overview for network element reports in this section for information about traffic measures and traffic measure types that you can plot GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison Top NsSee Specifying network elements in network element reportsin this section for information about how to specify and sort the top GGSNs and HAs on which to report Time resolutionSee Specifying time resolutions in network element reports in this section for information about the characteristics of different time resolutions
GGSN or HA time plot (sessions and performances) report
This report is a time-series plot that shows one of these information as seen on one or more SGSNs (UMTS systems) or PDSNs (CDMA systems):
number of sessions number of connection setups airtime number handoffs number TCP reset
number ICMP unreachable downlink RTT downlink loss rate downlink subscriber throughput
Table 31-31 GGSN or HA time plot (sessions and performances) report

Component Lag period to current time (1 of 2) Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before.
31-21
Description The following filters are available:
Time Periodto specify an inclusive time period. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Session and performance filtersSee Sessions and performance parameters for network element reports for a list of the parameters that you can plot GGSN and HA comparison filterto specify specific GGSNs and HAs for comparison Top NsSee Specifying network elements in network element reports for information about how to specify and sort the top GGSNs and HAs on which to report Time resolutionSee Specifying time resolutions in network element reports for information about the characteristics of different time resolutions
GGSN/HA multi-element time-trend table report
This report is a time trend table that displays data about one or more GGSN or HAs in one table.
Table 31-32 GGSN/HA multi-element time-trend table report
Time Period filterto display data about the NE during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Hour of day filterto display data about multiple cells during specified periods of the day, such as peak hours GGSN/HA comparison filterto specify a GGSN or HA, or to compare multiple GGSNs or HAs Time resolutionto modify the reporting interval by minute, hour, or day for the specified range of dates
Parameters overview for network element reports

For each tier of NEs there are two types of time-series and cumulative distribution charts: one for traffic, and one for sessions and performance.
31-22
Traffic parameters for network element reports
Shows a data field with any permutation of the attributes All traffic, Total (Uplink+Downlink), and Volume (Mbytes)
All traffic or unidirection only All traffic Unidirection only Direction Total (Uplink + Downlink) Uplink Downlink M2I (Mobile to Internet) I2M (Internet to Mobile) M2M Uplink (Uplink Mobile to Mobile) M2M Downlink (Downlink Mobile to Mobile)
Traffic measure types parameters for network element reports
The following are measure types:
Volume (Mbytes); Bytes for RNCs Data Rate (Mb/s) Packets Flows
Sessions and performance parameters for network element reports
Displays one of the following types of data:
Number of Concurrent Sessions Min Number of Concurrent Sessions Max Number of Concurrent Sessions Number of Connection Setups Total (Up+Down) Min Number of Connection Setups Uplink Min Number of Connection Setups Downlink Airtime Number of Handoffs In Number of Handoffs Out TCP Reset Packets I2M TCP Reset Packets M2I TCP Reset Packets M2M Uplink TCP Reset Packets M2M Downlink ICMP Unreachable Packets I2M ICMP Unreachable Packets M2I ICMP Unreachable Packets M2M Uplink ICMP Unreachable Packets M2M Downlink
31-23
Downlink RTT (Mean) Downlink RTT (Min) Downlink RTT (Max) Downlink TCP Loss Rate Downlink TCP Packets Downlink TCP Loss Saturated Downlink Subscriber Throughput Average Downlink Subscriber Throughput Common configuration options for network reports
The following sections describe common configuration options for the network element reports
Specifying network elements in network element reports
You can specify the network elements on which to report using one of the following methods:
Explicitly named network elementsYou can also choose specific network

elements to be reported on. For cell reports (Tier 1 network element), use the text field to enter the cell IDs; for reports of the other three tiers of network elements, choose NE name from the drop-down menu. In both cases, you can specify more than one NE. For cell (Tier 1) reports, use commas to separate the cell IDs; for the other three tiers, press Ctrl + click to select more than one entry from the drop-down menu. Top Npick the top N (where N is the number of NEs) network elements as sorted by one of the following metrics:
The sorting field for the Top N. The field represents the index parameter for the
table, and can be chosen from the available traffic and session and performance parameters listed in Parameters overview for network element reports in this section. ascending or descending order for the top N
Specifying cells by ID
You can specify the SID, NID, CID for CDMA cells and the MCC, MNC, LAC, and Cell-ID for UMTS cells. To activate the fields, you must select the Select cells by name pattern check box. All ID values are expressed in decimal format. The ID fields support the wildcard search function, in which a percentage symbol (%) represents all IDs of the specified type.
Specifying time resolutions in network element reports
You can select one of the following time resolutions:
Minute (for Tier 2-4 reports) or Two-minute (for cell reports) Hour Day
31-24
Reports with a sub-day time resolution have no lag period to current time, whereas reports that rely on a daily summarization procedure have a lag period to current time.
Note Sub-day time resolution reports may take longer to execute. For sub-day reports, a limit is imposed on the number of days that the report covers. See Table 31-33 for more information.
Characteristics of time resolutions
Table 31-33 lists the characteristics for time resolution options.

Table 31-33 Characteristics of time resolutions
Option Sub-day time resolution Time Resolution Minute (for Tier2-4 network elements) 2 Minutes (for cells only) Hour Daily time resolution Day Execution time Slower Lag period to current time None Limit on number of days to be reported 7 days
Slower Slower Faster
None None 7 to 31 hours
7 days 40 days None
31.5
Hop reports
Network hop reports are time-series charts that report on one of three types of hops, as described in Table 31-34.
Table 31-34 Types of network hops by tier
Tiers of network elements linked by the hop Tier-2 to Tier-1 Tier-3 to Tier-2 Tier-4 to Tier-3 Hop From network element RNC SGSN (UMTS systems) PDSN (CDMA systems) GGSN (UMTS systems) HA (CDMA systems) SGSN (UMTS systems) PDSN (CDMA systems) To network element Cell RNC
The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for hop reports.
31-25
Description of hop reports

You can generate the following hop reports:
RNC-to-cell hop time plot report RNC-to-cell hop time plot report RNC-to-cell hop time plot report
RNC-to-cell hop time plot report
This report displays a time-series plot that shows data as seen on one or more hops from an RNC to a cell site.
Table 31-35 RNC-to-cell hop time plot report
Component Lag period to current time Input parameters Report type Raw data option Description For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. See Parameters overview for hop reports in this section for more information. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
SGSN/PDSN-to-RNC hop time plot report
This report displays a time-series plot that shows data as seen on one or more hops from an SGSN (on UMTS systems) or a PDSN (on a CDMA system) to an RNC.
Table 31-36 SGSN/PDSN-to-RNC hop time plot report
Component Lag period to current time Input parameters Report type Raw data option Description For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report can displays data collected as late as two midnights before See Parameters overview for hop reports in this section for more information. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
GGSN-to-SGSN or HA-to-PDSN hop time plot reports
This report displays a time-series plot that shows data as seen on one or more hops from the GGSN to the SGSN or from the HA to the PDSN.
31-26
31 Configuring browser-based reports Table 31-37 GGSN-to-SGSN or HA-to-PDSN hop time plot reports
Component Lag period to current time Input parameters Report type Raw data option Description For daily time resolutions, the lag period to current time is 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report can displays data collected as late as two midnights before See Parameters overview for hop reports in this section for more information. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Parameters overview for hop reports

The following parameters can be plotted and/or tabulated for hops reports from the mandatory Field drop-down menu:
Number of Concurrent Sessions Min Number of Concurrent Sessions Max Number of Concurrent Sessions Total (Up+Down) Volume Uplink Volume Downlink Volume Total (Up+Down) Data Rate Uplink Data Rate Downlink Data Rate Loss Rate
Specifying hops
You can specify hops using one of the following methods.
Top Nto pick the top N hops as sorted by the field that is being plotted Explicitly specifying hopsto select specific hops on which to report
For RNC-to-base-station hop reports, enter the RNC names and base-station IDs on free-text fields. The syntax of the string for each hop is as follows: RNC_name-BSID For example, test_rnc_lai1-310410a041090b where test_rnc_lai1 is the RNC name and 310410a041090b is the base station ID. For reports of the other two types of hops, select from the drop-down menu of possible hops. In both cases, you can specify more than one network element. For RNC-to-base-station reports, use comma-separated the strings using the syntax described above. For reports of the other two types of hops, you can use Ctrl + click to select more than one entry from the drop-down menu.
31-27
Time Resolution
Hop reports can be plotted with fractional-day time resolutions by minute, hour and day:
by minute for a duration of up to 7 days (2 minutes intervals for hops that involve
cells) by hour for a duration of up to 40 days by day. There is no limit on duration.
31.6
Security reports
This sections describes security-related reports. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for security reports.
Description of security reports

You can generate the following security reports:
Top attackers at or above a specified intensity level report Top scanners report
Top attackers at or above a specified intensity level report
This report displays a table that lists the top attackers according to the following criteria:
Rank Intensity Attacker Type Event Type
# of Incidents Attacker Max Duration (Hrs)
Table 31-38 Top attackers at or above a specified intensity level report

Attacker typeto filter by internet source, mobile source or both Event typesSee Event types for network resource usage reports in section 31.2 for a list of event types. Intensity levelto set the level at or above which to report an attacker. Attackers of the same intensity level are sorted by duration and then by attacker identity.
31-28
Component Remarks
Description Max Duration shows the maximum possible attack duration from an attacker from the moment the attacker launched the attack to the last moment that the same attacker had an ongoing attack, including idle time in between the attacks. This duration is bound by the report time range, so attacks before or after the report time range are not included.
(2 of 2)
Top scanners report
This report displays a table that lists the top scanners according to the following criteria:
Rank Mobile Scanner NAI Application Number of Scans
Scan Volume (Mbytes) Number of Conn Setups Scan Airtime (Hours)
Table 31-39 Top scanners report

Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. You can specify one of the following scanner types for the top N scanners:
mobile scanners Internet scanners
The number of top scanners (N) is limited to 1000 for a single day report, and 50 for a multi-day report. You can sort by one of the following:

number of scans scan volume number of connection setups scan airtime
31.7
Subscriber reports
This section describes Subscriber reports. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for subscriber reports.
31-29
Description of subscriber reports

You can generate the following subscriber reports:
Overall subscriber cumulative distribution report Subscriber time plot report Single subscriber time trend table report Top mobile (single day; multiple params) report Top Mobiles reports Top servers report Realm/APN comparison table report Billing Discrepancy report
Overall subscriber cumulative distribution report
This report displays the overall distribution of a specified field in a CDF plot. A data point at (x,y) means that there are y% of subscribers having the field value equal to or smaller than x. The x-axis is in log scale.
Table 31-40 Overall subscriber cumulative distribution report
Subscriber group filterto display data about the subscribers that are included in a specified group. See Chapter 32 for information about subscriber groups. Network families filterto filter on 3GPP or 3GPP2 networks Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination.(1) Device manufacturer or modelto filter on one or more devices Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the percentage sign (%) as a wildcard.
See Figure 30-4 for an example of a CDF report. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. This report always displays data for a single day. The number of included subscribers is displayed on the header of the report. The total number of subscribers can be less than the population size for one of the following reasons:
Some subscribers did not meet a filter criterion and were excluded from the plot For performance-related data fieldsthroughput, RTT, loss ratethere may not be enough measurable samples for some subscribers to make a reliable inference on the data value.
Note
(1)
If a subscriber has accessed more than one technology during the day, the web report interface displays the combined cumulative subscriber usage data and does not separate the data according to the mobile technology. See section 29.10 for more information about how to view the technology used by a subscriber on a per-flow basis using the GUI-based subscriber reports.
Subscriber time plot report
This report displays the time-series plot of one or more subscribers.

31 Configuring browser-based reports Table 31-41 Subscriber time plot report

Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. You must configure the Field parameter with one of the values listed in Fields that can be plotted or tabulated for subscriber reports in this section. You can select the subscribers to be plotted from either the drop-down menu or you can specify them in the text box field. The drop-down menu lists the top subscribers by their recent traffic volume. If you know the subscribers IDs, you can also type them in the text box. You can enter more than one subscriber IDs by using commas to separate the IDs. Do not enter the @ suffixthe system ignores this part of the address. See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30.
Single subscriber time trend table report
This report generates a table that six different fields for a single specified subscriber. Each row in the table displays the data for a specified day.
Table 31-42 Single subscriber time trend table report
Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted or tabulated for subscriber reports in this section. You must select one subscriber:
by choosing the ID from the Mobile ID drop-down menu By entering a mobile ID in the text field
If you enter a mobile ID in the text field, the selection from the drop-down menu is ignored. In the drop-down menu, the top 10 subscribers (by their recent traffic volumes) are listed first; then, the next 990 top subscribers are listed in the order of their IDs. Report type Raw data option See Figure 30-6 for an example of a table report. Not applicable
Top mobile (single day; multiple params) report
This report displays a table listing four different fields of the top subscribers. You can select four fields and specify the field that are used as index to find the top subscribers. For the list of fields that can be tabulated, see section 31.7.
31-31
31 Configuring browser-based reports Table 31-43 Top mobile (single day; multiple params) report
Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. See Fields that can be plotted or tabulated for subscriber reports in this section. The following filters are available:
Subscriber group filterto display data about the subscribers that are included in a specified group. See Chapter 32 for information about subscriber groups. Network families filterto filter on 3GPP or 3GPP2 networks Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination thereof. Mobile realmto filter on one or more mobile service providers Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the percentage sign (%) as a wildcard.
Four fields can be used to sort the data: the Order by field and the additional output fields. For each field, choose one of the parameters that are listed in Fields that can be plotted or tabulated for subscriber reports in this section. Report type Raw data option Remarks See Figure 30-6 for an example of a table report. Not applicable The report covers a period of one day. The related report, Top Mobiles reports, can cover a multi-day period, but with fewer choices of fields that can be tabulated. If the system cannot derive the manufacturer and/or model name, the column Device Manufacturer/Model is left blank.
Top Mobiles reports
Unlike the Top mobile (single day; multiple params) report, which shows one day of data, the Top Mobiles report can tabulate multiple days of data. The report always contains the following fields:
Rank (Mobile ID / IMSI) @ (Realm / APN) Total Traffic Volume (Mbytes) Total Number of Conn Setups Total Airtime (Hours) Total Number of Flows Total Number of Packets
Table 31-44 Top Mobiles report
Component Lag period to current time (1 of 2)
Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before.
31-32
Description You can select one of the following fields as the sorting index:
Traffic volume Number of conn setups Airtime Number of flows Number of packets The sorting field is indicated in the report by an asterisk (*) on the column header.
Report type Raw data option Remarks (2 of 2)
See Figure 30-6 for an example of a table report. Not applicable This report runs faster than the Top mobile (single day; multiple params) report.
Top servers report
This report displays seven tabulated field values for the top servers. The set of fields cannot be changed; the report always contains the following fields:
Rank Server Application Average Number of Distinct Active Sessions (per day) Total Traffic Volume (Mbytes)
Total Number of Conn Setups Total Airtime (Hours) Total Number of Flows Total Number of Packets
Table 31-45 Top servers by traffic volume report

Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. You can choose to tabulate only Internet servers, only mobile servers, or both. For Internet servers, the report displays their IP addresses; for mobile servers, the report displays the NAI of the mobile subscribers. You can select one of the following fields as the sorting index:

Number of Distinct Active Sessions Traffic Volume Number of Conn Setups Airtime Number of Flows Number of Packets The sorting field is indicated in the report by an asterisk (*) on the column header.
See Figure 30-6 for an example of a table report. Not applicable The Application field is derived from the protocol and port number that the server was serving. A server can serve multiple applications; in such a scenario, if there is a predominant application, the report shows the applications configured name or its protocol/port pair; if no application is predominant, the report displays #multiple#.
31-33
Realm/APN comparison table report
This report compiles all of the data associated with UMTS APNs or CDMA realms in one table.
Table 31-46 Realm/APN comparison table report
Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. Choose the realms that you need to compare from the Choose realms list. The following filter is available:
Network families filterto filter on 3GPP or 3GPP2 networks Network technology by sessionto filter on 2.5G, 3G, and 4G access or a combination thereof. Mobile realmto filter on one or more mobile service providers Mobile ID or IMSI filterto specify a mobile ID or IMSI. This field supports the use of the percentage sign (%) as a wildcard.
You can sort the data using the Realm name parameter or one of the parameters listed in Fields that can be plotted or tabulated for subscriber reports in this section. Report type Raw data option Remarks See Figure 30-6 for an example of a table report. Not applicable The time period for the comparative table is limited to one day.
Billing Discrepancy report
This report shows the discrepancies between the traffic data and accounting records detected by the 9900 WNG system. The data is displayed in a table with the following columns:
Mobile NAI Excess Bytes (MB) Uplink Seen (MB) Uplink Acct (MB)
Downlink Seen (MB) Downlink Acct (MB) Seen Pkts Acct Pkts
Table 31-47 Billing Discrepancy report

Component Lag period to current time Input parameters, filters, and options Report type Raw data option (1 of 2) Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. You can configure the number of table rows to display.
31-34
Component Remarks (2 of 2)
Description The table is sorted in descending order according to the Excess Bytes field.
Parameters overview for subscriber reports

The following sections describe the available parameters.
Fields that can be plotted or tabulated for subscriber reports
You can use the following fields to filter the output of subscriber reports.
Total (Orig. + Recv.) Volume Orig. Volume Recv. Volume Total (Orig. + Recv.) # Conn Setups Orig. # Conn Setups Recv. # Conn Setups Total (Orig. + Recv.) Flows Orig. Flows Recv. Flows Total (Orig. + Recv.) Pkts Orig. Pkts Recv. Pkts Airtime Duration Uni. Orig. Volume Uni. Recv. Volume Uni. Orig. Flows Uni. Recv. Flows Uni. Orig. Packets Uni. Recv. Packets Average RAN RTT Minimum RAN RTT Maximum RAN RTT Downlink TCP Packet Loss Rate Average RAN Handshake RTT Minimum RAN Handshake RTT Maximum RAN Handshake RTT Average Inet Handshake RTT Minimum Inet Handshake RTT Maximum Inet Handshake RTT Avg. Saturated TCP Thruput Min. Sat. Down TCP Thruput Max. Sat. Down TCP Thruput
31-35
Avg. Downlink TCP Thruput Min. Downlink TCP Thruput Max. Downlink TCP Thruput
31.8
Applications reports
This section describes the reports that you can generate for the different types of applications. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for applications reports.
Description of applications reports

You can generate the following application reports:
Hour-of-day trend comparing applications report Hour-of-day trend comparing days report Hour-of-day trend comparing days of week report Time plot comparing applications report Top applications reports
Application Comparison Table report
This report compares different applications using six configurable fields.

Table 31-48 Application Comparison Table report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours Six input fields are designated as Field1 to Field6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:

Time Period filterto display data about the applications during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Device manufacturers and models ApplicationsSee Application choosers in this section for more information.
See Figure 30-6 for an example of a table report. Not applicable Application categories are indicated by pair of square brackets [ ].
31-36
Hour-of-day trend comparing applications report
This report displays a time-series chart that plots and compares the hour-of-day trend of different applications. Hour-of-day trends are always measured from midnight to midnight.
Table 31-49 Hour-of-day trend comparing applications report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:

Time Period filterto display data about the applications during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Device manufacturer ApplicationsSee Application choosers in this section for more information
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. For a list of fields that can be plotted and information about how to choose applications for comparison, see section 31.8.
Hour-of-day trend comparing days report
This report displays a time-series chart that plots and compares the hour-of-day trend for up to 5 different days.
Table 31-50 Hour-of-day trend comparing days report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours You can choose to compare up to five specified days. For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:

(1 of 2)
Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Device manufacturer ApplicationsSee Application filters in this section for more information
31-37
Component Report type Raw data option Remarks
Description See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. You can compare 1 to 5 days of data by setting the Compare how many days? field. On the input parameter page, however, there are always five Input parameters for Days 1-5 respectively; the input parameters for the extra days are ignored. Hour-of-day trends are always from midnight to midnight. This report does not have the Time Period field, because unlike other reports that have only one start time and end time, this report can have up to five start times and five end times.
(2 of 2)
Hour-of-day trend comparing days of week report
This report displays a time-series chart that plots the hour-of-day trend for the days of the week. If you select a time range that contains more than one day for a given day of week (for example, Monday), the data plotted is the average value of these days.
Table 31-51 Hour-of-day trend comparing days of week report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:

Time Period filterto display data about the applications during specified time period or range of dates. The options are Last Week (Sunday to Saturday), Last Month, or a specified date range. Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Device manufacturer ApplicationsSee Application filters in this section for more information
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. Hour-of-day trends are always from midnight to midnight.
Time plot comparing applications report
This report displays a time-series chart that compares different applications.
31-38
31 Configuring browser-based reports Table 31-52 Time plot comparing applications report
Component Lag period to current time Input parameters Input parameters, filters, and options Description Approximately 6 hours See Fields that can be plotted and/or tabulated for application reports in this section. For a list of fields that can be plotted, see Fields that can be plotted and/or tabulated for application reports in this section. The following filters are available:

Time Period filterto display data about the applications during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Time resolution filterto plot data by hour or day Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Device manufacturer and models ApplicationsSee Application choosers in this section for more information
Top applications reports
This report displays a table that lists the top applications. The fields listed on this report are set and cannot be changed:
Rank Application / [App-Category] Average Number of Distinct Active

Sessions (per day)
Total Airtime (Hours) Total Number of Flows Total Number of Packets Realm(s)
Total Traffic Volume (Mbytes) Total Number of Conn Setups

Table 31-53 Top applications reports
Component Lag period to current time Input parameters, filters, and options Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before. You can select one of the following fields as the sorting index:
Number of Distinct Active Sessions Traffic Volume Number of Conn Setups Airtime Number of Flows Number of Packets The sorting field is indicated in the report by an asterisk (*) on the column header.
(1 of 2)
31-39
Component Report type Raw data option Remarks
Description See Figure 30-6 for an example of a table report. Not applicable Limits to the number of applicationsIf the specified day range contains more than one day, the maximum number applications N is 50. If the specified day range is exactly one day, the maximum number applications N is 1,000.
(2 of 2)
Parameters overview for applications reports

Fields that can be plotted and/or tabulated for application reports
Following are the fields that you can use to plot and/or tabulate applications reports:
Flow Count Total (Up+Down) Volume Uplink Volume Downlink Volume Total (Up+Down) Data Rate Uplink Data Rate Downlink Data Rate Total (Up+Down) # Conn Setups (Sum) Uplink (Up+Down) # Conn Setups (Sum) Downlink (Up+Down) # Conn Setups (Sum) Total (Up+Down) # Conn Setups (Rate) Uplink (Up+Down) # Conn Setups (Rate) Downlink (Up+Down) # Conn Setups (Rate) Total (Up+Down) Packets Uplink (Up+Down) Packets Downlink (Up+Down) Packets Airtime Path Loss Rate Downlink Thruput Average RAN Handshake RTT Average RAN RTT Configuring application parameters
There are two general types of configuration options for application parameters:
Application choosers Application filters
31-40
Application choosers
For most reports in this section, three fields serve as application choosers. By making choices on these input parameters, you specify the applications to be compared by specifying the following application properties:
Application categoriesApplication categories are configured using the

9900 WNG GUI client. If an application category is chosen, on the final chart of table, the label of the category is enclosed in a pair of square bracket, so that you can distinguish it from other labels for individual applications. Configured applicationConfiguration of application (giving a combination of protocol, port number, and/or server address a symbolic name such as streaming, VPN, and so forth) is done using the 9900 WNG GUI client. Unconfigured applications The set of applications defined by three fields are combined to create a final set of applications to be compared. Although none of the three input parameters is mandatory, you should specify at least one non-empty answer for one of these three fields. If you do not select any application from these fields, you can generate a report with no data.
Application filters
For the Hour-of-day trend comparing days and Hour-of-day trend comparing days of week reports, applications are specified using application filters instead of application choosers. The main difference between application filters and choosers is that, for reports using applications filters, in the final plot or table, you do not see individual applications or application categories. Rather, you see the overall traffic data after these filters are applied. Similar to application choosers, application filters also are comprised of the following fields:
Application categories Configured applications Unconfigured applications

Parameters for application choosers start with the word Choose ..., and parameters for application filters start with the word Filtered . For each application chooser, there is an option, #None# (do not choose any), whereas for each application filter, there is a option, #All# (filter in all).
31.9
Devices reports
This section describes reports that you can generate for devices. The following sections describe of the reports that you can generate, the parameters that you can plot, and the filters that you can configure for devices reports.
31-41
Description of device reports

You can generate the following device reports:
Hour-of-day trend comparing manufacturers report Hour-of-day trend comparing models report Time plot comparing manufacturers report Time plot comparing models report Table comparing manufacturers report Table comparing models report Performance KPI by manufacturer/model report
Hour-of-day trend comparing manufacturers report
This report displays a time-series chart that plots and compares the hour-of-day trend of devices from different manufacturers.
Table 31-54 Hour-of-day trend comparing manufacturers report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours For the list of fields that can be plotted, see Fields that can be plotted and/or tabulated in device reports in this section. The following filters are available:

Time period filtersto display data about the cell during specified time period or range of dates. The options are Today, Yesterday, Last Week (Sunday to Saturday), Last Month, or a specified date range. Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Application categories Configured applications Unconfigured applications Device manufacturers to compare
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. Hour-of-day trend is always from midnight to midnight. If the specified time range contains more than one day, the data within the same hour (for example, 0:00-1:00) for the different days is averaged and the resulting value is displayed in this report.
Hour-of-day trend comparing models report
This report displays a time-series chart that plots and compares the hour-of-day trend for different device models.
31-42
31 Configuring browser-based reports Table 31-55 Hour-of-day trend comparing models report

Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Application categories Configured applications Unconfigured applications Device models to compare
See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. Hour-of-day trend is always from midnight to midnight. If the specified time range contains more than one day, the data within the same hour (for example, 0:00-1:00) for these different days is averaged and the resulting value is displayed in this report.
Time plot comparing manufacturers report
This report displays a time-series chart that plots and compares traffic data of devices from different manufacturers.
Table 31-56 Time plot comparing manufacturers report

Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Application categories Configured applications Unconfigured applications Device manufacturers to compare
31-43
Time plot comparing models report
This report displays a time-series chart that plots and charts traffic data from different devices.
Table 31-57 Time plot comparing models report

See Figure 30-2 for an example of a time-series chart. Yes. See Exporting graphical reports to an Excel or a CSV file in chapter 30. For more information about bout Manufacturers versus Models and a list of fields that can be plotted, see Manufacturers versus Models in this section.
Table comparing manufacturers report
This report displays a table that lists six different fields that compare traffic data from devices of different manufacturers.
Table 31-58 Table comparing manufacturers report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated in device reports in this section. The following filters are available:

(1 of 2)
Network type filterto display data about a specified type of mobile network, such as 1xRTT, CDMA, EVDO, GPRS, and UMTS Realm filterto display data for specified realms RNC filtersto specify one or more RNCs Application categories Configured applications Unconfigured applications Device manufacturers to compare
31-44
Component Report type Raw data option (2 of 2)
Description See Figure 30-6 for an example of a table report. Not applicable
Table comparing models report
This report displays a table that compares traffic data for different device models.
Table 31-59 Table comparing models report
Component Lag period to current time Input parameters, filters, and options Description Approximately 6 hours Six input fields are designated as Field1 to Field 6. For each field, choose one of the parameters that are listed in Fields that can be plotted and/or tabulated in device reports in this section. The following filters are available:

See Figure 30-6 for an example of a table report. Not applicable For more information about Manufacturers versus Models and a list of fields that can be plotted, see Manufacturers versus Models in this section.
Performance KPI by manufacturer/model report
This report compares the following data for different manufacturers or models:
Saturated Throughput (Kbps) Packet Loss % Average RTT (ms) Device Count
Volume (MB) Signaling ('000) Airtime (Hrs)
Table 31-60 Performance KPI by manufacturer/model report

Component Lag period to current time (1 of 2) Description 7 to 31 hours. After 7:00 AM, the report displays data collected as late as last midnight; before 7:00 AM, the report displays data collected as late as two midnights before.
31-45
Description You must choose to compare the data as follows:
by manufacturer or model by subscriber group. See chapter 32 for information about subscriber groups.
You can sort the tabular data according to one of seven numeric fields and in ascending or descending order. Report type Raw data option (2 of 2) See Figure 30-6 for an example of a table report. Not applicable
Parameters overview for device reports

Fields that can be plotted and/or tabulated in device reports
The following fields can be plotted in the device reports. You can choose one of the following parameters:
Flow Count Total (Up+Down) Volume Uplink Volume Downlink Volume Total (Up+Down) Data Rate Uplink Data Rate Downlink Data Rate Total (Up+Down) # Conn Setups (Sum) Uplink (Up+Down) # Conn Setups (Sum) Downlink (Up+Down) # Conn Setups (Sum) Total (Up+Down) # Conn Setups (Rate) Uplink (Up+Down) # Conn Setups (Rate) Downlink (Up+Down) # Conn Setups (Rate) Total (Up+Down) Packets Uplink (Up+Down) Packets Downlink (Up+Down) Packets Airtime Path Loss Rate Downlink Thruput Average RAN Handshake RTT Average RAN RTT
31-46
Manufacturers versus Models
Most reports in this section come in pairs of variants: comparing manufacturers and comparing models. Two different manufacturers can assign the same model name to two different phone models, therefore in these reports, the term Model refers to the manufacturer name concatenated with model name.
Note In this release, the 9900 WNG system cannot decode CDMA device ESNs and MEIDs to their model names; the model name field for all CDMA devices displays an empty string. For CDMA networks, the two variants of the same report are effectively identical.
31.10
Troubleshooting
Table 31-61 provides tips for troubleshooting report errors.
Table 31-61 Troubleshooting
Problem No data is shown on the report Solution Verify that the parameter values are correct or try different parameter values. If you applied filters to the report, modify the filters to gather more data. Send the exception message as well as the report name and chosen parameter values to your 9900 WNG technical support representative. Run the report with a smaller date range. Re-run the report using a smaller number of data points. For example, specify a smaller date range or change the time resolution from minute to hour. You can also try to run the report with Show only raw data option selected.
An exception is displayed when you generate a report The report is taking a long time to run (more than 15 minutes) The report appears with broken links instead of charts
31-47
31-48
32.1 Subscriber Group Manager overview
32-2 32-2
32.2 Subscriber Group Manager page components 32.3 Creating a subscriber group 32.4 Searching for a subscriber 32-3 32-4 32-4
32.5 Changing the subscriber group view 32.6 Importing subscriber data 32-5
32-1
32.1
Subscriber Group Manager overview

The Subscriber Group Manager page provides operators and network analysts with the capability to create subscriber groups by which to manage a large number of subscribers. The Subscriber Groups page is web-based and is accessed from the Group Manager link on the 9900 WNG Central Home page.
Interactions with web-based subscriber reports

The groups that you configure in the Subscriber Group Manager can be used as filter criteria in the following web-based reports:
Overall subscriber cumulative distribution report Top Mobiles reports Performance KPI by manufacturer/model report
32.2
Subscriber Group Manager page components

Figure 32-1 shows the Subscriber Group Manager page.
Figure 32-1 Subscriber Groups Manager page
Subscriber Group tab Group Editor tab Sort ascending/ descending button Subscriber data table
Group Types selector Search panel
Status icons
Group Editor table controls
Create new group button
Delete group Subscriber Group control button panel
Import data button

21184
32-2
Table 32-1 lists the components in the Subscriber Groups Manager page.
Table 32-1 Subscriber Groups Manager page components
Component Group Type selector panel Subscriber Groups tab Group Editor tab Subscriber Group control panel Description Pick list from which you can select the type of groups to manage. The supports the following Group type: Subscriber Lists the subscriber groups Workspace to create a group, or to add or remove subscribers to/from a group Contains three buttons:

Subscriber data table
Create new groupSee section 32.3 for information about how to use the create new group function. Delete groupto delete a selected group. Import datato import a list of subscribers. See section 32.6 for information about how to use the import function.
Data for the members of the subscriber group are arranged in a table with the following columns:
Group Editor table controls
Identifiers such as: IMSI/NAI IMEI/MEID/ESN MSISDN/MSID Severity
See Procedure 32-3
32.3
Creating a subscriber group

Procedure 32-1 describes how to create a subscriber group.
Procedure 32-1 To create a subscriber group

1 2 3 4 5 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Group Manager link. The subscriber group page appears with the Subscriber Groups tab displayed. Click on the Create new Group button. The Create Group pop-up window appears. Enter a group name and click OK. The subscriber group that you created appears as a folder in the Subscriber Group panel. Add subscribers to the group by doing one of the following: a Search for a subscriber, as described in Procedure 32-2. Select the subscriber from the results list and drag and drop the data to the member list in the Edit Group panel Add a list of imported subscribers, as described in Procedure 32-4.
32-3
32.4
Searching for a subscriber

Procedure 32-2 describes how to search for a subscriber.
Procedure 32-2 To search for a subscriber

1 2 3 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Group Manager link. The subscriber group page appears with the Subscriber Groups tab displayed. Configure the following search parameters: i Choose one of the following:

ii iii 4
IMSI/NAI IMEI/MEID/ESN MSISDN/MSID
Enter a value in the Search String field Choose a value from the Filter by Realm/APN drop-down menu.
Click on the Search button. The search results appear in a tab in the Subscriber Group panel.
32.5
Changing the subscriber group view

Procedure 32-3 describes how to use the features in the Group Editor panel to change the view of a subscriber group.
Procedure 32-3 To change the subscriber group view

1 2 3 4 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Group Manager link. The subscriber group page appears with the Subscriber Groups tab displayed. Double-click on the subscriber group in the Subscriber Group tab that you need to manage. The data for the group appears in a tab in the Group Editor panel. Right-click on the column header to perform one of the following, as required: a b Sort the columns in ascending or descending order. Choose the columns that you need to display.
32-4
c d
Group the data in a column. Freeze the data in a column.
32.6
Importing subscriber data

Procedure 32-4 describes how to import subscriber data into the Subscriber Group Manager.
Procedure 32-4 To import subscriber data

1 2 3 4 5 Navigate to the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Group Manager link. The subscriber group page appears with the Subscriber Groups tab displayed. Click on the Import data button. The file upload pop-up window appears. Click on the Browse button to navigate to a pre-prepared list of subscribers Click on the Submit button to retrieve the data.
32-5
32-6
Network anomaly reporting and management
33-1
33.1 Threat detection and network anomalies overview 33.2 Threat detection in a CDMA network 33.3 Threat detection in a UMTS network 33-2 33-3
33-2
33.4 High-level workflow to investigate an anomaly event 33.5 Network anomaly events 33.6 Wireless attack events 33-6 33-7 33-14
33-5
33.7 Port scans and unwanted source events 33.8 Abusive subscriber events 33-17
33.9 Specifying the threshold values for anomaly events
33-21
33-1
33.1
Threat detection and network anomalies overview

See chapter 22 for information about real-time events and the
33.2
Threat detection in a CDMA network

The 9900 WNG system monitors mobile data traffic sessions in CDMA networks, analyzes the session behavior, and raise alarms based on previously defined threats. Figure 33-1 shows a high-level overview of where threats occur in a CDMA network.
Figure 33-1 Threats in a CDMA network
In a CDMA network, the 9900 WNG Detector snoops mirrored traffic on the following interfaces:
The interface between the PDSN and the AAA (bidirectional traffic) The interface between the PDSN and the HA
Figure 33-2 9900 WNG Detector in a CDMA network
33-2
The 9900 WNG detector snoops the accounting records sent by the PDSNs to the AAA server, which allows the detector to relate IP traffic to wireless network elements such as HAs, PDSNs, RNCs, and Mobile device/subscription. The 9900 WNG Detector obtains the packets from the mirrored ports and extracts the necessary information from the packet headers such as source/destination IP addresses and port, protocol, packet size, and arrival time.
Inputs and outputs

The inputs to the 9900 WNG Detector include the following:
All incoming and outgoing subscriber data traffic Simple IP traffic Mobile IP (MIP) IP-IP tunneled Signaling traffic to relate IP traffic to subscriber/device/network elements MIP signaling traffic AAA/RADIUS
The output of the 9900 WNG Central device includes the following:
Anomaly events Mobile Flow records: flow records enhanced with wireless-specific information Network statistics: top mobile/server, traffic/resource usage classification Network elements status updates, for example, HA, PDSN, and CDMA RNC Reports
Maximum number of CDMA monitored sessions
Each 9900 WNG Detector can observe up to 1Gb of bidirectional traffic and up to 500 000 active sessions.
33.3
Threat detection in a UMTS network

The 9900 WNG system provides the capability for observing mobile data traffic sessions in UMTS networks, analyze the session behavior and raise alarms based on the threats defined previously. Figure 33-3 shows a high-level overview of where threats occur in a UMTS network.
33-3
33 Threat detection and network anomaly events Figure 33-3 Threats in a UMTS network
In a UMTS network, the 9900 WNG Detector observes mirrored traffic on the following interfaces:
The interface between the SGSN and the AAA (bidirectional traffic) The interface between the SGSN and the GGSN
Figure 33-4 9900 WNG Detector in a UMTS network
The 9900 WNG detector snoops the accounting records sent by the SGSNs to the AAA server, which allows the detector to relate IP traffic to wireless network elements such as GGSNs, SGSNs, RNCs, and Mobile device/subscription. The 9900 WNG Detector obtains the packets from the mirrored ports and extracts the necessary information from the packet headers such as source/destination IP addresses and port, protocol, packet size, and arrival time.
33-4
Inputs and outputs

The inputs to the 9900 WNG Detector include the following:
All incoming and outgoing subscriber data traffic - Simple IP traffic Signaling traffic to relate IP traffic to subscriber/device/network elements - GTP
traffic The output of the 9900 WNG Central device includes the following:
Anomaly events Mobile Flow records: flow records enhanced with wireless-specific information Network statistics: top mobile/server, traffic/resource usage classification Network elements status updates, for example, GGSN, SGSN, and RNC Reports
Maximum number of UMTS monitored sessions
Each 9900 WNG Detector can observe up to 1Gb of bidirectional traffic and up to 500,000 active sessions.
33.4
High-level workflow to investigate an anomaly event

Perform Procedure 33-1 to investigate an anomaly event.
Procedure 33-1 To investigate an anomaly event

1 2 3 Log in to the 9900 WNG Central webpage, as described in Procedure 17-1. Choose the Anomaly Events from the Navigation menu. From the Recent Anomaly Events tab, select an anomaly event from the list of events by clicking on its row. The Event Details panel displays details for the event. The fields that appear depend on the type of event. Double-click on the Corr ID or Attacker IP field in the Event Details panel to display the Forensic View page. Select an event by clicking on a row, then click on the Mobile Flow button in the Forensic view to display the mobile flow records for the event.
4 5
33-5
6 7
Analyze the mobile flow data and the resource usage. Take corrective action to mitigate:
Filter the malicious source
Add filter rules to Firewall/IPS Add filter rules to the Router ACL
Contact or disable accounts for abusive subscribers for the following event type:
Overload RNC
33.5
Network anomaly events

9900 WNG Detector events are functional events that are monitored by the 9900 WNG system, not the events that are related to the operation of the WNG 9900 system itself. See chapter 38 for information about operational system events. Network anomaly events are events that are detected by algorithms in the 9900 WNG Detector that indicate an attack on a specific wireless device, a security event such as a port scan, or a potential fraud or violation of a service agreement. Table 33-1 lists the anomaly events.
Table 33-1 Network anomaly events
9900 WNG event name Wireless attack events SIGATTACK_SINGLE_SRC BATTERYATTACK_SINGLE_SRC BATTERY_ATTACK_DISTRIBUTED RNCOverload FLOOD_MOBILE_SINGLE_SRC FLOOD_MOBILE_DISTRIBUTED ICMP_ROUTER_DISCOVERY_ABUSE Port scans and unwanted source events PORTSCAN_HORIZ PORTSCAN_VERT UNWANTED_SRC Abusive subscriber events HIGH_USAGE_SUB HIGH_SIGNALING_SUB ALWAYS_ACTIVE_SUB P2P_MOBILE High usage subscriber High signaling subscriber Always active airtime subscriber Peer-to-peer mobile Horizontal port scan Vertical port scan Unwanted source of traffic Signaling attack from a single source Battery attack from a single source Battery attack from a group of sources RNC Overload Flood mobile from a single source Flood mobile from multiple sources ICMP router discovery abuse Event name
33-6
33.6
Wireless attack events

The 9900 WNG system monitors the following wireless attack events.
Signaling attacks from a single

source Battery attacks from a single source Distributed battery attacks RNC overloads
Single source mobile floods Distributed mobile floods ICMP router discovery abuses
Signaling attacks from a single source

A malicious source triggers excessive amount of radio connection setup and release. For example, the source sends one unsolicited packet per mobile to a large number of mobiles triggering one connection setup per mobile. Attacking packets can be any form, for example, a TCP, UDP, or ICMP packet.
Severity
Major
Impact to the network
A signaling attack from a single source has the following impact to the network:
Causes an overload signal processing unit at RNC Congests paging channels at BTS Wastes air time
Event reporting
When an RNC signaling attack is detected, the following information related to the event is reported:
Internet source: IP address Mobile source: IP source, Network access Identifier (NAI), Mobile Station
Identifier (MSID), Electronic Serial Number (ESN), International Mobile Equipment identifier (IMEI), International Mobile Subscriber Identity (IMSI), Mobile Station integrated Services Digital Network Number (MSISDN) Intensity
Event thresholds
The event is reported when the number of connection setups exceeds the specified threshold. To display current settings, enter the following command:
detector:detector99# show detectionThresholds sigAttack 4 signalAttackThresholds
33-7
600 800 900 1000
To modify the threshold settings, see section 33.9.

Related events
A single source attack may trigger the following related anomaly events:
RNCOverload PORTSCAN_HORIZ UNWANTED_SRC Battery attacks from a single source

A malicious source forces a mobile device to hold radio resources unnecessarily long by periodically sending a small packet to a mobile device to reset the inactivity timer.
Severity
Minor
A battery attack has the following impact to the mobile device and the network:
Drains the battery of the mobile device Wastes air resources that otherwise would be used by other mobiles Can cause a call to be blocked due to channel exhaustion when multiple mobile
devices are attacked at the same time
Event information
The following information is reported for a battery attack event:
Internet source: IP address Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity
Event thresholds
To display current thresholds, enter the following command:

detector:detector99# show detectionThresholds batteryAttack 4 batteryAttackThresholds
33-8
0.01 0.05 0.1 0.5

Related events
A battery attack may trigger the following related anomaly events:
PORTSCAN_VERT P2P_MOBILE Distributed battery attacks

A group of sources force a mobile to hold radio resources unnecessarily long, for example, the aggregated traffic from multiple sources drain the mobile battery.
Severity
Minor
A battery_attack_distributed event has the following impact to the network:
Drain mobile battery Waste air resources which otherwise would be used by other mobiles Could cause call blocks due to channel exhaustion when attacking many mobiles
at the same time
Thresholds
To display current thresholds, enter the following command:

detector:detector99# show detectionThresholds batteryAttack 5 batteryAttackThresholds 0.5 0.6 0.7 0.8 0.99
33-9
Event information
A battery-attack event reports the following information:
Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity
Related events
A battery-attack event may trigger the following related anomaly events:
P2P_MOBILE RNC overloads

The number of connection setups an RNC handles approaches or exceeds its design capacity.
Severity
Critical
An RNC overload can cause denial of service to a new connection request, resulting in call drops.
Thresholds
The threshold for an RNC overload event is the number of connection setups/sec the RNC comfortably handles. To display current settings, enter the following command:
detector:detector99# show detectionThresholds rncOverload 5 rncLoadThresholds 6000 12000 18000 24000 36000

Event information
An overload event reports the following information:
Intensity Victim RNC IDeshold <

Related events
An RNC Overload event may also trigger a single source signaling attack event (SIGATTACK_SINGLE_SRC).
Single source mobile floods

A source sends unsolicited traffic to a mobile exceeding/close to mobiles link capacity.
Severity
Minor
A flood_mobile_single_src event has the following impact to the network:
Traffic denial of server to mobile, possibly also network Waste network resource
Event information
A flood_mobile_single_src event reports the following information:
Attacker: IP address Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Total unsolicited bytes contributed by the source
Thresholds
This event is generated when a source sends unsolicited traffic to mobile exceeding/close to mobiles link capacity. To display the current thresholds, enter the following command:
detector:detector# show detectionThresholds floodMobileSingleSrc 5 floodMobileSingleSrcThresholds 5000000 10000000 20000000 40000000 80000000
33-11
Related events
A flood_mobile_single_src event may trigger the following related events:
UNWANTED_SRC Distributed mobile floods

Unsolicited traffic from multiple sources to mobile exceeding or close to the link capacity.
Severity
Minor
A floodMobileDistributed event has the following impact to the network:
Traffic denial of server to mobile, possibly also network Waste network resource
Event information
A floodMobileDistributed event reports the following information:
Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Total unsolicited bytes contributed by the sources
Thresholds
This event is generated when unsolicited traffic from multiple sources to a mobile is equal to or exceeds the mobiles link capacity in a specified time period. To display the current thresholds, enter the following command:
detector:detector# show detectionThresholds floodMobileDistributed 5 floodMobileDistributedThresholds 10000000 20000000 40000000 80000000 160000000

Related events
A floodMobileDistributed event may trigger an UNWANTED_SRC event.

ICMP router discovery abuses

Illegitimate ICMP router discovery messages going to mobiles.
Severity
Major
A routerDiscoveryAbuse event has the following impact to the network:
Victim mobile gets disconnected from the network

Event information
A routerDiscoveryAbuse event reports the following information:
Source of ICMP message Intensity

Thresholds
This event is generated when the number of illegitimate ICMP router discovery messages equals or exceeds a defined threshold within a specified period. To display the current thresholds, enter the following command:
detector:detector# show detectionThresholds routerDiscoveryAbuse 5 routerDiscoveryAbuseThresholds 2 5 10 20 50
To modify the threshold settings, see 33.9.

Related events
A routerDiscoveryAbuse event may trigger the following related events:
None
33-13
33.7
Port scans and unwanted source events

The 9900 WNG system monitors the following port scan and unwanted source events.
Horizontal port scan events Vertical port scan events Unwanted source Horizontal port scan events
A malicious source sends probe packets of same destination port to a large number of victims to explore potential vulnerability, such as in an Internet worm propagation or Botnet compromise.
Severity
Major
A horizontal port scan exposes mobile devices to a security risk. In addition, it wastes bandwidth, air time, and signaling resources.
Event information
A horizontal port scan event reports the following information:
Internet source: IP attacker Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Scanned port Number of distinct hosts scanned
Event threshold
This event is generated when the number of distinct hosts probed exceeds a specified threshold. To display the current thresholds, enter the following command.
detector:detector99# show detectionThresholds portScanHoriz 5 portscanHorizontalThresholds 240 360 480 640 720
33-14

Related events
A horizontal port scan event may trigger the following related anomaly events:
SIGATTACK_SINGLE_SRC RNCOverload UNWANTED_SRC Vertical port scan events

In a vertical port scan event, a malicious source sends probe packets of different destination port of the same host to explore potential vulnerability, for example, Botnet compromise.
Severity
Major
A vertical port scan exposes mobile devices to a security risk. In addition, it wastes bandwidth, air time, and signaling resources.
Threshold for vertical ports scan
The threshold for a vertical port scan is the number of distinct ports probed at the same victim. To display current settings, enter the following command:
detector:detector99# show detectionThresholds portScanVert 5 portscanVerticalThresholds 120 240 360 480 640

Event information
A vertical port scan event reports the following information about the malicious source:
Internet source: IP Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity
Victim mobile: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Number of distinct ports scanned
Related events
A vertical port scan event may trigger the following related events:
BATTERYATTACK_SINGLE_SRC UNWANTED_SRC Unwanted source

A source contributes a large amount of unsolicited traffic.
Severity
Major
An unwanted source has the following impact to the network:
wastes network resources poses potential security threats

Threshold
Measures the amount of unsolicited traffic (bytes) from the source during a 2 hour interval. To display current thresholds, enter the following command:
detector:detector99# show detectionThresholds unwantedSrc 4 unwantedThresholds 10000000 20000000 30000000 40000000

Event information
An unwanted source event reports the following information:

33-16
Internet source: IP Mobile source: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Number of distinct destinations of unsolicited traffic Total unsolicited bytes contributed by the source
Related events
All anomaly events could contribute to unwanted traffic.
33.8
Abusive subscriber events

The 9900 WNG system monitors the following abusive subscriber events.
High-usage subscriber events High signaling subscriber event Always-active subscriber Peer-to-peer mobile traffic events
High-usage subscriber events

A subscriber consumes excessive amounts of bandwidth.
Severity
Minor
The impact of a high-usage subscriber is as follows:
Abuses network resources Congests the network

Thresholds
The threshold measured is the total traffic volume (bytes) during a two hour period. To display the current settings, enter the following command:
detector:detector99# show detectionThresholds highUsage 5 highUsageThresholds 20000000 40000000 60000000 80000000 100000000
33-17
Event information
A high-usage event reports the following information:
Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Upload volume (in bytes) Download volume (in bytes)
Related events
A high-usage event may trigger the following related anomaly events:
P2P_MOBILE ALWAYS_ACTIVE_SUB High signaling subscriber event

A mobile subscriber triggers excessive connection setups.
Severity
Minor
A highSignalingSubscriber event has the following impact to the network:
Overload RNC Occupy radio channels

Thresholds
The threshold measured is the number of connection setups during a specified watching window (2 hours). To display the current settings, enter the following command:
detector:detector99# show detectionThresholds highSignalingSubscriber 5 highUsageThresholds 240 360 480 600 720
33-18
Event information
A highSignalingSubcriber event reports the following information:
Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity Number of connection setups triggered
Related events
A highSignalingSubcriber event may trigger the following related anomaly events:
P2P_MOBILE Always-active subscriber

A mobile subscriber consumes excessive amounts of air time.
Severity
Minor
An always-active device holds on a radio channel that would otherwise be used by other mobile device.
Thresholds
This event is generated when a subscriber is active for a period that exceeds the specified thresholds. To display the current threshold settings, enter the following command:
detector:detector99# show detectionThresholds alwaysActive 5 highAirtimeThresholds 0.5 0.6 0.7 0.8 0.9

Event information
An always-active event reports the following information:
Offending subscriber identity: IP, NAI, MSID, ESN, IMEI, IMSI, MSISDN Intensity
Fraction of active time - The fraction of active time for a mobile is the fraction of
time that the mobile holds the radio channel with respect to a pre-defined watching window. The fraction of active time is calculated as: active_time_in_watching_window/watching_window_length. Current session start time
Related events
An always-active subscriber event may trigger the following related anomaly events:
HIGH_USAGE_SUB P2P_MOBILE Peer-to-peer mobile traffic events

A mobile subscriber uses P2P file sharing application, such as, EDonkey, BitTorrent, or Kazaa.
Severity
Minor
Peer-to-peer traffic consumes significant amounts of network capacity and increases bandwidth cost per subscriber, and can therefore lead to significant lost revenue for the service provider.
Event information
The system reports the following information about P2P event:
The following information about the offending subscriber: IP address NAI MSID ESN IMEI IMSI MSISDN Intensity Number of originating peers Number of responding peers Type of applications Uplink volume Downlink volume
33-20
Thresholds
This event is generated when the volume of a subscribers traffic volume (in bytes) exceeds the specified threshold. To display the current thresholds, enter the following command:
detector:detector# show detectionThresholds p2pMobile 5 p2pMobileThresholds 100 200 400 600 1000

Related events
A P2P event may trigger the following related events:
High usage subscriber event (HIGH_USAGE_SUB) Always-active subscriber (ALWAYS_ACTIVE_SUB) Single source battery attack (BATTERYATTACK_SINGLE_SRC)
33.9
Specifying the threshold values for anomaly events

Perform Procedure 33-2 to specify the threshold values for an anomaly event.
Procedure 33-2 To specify the threshold values for an anomaly event

1 2 3 Log in to the CLI with the admin privilege, as described in Procedure 14-1 or 14-2. Log in to the 9900 WNG Detector, as described in Procedure 14-3. Type the following command:
detector:central99# detectionThresholds event thresh1 [thresh2] [thresh3] [thresh4] [thresh5]
where: event is the type of anomaly event thresh is the threshold value
Table 33-2 lists the anomaly events (event) and the threshold values (thresh) for each event. You can specify up to five threshold values.
33-21
33 Threat detection and network anomaly events Table 33-2 Threshold and threshold values for each anomaly event
Setting for event Threshold measured Threshold (thresh) value range 0.0 to 1.0 0.0 to 1.0
alwaysActive batteryAttackSingleSrc
The fraction of active time within the watching window. Measures the air resource efficiency, that is, how efficient the air resource is used for data transfer. This value represents a fraction of time within the watching window. The fraction of active time within the watching window. Measures the amount of unsolicited traffic (bytes) from the source going to the mobile during a watching window. Measures the number of connection setups during a specified watching window. Measures the total traffic volume (byte) used in a watching window. The number of connection setups triggered by source in watching window. Total traffic volume (byte) used in watching window. Number of distinct hosts probed during a two hour period Number of distinct hosts probed in watching window. Number of connection setups/sec the RNC comfortably handles. Number of illegitimate ICMP router discovery messages equal to or exceeding a defined threshold within a specified period. Measures the amount of unsolicited traffic (bytes) from the source during the watching window. Amount of unsolicited traffic (bytes) from the source during 2 hour interval.
batteryAttackDistributed floodMobileDistributed
0.6 to 0.99 10M to 160M
highSignalingSubscriber highUsage sigAttackSingleSrc p2pMobile portScanHoriz portScanVert rncOverload routerDiscoveryAbuse
240 to 720 0 to 100 000 000 0 to 1000 0 to 1000 0 to 1000 0 to 1000 0 to 10 000 000 2 to 50
floodMobileSingleSrc
5M to 80M
unwantedSrc
0 to 500 000 000
33-22
SYSTEM ADMINISTRATION AND SECURITY GUIDE
Alcatel-Lucent 9900
SYSTEM ADMINISTRATION AND SECURITY GUIDE
Disclaimers
Security and user account administration
34 Security overview 35 Managing licenses
34-1 35-1 36-1
34.1 Security overview
34-2
34-1
34.1
Security overview
Figure 34-1 shows the external interfaces of the 9900 WNG system and the protocols that are implemented to help secure these external interfaces.
Figure 34-1 9900 WNG external interfaces
Table 34-1 describes the features and protocols that you can use to secure the 9900 WNG system from unauthorized access.
Table 34-1 9900 WNG security features and protocols
Protocol or feature SSL Purpose SSL provides authentication and encryption for TCP clients and is used to secure HTTP connections. In addition, SSL provides CLI access. The HTTPS protocol provides a secure web client and server for web-based reporting. (1 of 2)
34-2
Protocol or feature SSH protocol SNMPv3 Role-based access control Strong password authentication rules Security logging (2 of 2)
Purpose SSH is a software solution for unsafe network commands such as rlogin, rsh, rcp, and Telnet. SSH is used to access the 9900 WNG Detector from 9900 WNG Central using shared key pairs. SNMPv3 provides encryption and encapsulation for management traffic between the NMS and 9900 WNG Central. Ensures that each user performs only those tasks that are allowed by their role. See chapter 36 for more information. Helps to prevent other users or programs from guessing a password Tracks user access data, such as user ID and number of login attempts, is stored in log files. Unauthorized user access is reported.
34-3
34-4
35.1 Viewing the current license status
35-2 35-2
35.2 Viewing license violation system events
35-1
35.1
Viewing the current license status

Information about the installed license and the current status relative to the license limits can be observed using the CLI. The show license command displays the license limit, current observed sessions, as well as the maximum number of sessions seen so far. This command also indicates whether there is a license violation. For more information, see section 35.2. Perform Procedure 35-1 to view licensing information using the CLI.
Procedure 35-1 To view licensing information using the CLI

1 2 Log into the CLI, as described in Procedure 14-1 or 14-2. Show the license by typing:
show license
The following is an example of the output:

central# show license License Information: -------------------License Version: 1.2 Maximum number of active subscriber sessions allowed: 2000000 License expiration date: Mon Jan 18 22:14:07 EDT 2038 Current License Violation Status: --------------------------------No Violation Current active subscriber sessions: 756 Maximum number of subscriber sessions seen so far: 912 License Quantity: 2000000 central#
35.2
Viewing license violation system events

Table 35-1 describes license system events. The events appear in the System Event View of the GUI and are sent as SNMP traps to northbound NMS.
35-2
35 Managing licenses Table 35-1 License system events

License system event License Violation/Invalid License License Violation/Expired License License Violation/Max Sessions Exceeded Description This event is generated if the license is not valid or if the hostid is incorrect. This event generates a warning alarm if the license expires in 5 days. A critical alarm is generated if the license has expired. This warning event is generated when the number of mobile sessions is greater than or equal to 85% of the maximum session limit as determined in the license file. A critical system event is generated when the maximum session limit is exceeded. The warning system event is cleared when the number of sessions is less than or equal to 80%. The number of observed mobile sessions is calculated by adding all of the sessions that are observed by all 9900 WNG Detectors that are in the network.
35-3
35-4
36.1 User account management overview 36.2 Managing user accounts 36.3 Monitoring user accounts 36-4 36-10
36-2
36-1
36.1
User account management overview

Using the CLI, accounts are created on 9900 WNG Central by a user with the sudo privilege. The accounts that are created for internal interfaces have three types of roles, which are CLI, GUI, and Reports. When you create the CLI role, the GUI and Reports roles are automatically created.
Roles
Each role has privileges, which determines the tasks that can be performed and the information that can be displayed. Table 36-1 describes the roles that can be created.
Table 36-1 Roles
Role Description
Internal interface CLI GUI Reports Creates GUI and Reports roles. See chapter 14 for more information about the CLI role. Used to access the GUI Used to access the web-based reports
External interface SNMP Motive API Sends SNMP messages to various components in a network For customer care technicians to quickly access actual usage data for the subscribers
Privileges
Each role has associated privileges. The CLI role has only one associated privilege, but the GUI and Reports roles can have multiple privileges. Table 36-2 describes the privileges for each role.
Table 36-2 Privileges for each role
Privilege As it appears on the CLI CLI role sudo admin user reportsOnly demoonly (1 of 2) To create the Reports role To create the DemoOnly role See Table 14-2 As it appears on the GUI Description
36-2
Privilege As it appears on the CLI GUI NE ano subs Network Anomaly Subscriber To access the Dashboard and Network Forensics views To view Performance Events. If you do not have the Anomaly privilege, you cannot view the Current and History events. To view subscriber identity information and to start a subscriber report or mobile flow query using an IMSI or NAI of the subscriber. If you do not have the Subscriber privilege, anomaly events do not display the identify of the subscriber To configure NEs, and acknowledge and clear system events IP addresses are not displayed As it appears on the GUI Description
admin demo Reports NE subs
Admin DemoOnly
Network Subscriber
If you do not have the Network privilege, you cannot start a Network Elements or Hops report To create subscriber groups. If you do not have the Subscriber privilege, you cannot start a subscriber report that requires the identity or a subscriber. The identify of the subscriber does not appear. If you do not have the AppsDevices privilege, you cannot start a Applications or Device report To access the Group Manager interface. The Subscriber privilege is required to create subscriber groups. IP addresses are not displayed
apps admin demo (2 of 2)
AppsDevices Admin Demo
See Table 14-8 for a list of commands that are available for each account type on the 9900 WNG Central and Detector. The CLI prompt indicates your privilege and whether you are on the 9900 WNG Central or Detector. See Table 14-5 for more information about the different prompts.
Modes
You can switch modes to move up or down a level in CLI. Mode switching ensures that accounts are identified and authenticated at login, and all activity is logged. See section 14.3 for more information.
Passwords
During initial installation, you must change the default password for the root login. Contact your Alcatel-Lucent technical support representative for the default password. Passwords must be a minimum of 6 characters and a maximum of 41 characters for all roles. The password can also contain one more of the special characters that are listed in Table 36-3.
36 User account management Table 36-3 Special characters for passwords

Special characters ~ & { * [ ! ( } < @ ) ] , # _ | > $ \ . % + ; ? ^ = : /
The 9900 WNG supports password aging. Passwords are set to expire in 42 days. When your password expires, you are prompted to change your password at your next CLI log in. The sudo privilege in the CLI is required to change the password for another account, but you can change your own password in the CLI. See Procedure 36-2 to change the password for another user and Procedure 36-4 to change your password.
36.2
Managing user accounts

You can use CLI commands to manage roles and privileges. Table 36-4 lists where to find information about how to manage roles and privileges.
Table 36-4 Procedures for managing roles
Task CLI, GUI, or Reports role To create a user account with CLI, GUI, and Reports roles To change the password for another user To change your password using the GUI To modify the privileges for a role To modify the name of an account To reset the default timeout for all passwords To reset the default timeout for a specific password To set the idle timeout for user accounts To disconnect one or all users from active GUI sessions To delete a user account SNMP role To create an SNMP user account To create a n SNMP group To delete an SNMP user account To delete an SNMP group Motive API role (1 of 2) 19-2 19-2 19-5 19-6 36-1 36-2 36-4 36-5 36-6 36-7 36-8 36-9 36-10 36-11 See Procedure
36-4
Task To create a Motive API user account To delete a Motive API user account (2 of 2)
See Procedure 20-1 20-2
Creating a user account

Perform the following procedures to create different types of user accounts.
Procedure 36-1 To create a user account with CLI, GUI, and Reports roles
This procedure does not apply to SNMP or Motive API user accounts. See Procedures 19-2 or 20-1. By default, the CLI role is created with default privileges for the GUI and Reports roles. 1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Type:
user add id password [cli_role] [firstname] [lastname]
where id is user login ID (username) that must have a minimum of 3 and a maximum of 31 alphanumeric characters password is the password for the account, which must contain a minimum of 6 and a maximum of 41 characters. See Table 36-3 for a list of special characters. cli_role is the CLI role for the user. The options are user, admin, sudo, reportonly, or demo. firstname is the first name of the user and can contain one or more special characters lastname is the last name of the user can contain one or more special characters
For example, the following command adds the new account jasadmin and assigns the password pwdjas02. The user, John Smith, has admin privileges.
user add jasadmin pwdjas02 admin John Smith
Perform Procedure 36-5 to modify the default privileges for the GUI and Reports roles.
Changing passwords
Perform Procedure 36-2 to change the password for another user account. You must have the sudo privilege to change the password for another user. Perform Procedure 36-4 to change your password.
36-5
Procedure 36-2 To change the password for another user

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Change the password by typing:
user changepassword id
where id is the name of an existing account
For example, the following command changes the password for jasadmin:
user changepassword jasadmin
Enter the new password twice when you are prompted.
Procedure 36-3 To change your password using the CLI

1 2 Log in to the CLI, as described in Procedure 14-1 or 14-2. Change the password by typing:
user changepassword id
where id is the name of an existing account
For example, the following command changes the password for jasadmin:
user changepassword jasadmin
Enter the new password twice when you are prompted.
Procedure 36-4 To change your password using the GUI

If you have the admin privilege for the GUI role, you can change your password from the GUI. 1 2 3 4 Access the 9900 WNG Central webpage, as described in Procedure 17-1. Click on the Change Password hyperlink. The Changing password on Central window appears, where Central is the name of the specific 9900 WNG Central. Enter your current password and your new password, then confirm your new password. Click on the Change button. The system confirms that your password has been changed.
36-6
Modifying privileges
Perform Procedure 36-5 to modify the privileges for a role.
Procedure 36-5 To modify the privileges for a role

1 2 3 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Disconnect the user from the GUI session, if required, as described in Procedure 36-10. Perform one of the following: a b c 4 Go to step 4 to modify the privileges for a CLI role. Go to step 5 to modify the privileges for a GUI role. Go to step 6 to modify the privileges for a Reports role.
Modify the privilege for the CLI role by typing:

user modify group CLI id group
where id is the username of the account group is the privilege, which can be sudo, admin, user, readonly, or demoonly. See Table 36-2 for more information.
Modify the privileges for the GUI role by typing:

user modify group GUI id gui_role1 [gui_role2] [gui_role3] [gui_role4] [gui_role5]
where id is the username of the account gui_role1 is the privilege, which can be NE, ano, subs, admin, or demo. See Table 36-2 for more information. gui_role2 to gui_role5 are optional and can be NE, ano, subs, admin, or demo. See Table 36-2 for more information.
Modify the privileges for the Reports role by typing:

user modify group Reports id rep_role1 [rep_role2] [rep_role3] [rep_role4]
where id is the username of the account rep_role1 is the privilege, which can be subs, NE, apps, demo, admin. See Table 36-2 for more information. rep_role2 to rep_role4 are optional and can be subs, NE, apps, demo, admin. See Table 36-2 for more information.
Modifying the name of an account

Perform Procedure 36-6 to modify the name of an account.
Procedure 36-6 To modify the name of an account

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Assign a new name to an existing account by typing:
user modify name id [new_firstname] [new_lastname]
where id is the userame of the account new_firstname is the new first name of the account new_lastname is the new last name of the account
Setting the password timeout

Perform Procedure 36-7 to reset the default number of days before all passwords expire. Perform Procedure 36-8 to reset the default number of days before a specific password expires.
Procedure 36-7 To reset the default timeout for all passwords

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Specify the default timeout for all passwords by typing:
user setDefaultPasswordAge days
where days is the number of days before passwords expire for existing and new users. The default is 42 days.
Procedure 36-8 To reset the default timeout for a specific password

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Specify the default timeout for an account by typing:
user modify PasswordAge id days
where id is the username of the account days is the number of days before the password expires for existing and new users. The default is 42 days.
36-8
Setting the idle timeout

Perform Procedure 36-9 to set the idle timeout for the GUI and Reports roles that have not had activity in a specified amount of time. The timeout prevents data accumulation when specific signaling messages are not viewed; for example, if a RADIUS accounting problem occurred in the service provider network and the RADIUS accounting responses were not delivered to the 9900 WNG. The idle timeout removes the sessions that are considered ended due to no activity. To display the idle timeout for the GUI and Reports roles, perform Procedure 36-14.
Procedure 36-9 To set the idle timeout for user accounts

1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Specify the idle timeout for all GUI and Reports roles by typing:
idleTimeout {GUI | web} timeout
where timeout is the idle timeout in minutes. The range is 0 to 4 294 967 295. The default is 0. A value of 0 means no idle timeout.
Note Alcatel-Lucent recommends that the timeout is set to a value that is greater than or equal to one day and the timeout can match any network timeout for subscriber sessions. For example, a subscriber session in some networks terminates after one day regardless of activity. In this case, Alcatel-Lucent recommends setting the timeout to one day.
Disconnecting users
Perform Procedure 36-10 to disconnect a specific user or all users that are connected to the GUI.
Procedure 36-10 To disconnect one or all users from active GUI sessions
1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Perform one of the following: a b 3 Go to step 3 to disconnect all users. Go to step 4 to disconnect one user.
Disconnect all users by typing one of the following:

guiDisconnect all clean guiDisconnect all clean noclean
36-9
Use the clean option before an upgrade to disconnect the existing sessions and reload the new configuration. Otherwise, use the noclean option. 4 Disconnect a user by typing one of the following:
guiDisconnect user id clean noclean guiDisconnect user id noclean
Use the clean option before an upgrade to disconnect the existing sessions and reload the new configuration. Otherwise, use the noclean option.
Deleting user accounts

Perform Procedure 36-11 to delete user accounts.
Procedure 36-11 To delete a user account

This procedure does not apply to an SNMP or Motive API user accounts. See Procedures 19-5 or 20-2. 1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Delete a user account by typing:
user delete id
A confirmation prompt appears. 3 Confirm the deletion by typing:

Y
36.3
Monitoring user accounts

You can use CLI commands to monitor user accounts. Table 36-5 lists where to find information about how to monitor users accounts.
Table 36-5 Procedure for monitoring users
Task To display CLI, GUI, and Reports roles that are on the 9900 WNG Central To display SNMP user accounts (1 of 2) See Procedure 36-12 19-7
36-10
Task To display Motive API user accounts To display user accounts with a pattern To display the idle timeout for the GUI and Reports roles (2 of 2)
See Procedure 20-3 36-13 36-14
Displaying user accounts

Perform Procedures 36-12 to display all roles. Perform Procedures 36-13 to display roles with a specific pattern.
Procedure 36-12 To display CLI, GUI, and Reports roles that are on the 9900 WNG Central
This procedure does not apply to SNMP or Motive API user accounts. See Procedures 19-7 and 20-3. 1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Display all of the configured user accounts by typing:
show users
Table 36-6 describes the information that appears for each user account.
Table 36-6 show users information
Column Name Login CLI Role Description The first and last name of the user. The login name for the user. The access level when the user is using CLI. The CLI roles are sudo, admin, user, readonly, and demoonly. See Tables 36-1 and 36-2 for more information about roles and privileges. The access level when the user is using the GUI. The GUI roles are NE, ano, subs, admin, and demo. See Tables 36-1 and 36-2 for more information about roles and privileges. The access level when the user is using the GUI. The Reports roles are NE, subs, apps, admin, and demo. See Tables 36-1 and 36-2 for more information about roles and privileges.
GUI Role
Reports Role
36-11
Procedure 36-13 To display user accounts with a pattern

This procedure does not apply to SNMP and Motive API user accounts. 1 2 Log in to the CLI with the any privilege, as described in Procedure 14-1 or 14-2. Display the users with a specific characteristic by typing:
grep users pattern
where pattern is a specific characteristic that applies to accounts; for example, all accounts with a specific name
Displaying idle timeouts

Perform Procedure 36-14 to display the idle timeout for the GUI and Reports roles.
Procedure 36-14 To display the idle timeout for the GUI and Reports roles
This procedure does not apply to SNMP and Motive API user accounts. 1 2 Log in to the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Display the idle timeout for all GUI and Reports roles by typing:
show idleTimeout {GUI | web}
The timeout for all GUI and Reports roles appears.
36-12
System monitoring and administration
37 Monitoring the 9900 WNG Central and Detector 38 System events 38-1
37-1
37.1 Monitoring the 9900 WNG system
37-2 37-2
37.2 Monitoring the 9900 WNG using log files 37.3 Monitoring GUI reports and queries 37.4 Measuring system performance
37-10
37-12
37.5 Monitoring a remote 9900 WNG Central and Detector using the BMC 37-29
37-1
37.1
Monitoring the 9900 WNG system

The 9900 WNG includes tools that the system administrator can use to monitor the health of the 9900 WNG Central and Detector. The tools provide information to determine if there is a need to perform maintenance on the 9900 WNG system. Table 37-1 describes the monitoring tools and where to find more information.
Table 37-1 Monitoring the 9900 WNG system
Monitoring tool Description See
CLI-based monitoring tools User accounts Log reports View information about accounts View logs that monitor system events View logs that monitor GUI-based activities View Motive API logs Performance measurements BMC GUI-based tools Status LEDs Status indicators for the following: View logs that measure system performance View reports that monitor remote 9900 WNG Central and Detector hardware Procedure Section 37.4 Section 37.5 Section 36.3 Section 37.2

System events
database anomaly events system CPU Utilization memory utilization disk utilization processes hardware and software failures
9900 WNG status indicators in section 16.3
Query based reports about the following:
Chapter 38
37.2
Monitoring the 9900 WNG using log files

The 9900 WNG can log the following events:
configuration management activities software upgrades and updates security related events (for example, user login attempts) autonomous notifications internal system errors and corrective actions taken informational messages not associated with alarms or error conditions (for example, state changes, status)
All log files have a maximum size of 10 MB. When a file has reached the maximum size, the log files rollover to another file, with up to seven such files for each log stored on disk.
When you view log files on the CLI, log files are displayed in reverse order (that is, the most recent message received is displayed first in the log file). Procedure 37-1 describes how to view 9900 WNG log files using CLI.
Procedure 37-1 To view 9900 WNG log files using CLI

1 2 Access the CLI, as described in Procedure 14-1 or 14-2. Type a show command, as described in Table 37-2.
Table 37-2 CLI commands used for viewing log files
CLI command show log audit show log central show log central-err show log compression show log database show log detector show log gui show log ipmi show log motive show log syslog show log systemEvents show log webAccess Executed on Central Central Central Central Central Detector Central Central Central Central and Detector Central Central Description Displays the CLI logging information Displays the 9900 WNG WNG Central logging information Displays error logging information Displays information about hourly and daily summaries Displays information about the database Displays 9900 WNG Detector logging information Displays the GUI logging information Displays BMC logging information Displays the Motive API logging information Displays the system level logging information Displays all of the generated system events Displays the web access logging information
Sample log reports

The following sections show a sample for each type of system log that you can generate.
show log audit
The show log audit command contains all commands that different users have executed through the CLI. The following is sample output from the CLI screen:
37-3
central> show log audit May 8 09:19:38 central123.company.com slwhite1gui: central123.company.com. "show log audit" May 8 09:18:40 central123.company.com slwhite1gui: central123.company.com. "show log syslog" May 8 09:18:29 central123.company.com slwhite1gui: central123.company.com. "login slwhite1gui" May 8 09:16:40 central123.company.com slwhite1gui: central123.company.com. "show log central"
show log central
The show log central command shows information on Central processes. For example, license loading errors and what is wrong with the license, as well as connections to the Detectors. The following is sample output from the CLI screen:
central> show log central <13>May 08 08:53:48 WARNING: [DataBaseWriter] batch update failed with size=2, error code:22001 <15>May 08 08:38:52 <15>May 07 20:38:53 <15>May 07 08:38:52 INFO: [AwareCentral] Load license...SUCCESS INFO: [AwareCentral] Load license...SUCCESS INFO: [AwareCentral] Load license...SUCCESS
<13>May 06 23:15:51 WARNING: [DataBaseWriter] batch update failed with size=2, error code:22001
show log central-err
The show log central-err CLI command displays error logging information for the 9900 WNG Central. The following is sample output from the CLI screen.
central> show log central-err Jun 29 14:01:03 aware-central99 anomalyArchival-7654: end:2010-06-29 14:01:01.000000000 -0400 Jun 29 14:01:01 aware-central99 anomalyArchival-7654: start:2010-06-29 14:01:01.000000000 -0400 Jun 29 13:24:01 aware-central99 hourlySummary-7270: Custom HourlySummary on 1277820000 took 0 seconds Jun 29 13:24:01 aware-central99 HourlyNetworkSummary-7300: Hourly Network Summary took 67 seconds Jun 29 13:22:54 aware-central99 hourlySummary-7270: HourlySummary 1277820000 took 31 seconds Jun 29 13:22:23 aware-central99 hourlySummary-7195: Custom HourlySummary on 1277816400 took 0 seconds Jun 29 13:22:23 aware-central99 HourlyNetworkSummary-7234: Hourly Network Summary took 95 seconds 37-4 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
Jun 29 13:20:48 aware-central99 hourlySummary-7195: HourlySummary 1277816400 took 36 seconds Jun 29 13:20:12 aware-central99 flowSummary-7012: Custom FlowSummary on mobile_flow_record_20100629113359 took 0 seconds Jun 29 13:20:12 aware-central99 flowSummary-7012: Compressing mobile_flow_record_20100629113359 took 694 seconds Jun 29 13:01:01 aware-central99 anomalyArchival-6922: end:2010-06-29 13:01:01.000000000 -0400 Jun 29 13:01:01 aware-central99 anomalyArchival-6922: start:2010-06-29 13:01:01.000000000 -0400 Jun 29 12:01:03 aware-central99 anomalyArchival-5129: end:2010-06-29 12:01:01.000000000 -0400 Jun 29 12:01:01 aware-central99 anomalyArchival-5129: start:2010-06-29 12:01:01.000000000 -0400 Jun 29 11:58:36 aware-central99 hourlySummary-5037: Custom HourlySummary on 1277812800 took 0 seconds Jun 29 11:58:36 aware-central99 HourlyNetworkSummary-5075: Hourly Network Summary took 79 seconds Jun 29 11:57:17 aware-central99 hourlySummary-5037: HourlySummary 1277812800 took 41 seconds Jun 29 11:56:36 aware-central99 flowSummary-4819: Custom FlowSummary on mobile_flow_record_20100629100709 took 0 seconds
show log database
The show log database CLI command displays information about the database. The following is sample output from the CLI screen.
central# show log database Version: '5.1.45-enterprise-commercial-pro' socket: '/var/lib/mysql/mysql.sock' port: 3308 MySQL Enterprise Server - Pro Edition (Commercial) 100628 16:17:28 [Note] /usr/sbin/mysqld: ready for connections. 100628 16:17:28 [Note] Event Scheduler: Loaded 0 events 100628 16:17:28 InnoDB: Started; log sequence number 0 266721272
100628 16:17:28 [Note] Plugin 'FEDERATED' is disabled. 100628 16:17:27 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql 100628 16:17:27 mysqld_safe mysqld from pid file /var/lib/mysql/aware-central21.pid ended 100628 16:17:27 [Note] /usr/sbin/mysqld: Shutdown complete 100628 16:17:27 266721272 InnoDB: Shutdown completed; log sequence number 0
37-5
show log detector
The show log detector command shows information on the Detector processes. The following is sample output from the CLI screen:
central> detector detectorB detector:detectorB> show log detector May 4 16:22:29 detectorB ser: [SystemEventCollector] detector=detectorB time=1209932548.604402 class=4 module=tracker sev=clear corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=Receivingpackets desc=Receivi gpackets May 4 16:22:29 detectorB aware: [awared] Receiving Packets
May 4 13:53:28 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923608.604402 class=4 module=tracker sev=maj corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=NoPackets desc=NoPacketsinla t60seconds May 4 13:53:28 detectorB aware: [awared] No packets in last 60 seconds May 4 13:52:31 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923551.604402 class=4 module=tracker sev=clear corrid=606343948 count=1 type=12 refobj=detectorB subobj=19 value=59.996 cond=<60% desc=EventQueueUsag Normal May 4 13:52:29 detectorB ser: [SystemEventCollector] detector=detectorB time=1209923549.604402 class=4 module=tracker sev=maj corrid=606343948 count=1 type=12 refobj=detectorB subobj=19 value=75.001 cond=>75% desc=HighOccupancyin ventQueue Apr 26 10:10:16 detectorB aware: [awared] Receiving Packets Apr 26 10:10:16 detectorB ser: [SystemEventCollector] detector=detectorB time=1209219015.747128 class=4 module=tracker sev=clear corrid=606339080 count=1 type=8 refobj=detectorB subobj=0 value=0.000 cond=Receivingpackets desc=Receivi
show log gui
The show log gui command shows all clients connecting to the GUI (that is, user name). For example, when clients shut down, and duplicate client connections. The following is sample output from the CLI screen.
central> show log gui <15>Jun 29 11:38:20 INFO: [GUIBootstrap] Connection UP to GUI(port):cory(4702) <15>Jun 29 08:51:58 INFO: [GUIBootstrap] Connection DOWN to GUI(port):omwal(4248) 37-6 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
<13>Jun 29 08:51:58 WARNING: [GUIHandlerThread$WriteToClient] IO Error writing to gui client... terminating with error: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset <13>Jun 29 08:51:58 WARNING: [GUIHandlerThread$ReadFromClient] IOException: Connection reset GUI User: omwal Execution Time: Tue Jun 29 14:51:39 CEST 2010 Operation: Start Time: End Time: Hop Start: Network Forensic Hop Report Tue Jun 29 02:51:24 CEST 2010 Tue Jun 29 14:51:24 CEST 2010 RNC_520 RNC
Start Hop Type: Hop End:
4024003C1773 BS Consise
End Hop Type: Report Type :
Query Duration : 13016 ms <15>Jun 29 08:51:41 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client: GUI User: omwal Execution Time: Tue Jun 29 14:50:10 CEST 2010 Operation: Start Time: End Time: Hop Start: Network Forensic Hop Report Tue Jun 29 02:50:03 CEST 2010 Tue Jun 29 14:50:03 CEST 2010 RNC_AB RNC
31041057e59eae BS Consise
Query Duration : 4391 ms
show log ipmi
The show log ipmi CLI command displays BMC logging information for the 9900 WNG Central. The following is sample output from the CLI screen.
central:sudo# show log ipmi
37-7
ipmiutil ver 2.54 showsel: version 2.54 -- BMC version 0.64, IPMI version 2.0 SEL Ver 51 Support 0f, Size = 3938 records (Used=629, Free=3309) RecId Date/Time_______ Source_ Evt_Type SensNum Evt_detail - Trig [Evt_data] 0004 12/24/09 18:33:01 BMC ff] 0018 12/24/09 18:38:34 BMC 0f ff] 10 SEL Disabled #09 Log Cleared 6f [42 0f 14 Button #84 Power Button pressed 6f [40
002c 12/24/09 18:38:36 BIOS 12 System Event #83 Boot: ClockSync_1 6f [05 00 ff] 0040 12/24/09 18:38:36 BIOS 12 System Event #83 Boot: ClockSync_2 6f [05 80 ff] 0054 12/24/09 18:38:36 BMC ff] 0068 02/01/10 21:16:03 BMC 007c 02/01/10 21:16:03 BMC 0090 12/24/09 19:39:02 BMC 09 Power Unit #01 Power Off 6f [40 0f
07 Processor #90 Present 6f [47 0f ff] 07 Processor #91 Present 6f [47 0f ff] 09 Power Unit #01 AC Lost 6f [44 0f ff]
00a4 02/01/10 21:16:04 BMC 09 Power Unit #01 AC Regained ef [44 0f ff] 00b8 02/01/10 21:16:06 BMC 00cc 02/01/10 21:16:10 BMC 0f ff] 08 Power Supply #70 Inserted 6f [40 0f ff] 14 Button #84 Power Button pressed 6f [40
show log compression
The show log compression CLI command displays information about the hourly and daily summaries. The following is sample output from the CLI screen.
<15>Jun 25 04:56:29 INFO: [DataSummaryGenerator] Now obtaining hourly summary for hour=2010-06-25 00:00 <15>Jun 25 04:52:10 INFO: [DataSummaryGenerator] Now obtaining hourly summary for hour=2010-06-24 23:00 <15>Jun 25 02:34:30 INFO: [DataSummaryGenerator] Running daily summary for: 20100624 with start,endtimes = 1277352000,1277438400
show log motive
The show log motive command shows information about the Motive API. The following is sample output from the CLI screen.
sudo# show log motive
37-8
maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 minimum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 average durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 com.alcatel_lucent.aware.motive.MotiveServer instance(2) complete. Statistics: Server Start: Wed Jun 23 10:03:46 EDT 2010, Server End Time: Wed Jun 23 10:38:13 EDT 2010 # of transactions applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriber Issues=0 deviceInfo=0 maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 minimum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 average durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 com.alcatel_lucent.aware.motive.MotiveServer instance(1) complete. Statistics: Server Start: Wed Jun 23 10:03:46 EDT 2010, Server End Time: Wed Jun 23 10:16:18 EDT 2010 # of transactions applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriber Issues=0 deviceInfo=0 maximum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0 minimum durations applicationInfo=0 dataUsage=0 networkCongestion=0 subscriberInfo=0 subscriberIssues=0 deviceInfo=0
show log syslog
The show log syslog command shows all important messages. For example, disk errors. The following is sample output from the CLI screen:
central> show log syslog Feb 4 04:32:46 central123.company.com syslogd 1.4.1: restart (remote reception). Feb 4 04:32:45 central123.company.com syslogd 1.4.1: restart (remote reception). Feb 4 00:01:02 central123.company.com logger: root 26059 2055 0 Feb03 pts/1 Ss 0:00 -bash Feb 3 18:54:04 central123.company.com init: Re-reading inittab central>
show log systemEvents
The show log systemEvents command shows all system events that have occurred in the system. The following is sample output from the CLI screen.
central> show log systemEvents <15>Jun 29 06:49:56 INFO: [SystemEventHandlerThread$EventMessageHandlerThread] WROTE TO DB: detector=1 time=1.277808596644E9 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=Line rate threshold status=active endtime=0.0 value=955.729 referencedObject=aware-detector99 referencedSubObject=Capture Port A condition=A>950Mbits/sec description=PortAcaptureratetoohigh <15>Jun 29 06:49:56 INFO: [SystemEventBootstrap$SnmpThread] WROTE TO SNMP: detector=1 time=1277808596.644 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=10 refobj=aware-detector99 subobj=66 value=955.729 cond=A>950Mbits/sec desc=PortAcaptureratetoohigh <15>Jun 29 06:49:56 INFO: [SystemEventHandlerThread] RECEIVED: detector=1 time=1277808596.644 class=4 module=sysmon sev=crit corrid=16859658 count=1 type=10 refobj=aware-detector99 subobj=66 value=955.729 cond=A>950Mbits/sec desc=PortAcaptureratetoohigh
show log webAccess
The show log webAccess command shows all system events that have occurred in the system. The following is sample output from the CLI screen.
Jun 29 11:36:31 Jun 29 11:36:20 Jun 29 10:30:45 [info] user cory launched the GUI client [info] user cory from 138.120.141.128 logged in [info] demotaylor: file: alu9900mibs.zip
Jun 29 09:27:09 [info] user demotaylor from 138.120.134.113 logged in Jun 29 09:17:50 Jun 29 09:01:31 Jun 29 08:37:14 Jun 29 08:37:08 Jun 29 08:04:05 Jun 29 08:04:05 Jun 29 08:04:05 Jun 29 08:04:05 Jun 29 08:04:05 [info] user hbouvier from 135.120.193.183 logged in [info] user hbouvier from 135.120.193.183 logged in [info] user omwal launched the GUI client [info] user omwal from 172.31.149.32 logged in [info] user vantan from 135.244.112.98 logged in [info] user vantan session timed out or expired [info] user democenter session timed out or expired [info] user fryandi session timed out or expired [info] user scm session timed out or expired
37.3
Monitoring GUI reports and queries

The system generates messages in the log file of the 9900 WNG Central for the following reports and queries that are initiated on the GUI.
Subscriber Report Network Forensic Element Report

Network Forensic Hop Report Mobile Flow Query

The logs contain the user name, execution time, operation, query start time, query end time, query key like mobile ID, IP addresses or network element name.
Subscriber Report
The following is an example of the Subscriber Report log file:
<15>Mar 21 14:51:54 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client: GUI User: jsmith Execution Time: Sun Mar 21 14:51:53 EDT 2010 Operation: Start Time: End Time: Mobile ID: Subscriber Report Sun Mar 21 10:51:00 EDT 2010 Sun Mar 21 14:51:00 EDT 2010 1234567891@mip.1x.bell.ca Individual
Subscriber Report Type:
Network Forensic Element Report

The following is an example of the Network Forensic Element Report log file:
<15>Mar 21 14:58:23 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client: GUI User: jsmith Execution Time: Sun Mar 21 14:58:23 EDT 2010 Operation: Start Time: End Time: Network Forensic Element Report Sun Mar 21 02:58:00 EDT 2010 Sun Mar 21 14:58:00 EDT 2010 402400000B83 BS Concise
Network Element: Element Type: Report Type :
Network Forensic Hop Report

The following is an example of the Network Forensic Hop Report log file:
<15>Mar 21 14:58:58 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client:
37-11
GUI User: jsmith Execution Time: Sun Mar 21 14:58:58 EDT 2010 Operation: Start Time: End Time: Hop Start: Network Forensic Hop Report Sun Mar 21 14:28:00 EDT 2010 Sun Mar 21 14:58:00 EDT 2010 rnc043 RNC
402400000B83 BS Non-concise
Mobile Flow Query

The following is an example of the Mobile Flow Query log file:
<15>Mar 21 14:59:33 INFO: [GUIHandlerThread$ReadFromClient] Received following operation from gui client: GUI User: jsmith Execution Time: Sun Mar 21 14:59:32 EDT 2010 Operation: Start Time: End Time: IP 1: ID 1: IP 2: ID 2: Mobile Flow Query Sun Mar 21 10:58:00 EDT 2010 Sun Mar 21 14:58:00 EDT 2010
172.19.43.233 none none none IP_1 Orig
Flow Indicator:
37.4
Measuring system performance

Performance measurements allow you to assess system activity to engineer the system capacity and identify system faults. Table 37-3 lists the CLI commands that are used to measure 9900 WNG performance.
37-12
37 Monitoring the 9900 WNG Central and Detector Table 37-3 Performance measurement CLI commands
CLI command show stats show memory show system show backhaul show compressionStatus show top Executed on 9900 WNG Central and Detector 9900 WNG Central and Detector 9900 WNG Central and Detector 9900 WNG Central 9900 WNG Central 9900 WNG Central
show stats
The show stats CLI command when performed at the 9900 WNG Central prompt, provides information about the state of the internal memory buffers and other statistics collected by 9900 WNG Central for each 9900 WNG Detector connected to it. For example, the show stats CLI command displays the number of mobile flows, anomalies, and the breakdown of the types of anomalies from the latest update from the Detector. When the show stats CLI command is performed at the 9900 WNG Detector prompt, it provides similar statistics of the events generated by each 9900 WNG Detector including whether any events are dropped at the 9900 WNG Detector and the timestamp of the last packet seen at the 9900 WNG Detector. The following output is displayed when you enter the show stats command on the 9900 WNG Central.
Number of Connected EMS Clients: 7 (user1:138.120.134.125,user2:137.244.35.254,user3:134.183.211.144,us er4:135.144.119.249,user5:136.222.252.126,user6:138.222.155.111,user 7:139.244.145.151) Number of Connected Detectors: 2 aware-detectorA (192.168.1.3) Anomaly Channel UP since Jun 14 13:43:47 2010 EDT Awareness Channel UP since Jun 14 13:43:49 2010 EDT aware-intel3 (135.112.180.91) Anomaly Channel UP since Jun 14 13:43:49 2010 EDT Awareness Channel UP since Jun 14 13:43:49 2010 EDT Queue Usage at Central: Anomaly Queue: Periodic Status Queue: Mobile Flow Queue: 0 90 9736
37-13
Subscriber Queue: Syslog queue: Active Topology View GGSN/HA count: SGSN/FA count: RNC count: Base Station count: Active Hop count: Events not written to DB Anomaly: Periodic Status: Mobile Flow: Billing Discrepancy Session: Subscriber Session: Detector:aware-detectorA Link_Status: 13:43:47 2010 EDT Total Events Received: Anomaly Events: Periodic Status Events: Subscriber/Connection Events: Mobile Flow Events: 196 5593 9079 16262 22673
1412 0
0 0 0 0 0
Up since Jun 14 25647825 1725 779182 3192493 21674425
2010 EDT
Anomaly Events Last Reported by Detector at Jun 14 15:35:02 Signaling Attacks: RNC Overloads: Battery Attacks: Vertical Portscans: Horizontal Portscans: Always Active Subscribers: High Usage Subscribers: 14 0 8 0 24 0 56
37-14
Subscribers using p2p: Sources of Unwanted traffic: High signaling subscribers: Distributed Battery Attacks: Mobile Flood(Single Source): Distributed Mobile Floods: Router Discovery Anomalies: Number of Active Mobiles: Detector:aware-intel3 Link_Status: 13:43:49 2010 EDT Total Events Received: Anomaly Events: Periodic Status Events: Subscriber/Connection Events: Mobile Flow Events: 2010 EDT
62 9 659 0 0 0 0 767660
Up since Jun 14 28086957 1191 1124394 3529436 23431936
Anomaly Events Last Reported by Detector at Jun 14 15:38:29 Signaling Attacks: RNC Overloads: Battery Attacks: Vertical Portscans: Horizontal Portscans: Always Active Subscribers: High Usage Subscribers: Subscribers using p2p: Sources of Unwanted traffic: High signaling subscribers: Distributed Battery Attacks: Mobile Flood(Single Source): Distributed Mobile Floods: Router Discovery Anomalies: 14 0 22 0 23 0 62 76 9 334 14 0 0 0
37-15
Number of Active Mobiles:
856139
show memory
The show memory CLI command provides a detailed snapshot of memory usage on the 9900 WNG Central or Detector.
Note See the RHEL 5.0 or later manual pages for information about memory statistics.
The following output is displayed when you enter the show memory command on the 9900 WNG.
MemTotal: MemFree: Buffers: Cached: SwapCached: Active: Inactive: HighTotal: HighFree: LowTotal: LowFree: SwapTotal: SwapFree: Dirty: Writeback: AnonPages: Mapped: Slab: PageTables: NFS_Unstable: Bounce: CommitLimit: 32959952 kB 1576692 kB 155320 kB 20200104 kB 0 kB 25577028 kB 5294484 kB 0 kB 0 kB 32959952 kB 1576692 kB 16777208 kB 16777076 kB 1268 kB 0 kB 10516320 kB 29220 kB 435620 kB 39280 kB 0 kB 0 kB 33257184 kB
Committed_AS: 11707416 kB 37-16 Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA
VmallocTotal: 34359738367 kB VmallocUsed: 271080 kB
VmallocChunk: 34359466919 kB HugePages_Total: HugePages_Free: HugePages_Rsvd: Hugepagesize: central> : 0 0 0 2048 kB
show system
The show system CLI command provides performance measurements for the CPU, disk usage, and memory consumption. The following output is displayed when you enter the show system command on the 9900 WNG Central.
Uptime: 09:05:46 up 30 days, 7 min, 4 users, load average: 0.18, 0.14, 0.10 CPU Usage: Cpu(s): 3.0%us, 0.2%sy, 0.0%ni, 96.6%id, 0.1%wa, 0.0%hi, 0.0%si, Memory Usage: MemTotal: MemFree: Active: Inactive: Disk Usage: Filesystem Size Used Avail Use% Mounted on 32959952 kB 1531956 kB 25605692 kB 5309488 kB 0.0%st
/dev/mapper/VolGroup00-LogVol00 593G /dev/sdb1 2.0T 2.7G 1.5T 560G 465G 1% / 76% /awaredb
/dev/mapper/VolGroup00-LogVol01 49G 428M 46G 1% /var
37-17
show backhaul
The show backhaul CLI command displays the current and peak management backhaul communication rates between 9900 WNG Detector and Central, which can be used to size the backhaul communication from the 9900 WNG Detector to the 9900 WNG Central. The following output is displayed when you enter the show backhaul command on the 9900 WNG Central.
eth0: Receive: 14.9 Mbits/sec 1710.9 packets/sec ( 98.4 Mbits/sec peak - 14:41 04/15/10) eth0: Transmit: 0.5 Mbits/sec 1052.9 packets/sec ( 40.1 Mbits/sec peak - 11:38 06/07/10) eth1: Receive: 13.5 Mbits/sec 1363.4 packets/sec ( 26.9 Mbits/sec peak - 13:41 06/14/10) eth1: Transmit: 0.2 Mbits/sec peak - 20:48 06/13/10) 470.4 packets/sec ( 1.1 Mbits/sec
show compressionStatus
The show compressionStatus command displays compression related information.
central:sudo# show compressionStatus Hourly summary available until 2010-06-24 03:00:00 Number of uncompressed tables 3 Latest dailySummary available for 2010-06-22 00:00:00
show top
The show top command displays information about UNIX utilities:
central:sudo# show top top - 10:33:03 up 35 days, 20:07, 15 users, 1.57 Tasks: 226 total, Cpu(s): 14.1%us, 0.3%si, 0.0%st load average: 1.20, 1.56, 0 stopped, 2.7%wa, 0 zombie
2 running, 224 sleeping, 1.3%sy, 0.0%ni, 81.5%id,
0.1%hi, 136728k
Mem: 63924972k total, 61092684k used, buffers Swap: 16777208k total, cached
2832288k free,
204k used, 16777004k free, 27523412k
PID USER
PR
NI
VIRT
RES
SHR S %CPU %MEM
TIME+
COMMAND
37-18
17587 root myisamchk 9024 root 1 root 2 root migration/0 3 root ksoftirqd/0 4 root 5 root migration/1 6 root ksoftirqd/1 7 root 8 root migration/2 9 root ksoftirqd/2 10 root 11 root migration/3 12 root ksoftirqd/3 13 root 14 root migration/4 15 root ksoftirqd/4 16 root 17 root migration/5 18 root ksoftirqd/5 19 root
25 17 15 RT 34 RT RT 34 RT RT 34 RT RT 34 RT RT 34 RT RT 34 RT
155m 130m
888 R 100.8
0.2 0.2 0.0 0.0 0.0
0:43.19 2926:12 java 0:02.65 init 0:00.07 0:00.21
0 10.4g 134m 9072 S 13.8 0 10348 -5 19 -5 -5 19 -5 -5 19 -5 -5 19 -5 -5 19 -5 -5 19 -5 0 0 0 0 0 0 0 0 0 0 0 0 S 0 0 0 0 0 0 0 S 0 0 0 0 0 0 0 S 0 0 0 0 0 0 0 S 0 0 0 0 0 0 S 712 0 0 0 S 596 S 0 S 0 S 0.0 0 S 0 S 0.0 0 S 0 S 0.0 0 S 0 S 0.0 0 S 0 S 0.0 0 S 0 S 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:00.00 watchdog/0 0.0 0.0 0:00.09 1:37.52
0:00.00 watchdog/1 0.0 0.0 0:00.10 3:15.74
0:00.00 watchdog/2 0.0 0.0 0:00.07 0:08.73
0:00.00 watchdog/3 0.0 0.0 0:00.25 0:00.31
0:00.00 watchdog/4 0.0 0.0 0:00.24 0:01.49
0:00.00 watchdog/5
37-19
20 root migration/6 21 root ksoftirqd/6 22 root 23 root migration/7 24 root ksoftirqd/7 25 root 26 root 27 root 28 root 29 root 30 root 31 root 32 root 33 root 34 root 543 root 554 root 555 root 556 root 557 root 558 root
RT 34 RT RT 34 RT 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
-5 19 -5 -5 19 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 S 0 0 0 S
0 S 0 S 0.0 0 S 0 S 0.0
0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0
0:00.28 0:05.45
0:00.00 watchdog/6 0.0 0.0 0:00.24 0:00.57
0:00.00 watchdog/7 0:00.07 events/0 0:00.01 events/1 0:00.02 events/2 0:00.00 events/3 0:00.00 events/4 0:00.69 events/5 0:00.02 events/6 0:00.18 events/7 0:00.18 khelper 0:00.61 kthread 0:00.10 kblockd/0 0:00.32 kblockd/1 0:02.19 kblockd/2 0:00.11 kblockd/3 0:00.03 kblockd/4
0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 0 0 0 0 0 0 0 0 0 0 0
0 0
37-20
559 root 560 root 561 root 562 root 708 root 709 root 710 root 711 root 712 root 713 root 714 root 715 root 718 root 720 root 837 root 840 root 841 root 842 root 843 root 844 root 845 root
10 10 10 20 19 10 10 10 10 10 10 10 11 10 15 10 16 17 17 19 20
-5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 0 -5 -5 -5 -5 -5 -5
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 S 0 S 0 S
0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:00.44 kblockd/5 0:02.02 kblockd/6 0:00.06 kblockd/7 0:00.00 kacpid 0:00.00 cqueue/0 0:00.00 cqueue/1 0:00.00 cqueue/2 0:00.00 cqueue/3 0:00.00 cqueue/4 0:00.00 cqueue/5 0:00.00 cqueue/6 0:00.00 cqueue/7 0:00.00 khubd 0:00.00 kseriod 0:00.00 khungtaskd 9:33.62 kswapd0 0:00.00 aio/0 0:00.00 aio/1 0:00.00 aio/2 0:00.00 aio/3 0:00.00 aio/4
0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0
37-21
846 root 847 root 848 root 1011 root 1090 root 1136 root 1137 root 1138 root 1148 root 1149 root 1150 root 1151 root 1152 root 1153 root 1154 root 1155 root 1156 root 1175 root 1176 root usb-storage 1178 root 1179 root usb-storage
10 10 20 11 12 10 12 11 13 14 15 16 17 17 19 19 18 19 10 10 10
-5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0
0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0
0:00.00 aio/5 0:00.00 aio/6 0:00.00 aio/7 0:00.00 kpsmoused 0:00.00 scsi_eh_0 0:00.00 mpt_poll_0 0:00.00 mpt/0 0:00.00 scsi_eh_1 0:00.00 ata/0 0:00.00 ata/1 0:00.00 ata/2 0:00.00 ata/3 0:00.00 ata/4 0:00.00 ata/5 0:00.00 ata/6 0:00.00 ata/7 0:00.00 ata_aux 0:00.00 scsi_eh_2 3:08.16
0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 0 0 0 0 0 0 0 0
0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S
0 S 0 S
0.0
0.0
0.0
0.0
0:00.00 scsi_eh_3 3:04.85
0 S
0.0
0.0
37-22
1181 root 1182 root usb-storage 1184 root 1185 root usb-storage 1196 root 1233 root 1272 root 1299 root 1332 root 2054 root 2055 root awarecli.sh 2061 root 2126 root 2558 root 2562 root 2962 root 2963 root 2964 root 2965 root 2966 root 2967 root
12 10 14 10 11 12 10 11 12 17 23 18 10 15 15 11 11 11 11 11 11
-5 -5 -5 -5 -5 -5 -5 -5
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 780
0 S
0.0
0.0
0:00.00 scsi_eh_4 3:10.14
0 S 0 S
0.0
0.0
0.0
0.0
0:00.00 scsi_eh_5 3:07.71 0:00.00 kstriped 0:00.00 ksnapd 0:13.09 kjournald 0:00.00 kauditd 0:00.14 udevd 0:00.00 su 0:00.00 0:00.02 clish 0:00.00 kedac 0:03.71 sshd 0:00.34 bash 0:00.00 kmpathd/0 0:00.00 kmpathd/1 0:00.00 kmpathd/2 0:00.00 kmpathd/3 0:00.00 kmpathd/4 0:00.00 kmpathd/5
0 S 0 S 0 S 0 S 0 S 456 S
0.0
0.0
0.0 0.0
0.0 0.0
0.0 0.0 0.0
0.0 0.0 0.0 0.0
-4 12764 0 0
109m 1808 1388 S 8700 992 844 S
0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0
0 36292 3412 1312 S -5 0 0 0 S
0 98912 3872 2976 S 0 66184 1704 1212 S -5 -5 -5 -5 -5 -5 0 0 0 0 0 0 0 0 0 0 0 0 0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0
37-23
2968 root 2969 root
11 11
-5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5 -5
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 S 0 S
0.0 0.0
0.0 0.0
0:00.00 kmpathd/6 0:00.00 kmpathd/7 0:00.00
2970 root 11 kmpath_handlerd 2997 root 3003 root 3037 root jbd2/sda3-8 10 10 10
0 S 0 S 0 S
0.0
0.0
0.0 0.0
0.0 0.0
3:19.47 kjournald 1:44.19 kjournald 1:07.01 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00
0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
3038 root 11 ext4-dio-unwrit 3039 root 11 ext4-dio-unwrit 3040 root 11 ext4-dio-unwrit 3041 root 11 ext4-dio-unwrit 3042 root 11 ext4-dio-unwrit 3043 root 11 ext4-dio-unwrit 3044 root 11 ext4-dio-unwrit 3045 root 11 ext4-dio-unwrit 3049 root 3201 root 3475 root kondemand/0 3476 root kondemand/1 3477 root kondemand/2 3478 root kondemand/3 3479 root kondemand/4 10 15 10 14 15 16 16
0.0
0.0 0.0
0:00.01 kjournald 0:00.44 sshd 0:00.00 0:00.00 0:00.00 0:00.00 0:00.00
0 62624 1216 -5 -5 -5 -5 -5 0 0 0 0 0 0 0 0 0 0
656 S 0 S 0 S 0 S 0 S 0 S
0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0
37-24
3480 root kondemand/5 3481 root kondemand/6 3482 root kondemand/7 3898 root irqbalance 3912 dbus dbus-daemon 3948 ntp 4532 root 4556 haldaemo 4557 root hald-runner
17 16 17 18 15 15 15 15 15
-5 -5 -5
0 0 0
0 0 0 372 892
0 S 0 S 0 S 244 S 676 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:00.00 0:00.00 0:00.00 0:11.94 0:00.00 0:00.36 ntpd 0:00.33 crond 0:00.81 hald 0:00.00 0:00.00 0:00.00 3:12.11 3:11.71 3:16.19 3:11.18 8:20.68 0:00.00 smartd 0:00.00 mingetty 0:00.00 mingetty 0:00.00 mingetty 0:00.00 mingetty
0 10760 0 21256
0 23388 5028 3904 S 0 74804 1152 576 S
0 31260 4292 1564 S 0 21692 1076 0 12324 0 12324 0 10228 0 10228 0 10228 0 10228 0 10228 0 18416 0 0 0 0 3792 3792 3792 3792 844 844 684 680 680 684 680 472 484 484 484 484 868 S 724 S 732 S 584 S 584 S 584 S 584 S 584 S 268 S 412 S 412 S 412 S 412 S
4564 haldaemo 25 hald-addon-acpi 4567 haldaemo 25 hald-addon-keyb 4580 root 18 hald-addon-stor 4582 root 18 hald-addon-stor 4584 root 18 hald-addon-stor 4586 root 18 hald-addon-stor 4588 root 18 hald-addon-stor 4612 root 4643 root 4644 root 4645 root 4646 root 18 18 18 18 20
0.0 0.0 0.0 0.0
37-25
4648 root 4650 root 4651 root 7023 root 7027 root 7557 root 7561 root 7833 root 7834 root awarecli.sh 7840 root 7976 root 8187 root 8228 root 8232 root 8345 root 8481 root
21 18 17 15 16 15 15 17 21 18 15 16 15 15 16 15
0 0 0
3792 3792 3800
480 480 536
412 S 412 S 464 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.4 0.0
0:00.00 mingetty 0:00.00 mingetty 0:00.00 agetty 0:22.07 sshd 0:00.01 bash 0:00.31 sshd 0:00.01 bash 0:00.00 su 0:00.00 0:00.02 clish 0:00.07 mysql 9:56.87 top 0:00.07 sshd 0:00.00 bash 0:00.00 bash 0:00.00 mysql 0:00.00 0:00.00 16:17.24 sysmon 0:00.00 logger 0:42.93 snmpagent
0 98908 3804 2956 S 0 66056 1568 1152 S 0 98908 3824 2952 S 0 66156 1592 1168 S 0 0 109m 1808 1388 S 8700 992 844 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 36292 3416 1316 S 0 77448 2004 1268 S 0 12868 1208 804 S
0 98908 3820 2956 S 0 66056 1568 1148 S 0 66164 1588 1168 S 0 77308 1932 1208 S 0 0 0 0 0 9700 1224 996 S
8488 root 18 run_snmpagent.s 8501 root 21 run_systemEvent 8505 root 8510 root 8511 root 18 17 15
9700 1232 1000 S 346m 220m 2932 S 3784 424 360 S
391m 224m 2904 S
0.0
0.4
37-26
8523 root 8524 root 8608 root 8612 root 8862 root run_central.sh 9023 root 9076 root 9121 root 9125 root 9860 root 9861 root usb-storage
16 16 15 15 20 16 15 15 15 11 10
0 0
3784
424
360 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.2 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:00.00 logger 0:08.47 java 0:00.03 sshd 0:00.00 bash 0:00.00 0:00.00 logger 0:00.10 mysql 0:01.50 sshd 0:00.06 bash 0:00.00 scsi_eh_6 0:01.63 0:00.83 0:00.00 mysql 4:39.30 java 0:00.00 0:03.00 pdflush 7809:37 mysqld 0:00.82 pdflush 0:00.02 sshd 0:00.00 0:00.04 clish
888m 152m 8880 S
0 98908 3800 2952 S 0 66156 1572 1156 S 0 0 9700 1228 1000 S 3784 424 360 S
0 77460 2020 1268 S 0 98912 3836 2964 S 0 66192 1612 1160 S -5 -5 0 0 0 0 680 0 S
0.0
0.0
0 S 584 S
0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 2.7 0.0 0.0
9920 root 18 hald-addon-stor 10241 root 11812 tomcat 16630 root mysqld_safe 16672 root 16751 mysql 17302 root 17352 root 17356 root awarecli.sh 17362 root 15 25 25 15 15 15 15 18 18
0 10228
0 77428 1940 1208 S 0 2598m 1.7g 0 0 8704 1100 0 0 13m S 888 S 0 S
0 25.1g 0 0
23g 4.8g S 0 0 S
0.0 37.9 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0 98928 4376 3460 S 0 8700 992 844 S
0 36292 3380 1288 S
37-27
17540 apache 17541 apache 17561 root 17588 root 17590 root 17591 root command.sh 17592 root paginate.sh 17595 root 17597 root 18903 root 18908 root 19601 root 19605 root 19622 root
15 15 15 18 15 19 20 15 21 16 15 15 16 16
0 0
245m 6380 1936 S 245m 6376 1936 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:00.00 httpd 0:00.00 httpd 0:00.00 mysql 0:00.00 logger 0:00.00 sh 0:00.00 0:00.00 0:00.00 top 0:00.00 cat 0:08.73 sshd 0:00.01 bash 0:00.02 sshd 0:00.00 bash 0:00.00 mysql 0:00.03 0:00.02 0:00.70 syslogd 0:00.00 klogd 0:00.14 httpd 0:00.00 0:00.00 logger
0 77432 1940 1212 S 0 0 0 0 3784 8700 8700 428 944 972 364 S 800 S 828 S 976 S 708 R 324 S
9700 1208
0 12736 1064 0 3796 392
0 99688 3848 2976 S 0 66060 1572 1148 S 0 99820 3820 2952 S 0 66052 1536 1132 S 0 77448 1992 1264 S 0 11060 1432 0 0 0 0 0 0 9924 1472 5908 3804 672 432 968 S 980 S 528 S 344 S
24390 root 18 dailySummary.sh 24568 root syncConfigs.sh 26483 root 26486 root 26777 root 15 16 20 18
245m 8940 4636 S 9700 1228 1000 S 3784 424 360 S
27530 root 18 run_mobile_flow 27544 root 17
37-28
27545 root 28010 root 28014 root 29647 root 29651 root 30393 root 30591 root 30592 root awarecli.sh 30598 root 30657 root 30661 root 30863 root 30867 root 31105 root 31119 root awarecli.sh 31126 root
18 15 15 15 15 15 17 22 18 15 15 15 16 15 20 18
568m 243m 8744 S
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
0:58.31 java 0:00.49 sshd 0:00.05 bash 0:00.08 sshd 0:00.03 bash 0:00.01 mysql 0:00.00 su 0:00.00 0:00.05 clish 0:00.20 sshd 0:00.01 bash 0:00.06 sshd 0:00.06 bash 0:00.17 sshd 0:00.00 0:00.05 clish
0 99688 3812 2952 S 0 66160 1604 1180 S 0 98912 3828 2972 S 0 66176 1612 1176 S 0 77440 2008 1280 S 0 0 109m 1816 1388 S 8700 992 844 S
0 36292 3424 1324 S 0 99820 3816 2952 S 0 66188 1568 1160 S 0 99688 3828 2972 S 0 66176 1616 1188 S 0 98928 4376 3460 S 0 8700 992 844 S
0 36292 3448 1328 S
37.5
Monitoring a remote 9900 WNG Central and Detector using the BMC
The BMC can be used to monitor the 9900 WNG Central and Detector remotely. The BMC can monitor the status of the fan, system temperature, and the power being supplied to the device. Perform Procedure 37-2 to monitor a 9900 WNG Detector or Central remotely using the BMC.
37-29
Procedure 37-2 To monitor a 9900 WNG Detector or Central remotely using the BMC
1 Ensure that the following tasks are complete:
The BMC interface has been configured as described in Procedure 7-2. The IPMI management utility has been installed on the machine (Linux or Windows) from which you access the BMC.
Type:
showsel -N nodename -U admin -R password -l count
where nodename is the nodename or IP address of the BMC LAN interface password is the remote password for the specified nodename count is the number of recent events you want to view
In the following example, the showsel command displays the ten most recent events for the remote device with IP address 1.1.1.2 and remote password admin.
showsel -N 1.1.1.2 -U admin -R admin -l 10 0658 09/12/08 11:25:39 BMC 2 6f [a1 02 11] 0644 09/12/08 11:25:39 BMC 6f [a0 02 01] 0630 09/12/08 11:25:18 BMC 6f [a0 02 01] 061c 09/11/08 13:15:02 BMC 2 6f [a1 02 11] 0608 09/11/08 13:14:55 BMC 6f [a0 02 01] 05f4 08/31/08 15:07:56 BMC 0f ff] 05e0 08/31/08 15:07:56 BMC [41 0f ff] 05cc 08/31/08 15:07:56 BMC ff] 05b8 08/25/08 13:01:11 BMC 2 6f [a1 02 11] 05a4 08/25/08 12:19:46 BMC 2 6f [a1 02 11 2a Session Audit #0a Deactivated User 2a Session Audit #0a Activated User 2 2a Session Audit #0a Activated User 2 2a Session Audit #0a Deactivated User 2a Session Audit #0a Activated User 2 09 Power Unit #02 Not Redundant 0b [43 09 Power Unit #02 Redundancy Lost 0b 08 Power Supply #70 AC Lost 6f [43 0f 2a Session Audit #0a Deactivated User 2a Session Audit #0a Deactivated User
37-30
Displaying the health status of the 9900 WNG Detector or Central

Perform Procedure 37-3 to display the health status of the 9900 WNG Detector or Central remotely using the BMC.
Procedure 37-3 To display the health status of the 9900 WNG Detector or Central
1 Log in to one of the following: a b 2 9900 WNG Central, as described in Procedure 14-1 or 14-2. 9900 WNG Detector, as described in Procedure 14-3.
Display the status of the 9900 WNG Central or Detector by typing:

bmchealth -N nodename -U admin -R password
where nodename is the nodename or IP address of the BMC LAN interface password is the remote password for the specified nodename
In the following example, the bmchealth command is used to display the health status of the remote device with IP address 1.1.1.2 and remote password admin.
bmchealth -N 1.1.1.2 -U admin -R admin
bmchealth ver 1.9 Opening connection to node 1.1.1.2 ... BMC version 0.62, IPMI version 2.0 BMC manufacturer = 000157 (Intel), product = 0028 (S5000PAL) Power State Selftest status = 00 (S0: working)
= 0055 (OK)
Channel 1 Auth Types: MD5 Straight_Passwd Status = 04, OEM ID 000000 OEM Aux 00 bmchealth: completed successfully
Displaying the sensor status of the 9900 WNG Central or Detector

Perform Procedure 37-4 to display the sensor status of the 9900 WNG Central or Detector remotely using the BMC.
37-31
Procedure 37-4 To display the sensor status of the 9900 WNG Central or Detector
1 Log in to one of the following: a b 2 9900 WNG Central, as described in Procedure 14-1 or 14-2. 9900 WNG Detector, , as described in Procedure 14-3.
View the sensor status of the 9900 WNG Central or Detector by typing:
sensor -N nodename -U admin -R password
where nodename is the nodename or IP address of the BMC LAN interface password is the remote password for the specified nodename
In the following example, the sensor command is used to display the sensor status of the remote device with IP address 1.1.1.2 and remote password admin.
sensor -N 1.1.1.2 -U admin -R admin
sensor: version 1.53 Opening connection to node 135.112.180.71 ... -- BMC version 0.62, IPMI version 2.0 _ID_ SDR_Type_xx Sz Own Typ S_Num Sens_Description Reading 0001 SDR Full 01 37 20 a 02 snum 10 BB +1.1V Vtt Volts 0002 SDR Full 01 37 20 a 02 snum 12 BB +1.5V AUX Volts 0003 SDR Full 01 33 20 a 02 snum 13 BB +1.5V Volts 0004 SDR Full 01 33 20 a 02 snum 14 BB +1.8V Volts 0005 SDR Full 01 33 20 a 02 snum 15 BB +3.3V Volts 0006 SDR Full 01 37 20 a 02 snum 16 BB +3.3V STB Volts 0007 SDR Full 01 37 20 a 02 snum 17 BB +1.5V ESB Volts 0008 SDR Full 01 31 20 a 02 snum 18 BB +5V Volts 0009 SDR Full 01 36 20 a 02 snum 1a BB +12V AUX OK 11.84 Volts 000a SDR Full 01 33 20 a 02 snum 1b BB +0.9V Volts Hex & Interp = ae OK = bd OK = 72 OK = af OK = c4 OK = c5 OK = c0 OK = c1 OK = bf = be OK 0.91 1.10 1.47 1.48 1.79 3.37 3.39 1.50 5.02
37-32
000b SDR Full 01 39 20 a 01 snum 30 Baseboard Temp OK 33.00 degrees C
= 21
000c SDR Full 01 3b 20 a 01 snum 32 Front Panel Temp = 1e OK 30.00 degrees C 000d SDR Full 01 3b 20 a 01 snum 48 Mem Therm Margin = 00 OK degrees C 000e SDR Full 01 30 20 m 04 snum 50 Fan 1 OK 4896.00 RPM 000f SDR Full 01 30 20 m 04 snum 51 Fan 2 OK 4828.00 RPM 0010 SDR Full 01 31 20 m 04 snum 52 Fan 3A OK 9315.00 RPM 0011 SDR Full 01 31 20 m 04 snum 53 Fan 4A OK 9246.00 RPM 0012 SDR Full 01 31 20 m 04 snum 58 Fan 3B OK 7599.00 RPM = 90 = 8e = 87 = 86 = 95 0.00
37-33
37-34
38 System events
38.1 System events overview
38-2 38-2
38.2 License Violation system event 38.3 Link Down system event 38-3
38.4 Process Down system event 38.5 Process Start system event 38.6 CPU Usage system event 38.7 Disk Usage system event
38-3 38-4
38-4 38-4 38-5
38.8 Memory Usage system event 38.9 No Packet system event 38.10 Packet Drop system event
38-6 38-6 38-6
38.11 Line rate threshold system event 38.12 Queue Usage system event 38-7
38.13 Hardware Failure system event 38.14 Swap Usage system event 38-8
38-8
38-1
38 System events
38.1
System events overview

A 9900 WNG Central or Detector can generate system event notifications. System events that are generated on the 9900 WNG Detector are sent to the 9900 WNG Central, stored in the database, and displayed on the client GUI. Generated system events are also stored in a log file on the 9900 WNG Central. Most system events are also reported as SNMP traps. See chapter 19 for more information about SNMP. The following system resources are monitored:
CPU Utilization memory utilization disk utilizationtriggers database cleanup, if required swap space utilization external disk array processesProcess Down events for daemon processes are generated if a process is not running or stalled
Viewing system events

You can view system events using the GUI. The System View on the 9900 WNG Central GUI displays the system events that have occurred on the 9900 WNG system. You can view the most recent events from the Systems Events view or display past events based on specific criteria in the System History view. See chapter 26 for more information about viewing system events in the GUI.
System Event types

See the following sections for information about each type of system event:
License Violation system event Link Down system event Process Down system event Process Start system event CPU Usage system event Disk Usage system event Memory Usage system event
No Packet system event Packet Drop system event Line rate threshold system event Queue Usage system event Hardware Failure system event Swap Usage system event
38.2
License Violation system event

A license violation event is reported when one of the following conditions occurs:
The maximum number of sessions is exceeded The license has expired The license file is invalid (no license, license validity check failed, invalid hostid)
This event is reported on the 9900 WNG Central device.
38 System events
A license violation event can be cleared by obtaining a new license with the required capacity or obtaining license with an extended date See chapter 6 for more information about the license.
38.3
Link Down system event

Link Down system events are generated when key communication channels cannot be established. They are detected when a communication end point tries to read or write from the channel. The Link Down event is automatically cleared when the channel communication is reestablished. The system monitors the following types of communication channels:
AnomalyChannel (reported by the 9900 WNG Central and Detector) AwarenessChannel (reported by the 9900 WNG Central and Detector) SystemEventChannel (reported by the 9900 WNG Central) SNMPChannel (reported by the 9900 WNG Central) SysMonToSECChannel (reported by the 9900 WNG Central and Detector) CentralToSECChannel (reported by the 9900 WNG Central)
Clearing a Link Down event

You can use one of the following strategies to clear a Link Down system event:
When a Link Down event is generated for the anomaly or awareness channels,
both the 9900 WNG Detector and 9900 WNG Central report the event. You can use the log in 9900 WNG Central to investigate the cause of the event. For information about log files in 9900 WNG Central, see the chapter, Monitoring the 9900 WNG system. A Link Down event can be generated because of a physical link or router problem. If this is the suspected cause, investigate the physical link or the condition of the router. Ping the 9900 WNG Detector from the CLI to verify connectivity. A Link Down event can be generated because of a Process Down condition. For related information, see section 38.4. You can restart the process to clear the event. A Link Down event can indicate an issue with keys used for SSH communication. If this is the suspected cause, backup the detector configuration, delete the detector administratively, and then add it back.
38.4
Process Down system event

Process Down events are generated by the 9900 WNG Detector and Central to indicate that a process has stopped. Separate Process Down events are generated for the 9900 WNG Detector Central. The objectID field indicates the server on which the condition was detected. The value can be Central or the object ID of the 9900 WNG Detector.
38-3
38 System events
For a 9900 WNG Central, the SubobjectID can be one of the following:
CentralDthe central service/process on the 9900 WNG Central SNMPthe SNMP service/process on the 9900 WNG Central System Monitorthe system monitor service/process on the 9900 WNG Central MySQLthe MySQL service/process on the 9900 WNG Central Tomcat the Tomcat service/process on the 9900 WNG Central Compressionthe compression service/process on the 9900 WNG Central NTP daemonthe NTP daemon on the 9900 WNG Central
For a 9900 WNG Detector, the SubobjectID can be one of the following:
AwareDthe detector service/process on a 9900 WNG Detector System Monitorthe system monitor service/process on a 9900 WNG Detector System Event Reporterthe system event reporter service/process on a
9900 WNG Detector NTP daemonthe NTP daemon on the 9900 WNG Detector The event is cleared when the process restarts.
38.5
Process Start system event

Process Start events are generated by 9900 WNG Detector and Central daemons to indicate that a key daemon has restarted. This event is reported with a severity Info and does not clear automatically.
38.6
CPU Usage system event

A CPU usage event is generated when the CPU usage at WNG Central or a WNG Detector exceeds the threshold value. The 9900 WNG Detector and 9900 WNG Central devices report separate CPU usage events. This event is critical.
Note A 9900 WNG Detector can run with very high CPU consumption numbers.
A Critical event is generated when CPU usage is greater than or equal to 90% of capacity. The event is automatically cleared when usage is less than or equal to 80%.
38.7
Disk Usage system event

Table 38-1 lists when a critical Disk Usage event is generated.
38-4
38 System events Table 38-1 Disk Usage system event

Device 9900 WNG Central 9900 WNG Detector External disk array 95% 90% Generated 90% Cleared 80%
Disk usage is verified every 3 min. The objectID field indicates the machine on which the condition was detected. The SubobjectID specifies the disk partition. For the 9900 WNG Central, the SubobjectID can be one of the following partitions:
root partition /tmp partition /var partition /awaredb partition (for the database) /awaredb-ext (external disk array) /awared partition /dev/shm partition
For a 9900 WNG Detector device, the SubobjectID can be one of the following partitions:
root partition /tmp partition /var partition /aware partition
Exceptions for the 9900 WNG Central root partition

The root partition on the 9900 WNG Central machine hosts the reports (those you can see from the 9900 WNG webpage). Reports are not deleted automatically. When you see a Disk Usage High system event for the root partition, see section 39.2 to backup your reports to an external storage device such a USB stick or SCP to another machine. Then, delete old reports as necessary to free up disk space. For all the other partitions, if a Disk Usage High event persists for a long time, contact your Alcatel-Lucent technical support representative to investigate and rectify the problem.
38.8
Memory Usage system event

A separate Memory Usage event is generated for the 9900 WNG Central and each Detector. Memory usage is checked every 60 s. The objectID field reports the device on which the condition was detected. Table 38-2 lists when a Memory usage system event is generated and cleared.
38-5
38 System events Table 38-2 Memory usage system event

Device 9900 WNG Central 9900 WNG Detector Generated 97% 98% Cleared 92% 93%
38.9
No Packet system event

A No Packet event is generated when no packets are received at the Packet Capture Card ports during a 60-s interval. This event indicates a possible issue with the packet capture card connections or tapping point. When this event is reported, verify the following;
The packet capture cards are properly connected The tapping points are properly installed.
If the packet capture cards are properly connected and the tapping points are properly installed, contact your Alcatel-Lucent technical support representative.
38.10
Packet Drop system event

Packet Drop event is generated when 1000 packets are lost in a 5-minute interval. A Packet Drop event indicates that packets are being dropped from the packet capture card interface and are not being processed. The ObjectID field indicates the 9900 WNG Detector device on where this condition was detected. This event indicates that the 9900 WNG Detector processing cannot keep up with incoming rate of packets. If traffic is too high for a single Detector, the system might need an additional 9900 WNG Detector. For information about how to clear this event, contact your Alcatel-Lucent technical support representative.
38.11
Line rate threshold system event

Table 38-3 describes when the Line rate threshold system event is generated and cleared.
38-6
38 System events Table 38-3 Line rate threshold system event

Generated When the traffic feed input is greater than or equal to: Cleared When the traffic feed input rate drops less than or equal to:
950 Mbits/s for the 1G card 3900 Mbits/sec for the 10G card
900 Mbits/s for the 1G card 3750 Mbits/s for the 10G card
The event indicates that there is a high probability that packets are being dropped. When the transmitting rate for the 9900 WNG Detector is greater than or equal to 30 MBits/s or receiving rate for the 9900 WNG Central is greater than or equal to 40 Mbits/s When the transmitting rate for the 9900 WNG Detector and the receiving rate for the 9900 WNG Central is equal to or less than 15 Mbits/s
The objectId field reports whether the detected problem was for the 9900 WNG Central or Detector (central or detector). The subobjectId can be one of the following:
PortA PortB PortC
PortD BACKHAULRCV BACKHAULXMIT
38.12
Queue Usage system event

A Queue Usage event is generated when any of the queue or pool usage reaches 75% of thresholds. This event is applicable only on 9900 WNG Detectors. The reported value for the SubObject IDs field can be one of the following values:
MIP Memory Pool Signaling Attack Pool Detector Traffic Update Pool RNC Overload Pool Battery Attack Pool Vertical Portscan Pool Horizontal Portscan Pool Always Active Subscriber Pool High Usage Subscriber Pool Unwanted Source Pool P2P Mobile RNC Load Status Pool PDSN Traffic Update Pool HA Traffic Update Pool Radius Session Update Pool
MIP Session Update Pool Connection Record Pool Mobile Flow Record Pool Anomaly Queue Awareness Queue SystemEvent Queue Syslog Queue Battery Attack Distributed Pool Flood Mobile Single Pool Flood Mobile Distributed Pool High Signaling Abuse Pool Router Discovery Abuse Pool All Session Update Pool UMTS Session Update Pool
38-7
38 System events
Queue usage events are cleared when the usage goes below factory configured thresholds. For the 9900 WNG Detector, it is cleared automatically when the pool usage is less than or equal to 60% of the capacity.
When the reported SubObject ID is ANOMALYQ, AWARENESSQ, or

SYSTEMEVENTQ, check if the 9900 WNG Central is overloaded.
Use the show eventrate anomalyEvents CLI command for controlling the event
rate of anomaly events. Use the show eventrate awarenessEvents CLI command for controlling the event rate of awareness events. If the pools are in high usage, contact your Alcatel-Lucent technical support representative to determine if pool sizes can be increased, within memory constraints.
38.13
Hardware Failure system event

The critical Hardware Failure system event is generated for the 9900 WNG Central when there is a failure in external disk array. The system event indicates that a disk should be replaced. The sub-object instance value for this event is EXTARRAY.
38.14
Swap Usage system event

A Swap Usage event generated when the swap utilization is greater than or equal to 50%. The event is cleared when the swap utilization is less than or equal to 10%.
38-8
Database administration
39-1
39.1 Backup and restore overview
39-2 39-4 39-5 39-7 39-7
39.2 Backing up 9900 WNG Central files 39.3 Restoring 9900 WNG Central files 39.4 Backing up 9900 WNG Detector files 39.5 Restoring 9900 WNG Detector files
39-1
39.1
Backup and restore overview

You can backup and restore the database for a 9900 WNG system using CLI commands. There are two types of backups, and the type of backup performed depends on the category of files you need to back up. The types of backups are:
archive backups, which erase the original files that are being backed up after they
have been successfully stored in an archive system backups, which store system files but the original files are not erased Table 39-1 describes the categories of files that you can back up and the type of backup that is performed for each category.
Table 39-1 Backup file types
File type Description Backup type
9900 WNG Central files All Configuration License Log Report

(1)
All 9900 WNG Central files. The backup includes configuration, system, license, log, report, and security files. 9900 WNG Central configuration files and stored 9900 WNG Detector backup files 9900 WNG Central license files. See chapter 6 for more information about license files. 9900 WNG Central activity log files 9900 WNG Central raw data files that are used to create reports 9900 WNG Central security records, user data, and passwords 9900 WNG Central system database files
System System System Archive Archive System System
Security System
9900 WNG Detector files Detector All 9900 WNG Detector files. 9900 WNG Detector backup files are stored on the 9900 WNG Central. System
Note
(1)
You can perform an incremental backup of report data, which archives information from the reports database that has changed since the last backup was performed. See Procedure 39-1 for more information.
Recommended frequency of full database backups

System Administrators should perform regular backups to prevent loss of data. Loss of data can be caused by the following:
system failures accidental file removal malicious user activity hardware failures; see section 38.13 for information about Hardware Failure system events errors during installation of system upgrades or updates
39-2
Alcatel-Lucent recommends that you perform full database backups as part of regular maintenance. To preserve your data, full backups should be performed before the following tasks:
applying software updates generic retrofits Restoring backup data

You can use the restore command to restore backup data. The 9900 WNG restoration process can copy backup files to the original location, or to a location that you specify. The restore files overwrite the existing files. See section 39.3 for information about restoring 9900 WNG Central files. See section 39.5 for information about restoring 9900 WNG Detector files.
Location of backup and restore files

Backup and restore tasks are performed using the CLI. Backup files are saved to a USB drive or a specified SCP location, except for 9900 WNG Detector backups; the 9900 WNG Detector backup data is stored on the 9900 WNG Central server, but a *.tar.gz file is not created. When you use SCP, you may be prompted for a password before you can use the target directory. When you use USB, you are prompted to eject the USB drive when the backup is complete.
Accessing SCP locations

When you backup to, or restore from, a remote location accessed using SCP, you may be prompted for a password. You can eliminate the need to enter a password each time you access the SCP location by registering your public key with the remote system. Depending on the configuration of the remote location, you may be able to add the public key of your 9900 WNG Central CLI login account to the list of authorized keys at the remote location. You can view the public key for your account by using the show publickey command. See section 12.3 for more information about using the show publickey command.
Backup filename format

Backup filenames have the following format: timestamp-backup type.tar.gz where timestamp is in MMDDYYhhmm format backup type is the type of backup. The backup types are:
config security license db
logs reports all
39-3
39.2
Backing up 9900 WNG Central files

You can back up files on the 9900 WNG Central to a USB device or a location specified using SCP, such as an external disk array. You can also perform an incremental backup of the reports database. Procedure 39-1 describes how to perform a backup of 9900 WNG Central files.
Procedure 39-1 To back up 9900 WNG Central files

Note The first time you perform a backup on a 9900 WNG Central, you are prompted to accept an RSA key for the device. Accept the key to continue the backup procedure.
1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Perform a backup by typing:
backup file_type location_type location
where file_type is the type of file you need to back up; Table 39-2 describes the file type command options location_type is USB or SCP location is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.
Table 39-2 Backup command file type options

Option all config db license logs reports security Files affected 9900 WNG Central configuration, system, license, log, report, and security files Configuration files System database files License files Log files Raw data files that are used to create reports Security files
A backup file is created in the specified location.
39-4
Incremental backups of the reports database

You can perform an incremental backup of the reports database, which backs up the changes made to the reports database since the last time you performed a backup. You cannot perform an incremental backup unless a backup has been performed in the last 30 days. Procedure 39-2 describes how to perform an incremental backup.
Procedure 39-2 To perform an incremental backup of the reports database

1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Perform an incremental backup by typing:
backup incremental location_type location
where location_type is USB or SCP location is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.
39.3
Restoring 9900 WNG Central files

You can restore 9900 WNG Central files from a backup archive on a USB device or at an SCP location, and restore a reports database that has been backed up in increments. Procedure 39-3 describes how to restore files.
Procedure 39-3 To restore 9900 WNG Central files

Caution Restoring system database files causes the 9900 WNG Central device to restart automatically.
1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Restore the files from a backup archive by typing:
restore file_type location_type location
where file_type is the type of file you need to restore; Table 39-3 describes the file type command options location_type is USB or SCP location is the filename or SCP location of the backup file. If the SCP location requires a password, you are prompted to enter the password.
39-5
39 Backup and restore Table 39-3 Restore command file type options
Option all
(1)
Files affected 9900 WNG Central configuration, system, license, log, report, and security files Configuration files System database files License files Log files Raw data files that are used to create reports Security files
config db
(1)
license logs reports security
Note
(1)
When you restore files of this type, the 9900 WNG Central device restarts.
The files in the specified backup file are restored.
Incrementally restoring report database files

You can restore report database files that have been backed up in increments. You must first restore the full reports database backup, and then restore the increments, beginning with the oldest increment. Procedure 39-4 describes how to restore reports database increments.
Procedure 39-4 To restore reports database increments

1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Restore the primary reports database backup by typing:
restore reports location_type location
where location_type is USB or SCP location is the filename or SCP location of the backup file
Restore the first, oldest backup increment by typing:

restore reports location_type location
where location_type is USB or SCP location is the filename or SCP location of the incremental backup file
Repeat step 3 for each increment, from the oldest file to the newest. The report files are restored.
39-6
39.4
Backing up 9900 WNG Detector files

You can back up the files on a 9900 WNG Detector to the 9900 WNG Central. The backup files are stored on the 9900 WNG Central. Perform Procedure 39-5 to backup a 9900 WNG Detector.
Procedure 39-5 To backup a 9900 WNG Detector

1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Type:
backup detector detector-id
where detector-id is the name of the 9900 WNG Detector for the backup
39.5
Restoring 9900 WNG Detector files

You can restore the files on a 9900 WNG Detector from the 9900 WNG Central. Procedure 39-6 describes how to restore a 9900 WNG Detector.
Procedure 39-6 To restore a 9900 WNG Detector

Caution Restoring a 9900 WNG Detector restarts the device automatically.
1 2 Log into the CLI with the sudo privilege, as described in Procedure 14-1 or 14-2. Restore a 9900 WNG Detector by typing:
restore detector detector-id
where detector-id is the name of the 9900 WNG detector to restore
The backed up files are restored on the specified 9900 WNG Detector.
39-7
39-8
Glossary
Numerics
1xRTT 2.5G 2G One times the number of 1.25 MHz channels for wireless radio transmission technology that is used in CDMA cellular networks. See GPRS. second generation Second generation of wireless telephone technology. 3G third generation Third generation of mobile standards and technology. 3GPP 3rd Generation Partnership Project The joint standardization partnership responsible for standardizing UMTS, HSPA, and LTE. 4G fourth generation Fourth generation of mobile standards and technology. 9900 WNG 9900 Wireless Network Guardian The 9900 WNG is a GUI-based system that is designed to manage data flows, and monitor network activities and demands for network resources. 9900 WNG Central 9900 Wireless Network Guardian Central The component of the 9900 WNG that is deployed in a network or security operations centre.
GL-1
Glossary
9900 WNG Detector
9900 Wireless Network Guardian Detector A NEBS-3 and ETSI certified product that is suitable for many applications in the Telecom Central Office and industrial environment.
A
A11 interface AAA The A11 interface is used to carry signaling information between the PDSN and the PCF. authentication, authorization, and accounting The functions of security-based protocols, such as RADIUS, to provide secure communications. AC alternating current AC refers to the 120 V electricity delivered by the local power utility to the 3-pin power outlet in a wall. The polarity of the current alternates between positive and negative, 60 times each second. See also DC. ano ANSI anomaly American National Standards Institute Nonprofit, nongovernmental body supported by over 1000 trade organizations, professional societies, and companies; ANSI was established for the creation of voluntary industry standards. ARIN American Registry for Internet Numbers ARIN manages the distribution of Internet number resources, such as IPv4 and IPv6 addresses. AWG American Wire Gauge U.S. standard set of conductor sizes for copper electrical wiring and telephone wiring, where gauge refers to the diameter of the wire. Telephone wire is usually 22, 24, or 26. The higher the gauge wire, the smaller the diameter and the thinner the wire.
B
BMC baseboard management controller A BMC is a specialized microcontroller that is on the motherboard of a computer, usually a server. The BMC manages the interface between the system management software and the platform hardware. BTS base transceiver station
GL-2
Glossary
C
Cat5e category 5 cable enhanced Cat5e has 100 impedance and electrical characteristics that support transmissions up to 100 MHz. Cat5e was designed for high-speed GigE. CBN CDMA common bonding network code-division multiple access CDMA refers to 2G and 3G wireless communications. CDMA is a type of multiplexing that allows many signals to occupy a transmission channel. The transmission channel optimizes the available bandwidth. CDMA is used in UHF cellular telephone systems that have 800-MHz and 1.9-GHz bands. CLEI CLI Common Language Equipment Identification command line interface A workstation access method interface that uses CLI commands to communicate with any NE in the network CRU customer replaceable units CRUs are components that can be removed and replaced by service provider personnel without technical assistance or special training from Alcatel-Lucent. CSA Canadian Standards Organization The CSA is the nonprofit Canadian agency that certifies electrical and electronic products that conform to Canadian national safety standards.
D
DC direct current DC is an electric current that flows in one direction only. See also AC. DoS denial of service A type of attack on a network that involves flooding the network with dummy data packets to render the network incapable of transmitting legitimate traffic.
E
EIA Electronic Industries Association A group that specifies electrical transmission standards. For EIA-spaced equipment racks, 1 RU equals 1.75 in. (4.45 cm).
Alcatel-Lucent 9900 Wireless Network Guardian, Release 2.1 July 2010 3HE 06049 AAAA TQZZA GL-3
Glossary
EMS
element management system An application that manages one or more NEs.
ESD ETSI
electrostatic discharge European Telecommunications Standards Institute Established to produce telecommunication standards integration in the European community for users, manufacturers, suppliers, and Post Telephone and Telegraph administration. See also ANSI.
EV-DO rev 0 EV-DO rev A
EV-DO rev 0 provides access to mobile devices with forward link air interface speeds of up to 2.4 Mb/s. EV-DO rev A is a 3G CDMA technology that is an upgrade of EV-DO. Rev A has faster downlink speeds than EV-DO Rev 0, at 3.1 Mb/s, and faster uplink speeds of 1.8 Mb/s.
F
FCAPS FCAPS is the acronym for a broad categorization of network and service management activities that includes:

FIPS
fault management configuration management accounting/administration management performance management security management
federal information processing standards A set of standards issued by the U.S. National Institute of Standards and Technology.
FTP
File Transfer Protocol FTP is the Internet standard client-server protocol to transfer files from one computer to another computer. FTP generally runs over TCP or UDP.
G
GGSN Gateway GPRS Service Node GGSN provides network access to external hosts that need to communicate with mobile subscribers. GGSN is the gateway between the GPRS wireless data network and other external PDNs such as radio networks, IP networks, or private networks.
GL-4
Glossary
GigE
Gigabit Ethernet An Ethernet interface with a peak data rate of 1000 Mb/s.
GPRS
General Packet Radio Service A mobile data service extension to the GSM system. Also called 2.5G.
GSM
Global System of Mobile communications GSM is a type of 2G network.
GTP-C
GTP-Control plane This protocol tunnels signalling messages between:

GTP-U
SGN and MME over the S3 interface SGSN and SGW over the S4 interface SGW and PGW over the S5/S8 interface MMEs over the S10 interface
GTP-User plane This protocol tunnels user data between the Node B and the S-GW, as well as between the S-GW and the P-GW in the backbone network. GTP encapsulates all end-user IP packets.
H
HA HDD HSPA HTTPS home agent hard disk drive high-speed packet access HTTPS is HTTP over SSL, which uses a public and private key encryption system, including the use of a digital certificate for secure transfer of web messages.
I
I I2M IEC IEEE Internet Internet to mobile International Electrotechnical Commission Institute of Electrical and Electronics Engineers The IEEE is a worldwide engineering publishing and standards-making body. It is the organization responsible for defining many of the standards used in the computer, electrical, and electronics industries.
GL-5
Glossary
IPMI
intelligent platform management interface IPMI is a standard, which defines a set of common interfaces for a computer system that system administrators can use to monitor the health of the system and manage the system. IPMI operates independently of the operating system and therefore allows system administrators to remotely manage a system remotely. The system can be managed if there is no operating system or system management software, or if the monitored system is powered off, but connected to a power source.
IPv4
Internet protocol version 4 The version of IP in use since the 1970s. IPv4 addresses are 32 bits. IPv4 headers vary in length and are at least 20 bytes.
IPv6
Internet protocol version 6 The version of IP that succeeds IPv4. IPv6 addresses are 128 bits. IPv6 headers are 40 bytes.
J
JRE Java Runtime Environment
K
Keps nut KPI A Keps nut is a nut that has an attached, free-spinning washer. key performance indicator
L
LMT local management terminal An LMT has all of the required functions to locally operate an HMS-based NE. LOM lights-out management LOM is IPMI implemented by Apple. LTE Long Term Evolution LTE is a standard for wireless mobile broadband networks. LTE networks can offer higher data throughput to mobile terminals than other technologies. LTE is the accepted evolution path for GSM, WCDMA, and CDMA networks. LTE is developed and maintained by the 3GPP standards body.
M
M
GL-6
mobile
Glossary
M2I M2M MD5
mobile to Internet mobile to mobile message digest 5 MD5 is a security algorithm that takes an input message of arbitrary length and produces as an output a 128-bit message digest of the input. MD5 is intended for digital signature applications, where a large file must be compressed securely before being encrypted.
MIB
management information base A formal description of a set of network objects that can be managed using SNMP.
MIP MME MMF
mobile IP mobility management entity multimode fiber
N
NAI network access identifier An NAI is the subscriber identity in a 3GPP2 CDMA network. NE NE can be expanded two ways: 1 network element A physical device, such as a router, switch, or bridge, that participates in a network. 2 network An access level for the GUI role. NEBS Network Equipment Building Standards The requirement for equipment deployed in a central office environment. Covers spatial, hardware, craftsperson interface, thermal, fire resistance, handling and transportation, earthquake and vibration, airborne contaminants, grounding, acoustical noise, illumination, electromagnetic compatibility, and electrostatic discharge requirements. NEBS-3 Network Equipment Building Standards level 3 NEBS-3 is a Bellcore standard that has specifications for fire suppression, thermal margin testing, vibration resistance (earthquakes), airflow patterns, acoustic limits, failover and partial operational requirements (such as chassis fan failures), failure severity levels, RF emissions and tolerances, and testing/certification requirements.
GL-7
Glossary
NFPA
National Fire Protection Association A nonprofit organization that develops and publishes codes and standards to reduce the risk of fires.
NIC NMS
network interface card network management system An NMS is a system that manages at least part of a network. An NMS is generally a reasonably powerful and well-equipped computer such as an engineering workstation that communicates with agents to help keep track of network statistics and resources.
NOC
network operations center
O
OID Object Identifier Each object in the MIB has an OID value. The management station uses the OID to request the object value from the SNMP agent. An OID is a sequence of integers that uniquely identifies a managed object. The OID defines a path to the object through an OID tree or registration tree. OS operating system
P
PCF PDSN PGW PTS Packet Control Function public data switched network packet data network gateway pseudo terminal
R
RADIUS remote authentication dial-in user service An AAA protocol for applications that allows remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share. An organization can set up a policy that can be applied at a single administered network point. RNC radio network controller An RNC controls radio resource management in the radio access networks of UMTSs
GL-8
Glossary
ROI RPM
return on investment Red Hat Linux Package Manager RPM is a core component of the Red Hat Enterprise Linux Operating System.
RSA
Rivest, Shamir, and Adleman algorithm An-FIPS approved algorithm to generate and verify digital signatures.
RTSP
real time streaming protocol RTSP is used to control streaming media servers by establishing and controlling media sessions between endpoints.
RTT
Round-Trip Time The time required for a packet to travel from a source computer to a remote computer or system and back.
S
SAI Service Area Interface An outdoor telecommunications cabinet in which twisted pair wires connect with feeder cables for routing to a central office or remote switch. SAS SCP Serial Attached SCSI secure copy protocol A method of securely transferring files between hosts, based on the SSH protocol. SCSI small computer system interface An SCSI is a set of standards, that specify the commands, protocols, and electrical an optical interfaces, to physically connect and transfer data between computers and peripheral devices. SEMS SFP SGSN SGW SNMP Sealed Expansion Module Shelf Small Form Factor Pluggable Serving GPRS Service Node serving gateway simple network management protocol A protocol used for the transport of network management information between a network manager and an NE. SNMP is the most commonly used standard for most interworking devices.
GL-9
Glossary
SSH
secure shell The SSH protocol is used to support secure remote login. SSH runs over TCP, authenticating and then encrypting a session. SSH is a secure alternative to Telnet but can also be used for FTP, SNMP, and remote execution of programs.
SSL
secure socket layer A protocol that provides endpoint authentication and communications privacy over the Internet using cryptography. The SSL is layered beneath application protocols such as HTTP, Telnet, and FTP, and is layered above TCP. The SSL can add security to any protocol that uses TCP.
subs sudo
subscriber superuser do The account in the CLI that has the highest level of privileges.
T
TCP transmission control protocol A transport layer protocol that is used to establish connections and send data between computers over the Internet. TCP runs on top of IP. Telnet TIA The Internet-standard TCP/IP for remote login service. Telnet allows a user at one site to interact with a remote system at another site. Telecommunications Industry Association
U
UDP User Datagram Protocol A minimal transport protocol above the IP network layer that does not guarantee datagram delivery. UDP is for applications that do not require the level of service that TCP provides or need to use communications services, such as multicast or broadcast delivery, which are not available in TCP. UHF UMTS ultra-high frequency Universal Mobile Telecommunications System UMTS is the technology for 3G mobile services. In addition to voice and video telephony services, UMTS supports data transfer rates up to 144 kb/s in a rural environment and 2 Mb/s in an indoor environment.
GL-10
Glossary
UNI
user-network interface UNI is an interface point between ATM end users and a private ATM switch, or between a private ATM switch and the public carrier ATM network. UNI is defined by physical and protocol specifications per ATM Forum UNI documents. UNI is the standard adopted by the ATM Forum to define connections between users or end stations and a local ATM network switch.
USB
Universal Serial Bus A serial bus standard that provides an interface to other USB devices that can be connected.
USM
user-based security model
V
VACM view-based access control model SNMP v3 view-based access control model that defines the elements of the procedure for controlling access to management information. VLAN virtual local area network A VLAN is a logical group of NEs that may be on the same physical network segment. The NEs share the same IP network number. VLAN specifications are in IEEE 802.1Q. VRTN virtual real-time network
W
WCDMA Wideband Code Division Multiple Access WCDMA is an air interface standard for 3G mobile networks. whitelisted subnet WiMAX A subnet from which traffic is ignored by the 9900 WNG. Worldwide Interoperability for Microwave Access WiMAX is a protocol that provides fixed and fully mobile Internet access. WSDL WSP Web Services Description Language wireless service provider
Y
Yum Yum is a software package manager tool that is used to install, update, and remove packages and their dependencies on RPM-based systems.
GL-11
Glossary
GL-12
Index
Numbers
9900 Wireless Network Guardian; See 9900 WNG 9900 WNG, 10-2 9900 WNG Central web page, 17-2 Central, 10-6 components, 1-2, 10-4 Detector, 10-6 external user interfaces, 10-7 features, 11-2 hardware, 1-5 in a CDMA network, 10-5 in a UMTS environment, 10-5 in a wireless network, 10-4 key benefits, 10-3 key functions, 10-2 license, 6-2 planning, 2-2 regulatory specifications, 3-6 safety hazards, 3-2 software, 1-6 software repositories, 9-3 software upgrades, 9-2 system architecture, 10-2 user accounts, 36-2 user interfaces, 13-2
9900 WNG Central adding entries to application map tables, 12-16 changing modes in CLI, 14-8 changing to 9900 WNG Detector, 14-9 changing to 9900 WNG Detector and modes, 14-10 configuring anomaly alerts, 19-11 configuring as the software repository, 9-4 configuring congestion alerts, 19-11 configuring for the first time, 7-5 configuring SNMPv1/v2c, 19-3 configuring SNMPv3, 19-5 configuring trend alerts, 19-11 dashboard, 16-6, 21-2 deleting SNMP communities, 19-10 deleting SNMP hosts, 19-11 deleting SNMP server IP addresses, 19-10 deleting SNMP views, 19-11 displaying health, 37-31 displaying sensor status, 37-31 enabling security event manager feed, 12-20 exceptions for the root partition, 38-5 external ports, 4-18 generating public keys, 12-21 hardware, 1-6 inputs and outputs, 33-5 installing, 4-2
IN-1
Index 9900 WNG Central (continued) 9900 WNG Detector
loading saved login banners, 12-21 logging in to CLI from GUI, 14-7 logging in to CLI using SSH, 14-6 mandatory configuration procedures, 7-2 monitoring, 37-2 monitoring using BMC, 37-30 obtaining host identifier, 6-3 optional configuration procedures, 12-16 ordering CRUs, 8-2 planning, 2-2 powering down, 5-3 powering down using BMC, 5-5 powering up, 5-2 powering up using BMC, 5-5 replacing hard disk drive, 8-4 replacing power supply, 8-3 resetting using BMC, 5-5 SNMP, 19-2 software upgrades, 9-2 updating SNMP agent contact, 19-9 updating SNMP location information, 19-9 upgrading software using a USB, 9-8 upgrading software using the 9900 WNG Central repository, 9-6 upgrading software using the external software repository, 9-7 9900 WNG Central web page, 17-2 accessing, 17-2 changing your password, 36-6 9900 WNG Centralr inputs and outputs, 33-3 9900 WNG Detector adding, 12-14 backing up, 39-4 backing up files, 39-7 changing modes in CLI, 14-8 changing to 9900 WNG Central, 14-9 changing to 9900 WNG Central and modes, 14-10 configuring for the first time, 7-6 configuring RNC load threshold, 12-4 configuring RNC-to-PCF IP address mapping, 12-4 configuring UMTS RNC-to-SAI mapping threshold, 12-5
IN-2
copying configuration files, 12-15 deleting, 12-16 deployment mode, 12-2 disabling reporting of anomaly events, 12-11 displaying health, 37-31 displaying sensor status, 37-31 estimating number needed, 2-5 external ports, 4-18 hardware, 1-5 inputs and outputs, 33-3, 33-5 installing, 4-2 location, 2-6 logging in to CLI, 14-8 mandatory configuration procedures, 7-2 modifying anomaly event throttle rates, 12-8 modifying mobile dormancy timeout values, 12-9 monitoring, 37-2 monitoring using BMC, 37-30 optional configuration procedures, 12-2 ordering CRUs, 8-2 planning, 2-3 powering down, 5-5 powering down using BMC, 5-5 powering up, 5-4 powering up using BMC, 5-5 replacing hard disk drive, 8-4 replacing power supply, 8-3 resetting using BMC, 5-5 restoring, 39-7 restoring files, 39-7 software upgrades, 9-2 specifying intensity levels for anomaly events, 12-13 specifying IP addresses for whitelists, 12-8 specifying mobile IP address ranges, 12-7 specifying VLANs, 12-10 upgrading software using a USB, 9-8 upgrading software using the 9900 WNG Central repository, 9-6 upgrading software using the external software repository, 9-7
Index 9900 WNG EMS BMC
9900 WNG EMS installing, 15-2 system requirements, 15-2 9900 WNG GUI; See GUI
A
abusive subscriber events, 33-17 AC power requirements, 4-3 AC power supply, 2-13 access privileges; See privileges access roles; See roles accessing 9900 WNG Central web page, 17-2 accounts creating, 20-3 deleting SNMP, 19-8 accounts; See user accounts Active Reports tab Subscriber view, 29-3 always-active subscriber events, 33-19 anomaly alerts configuring, 19-11 anomaly event throttle rates modifying, 12-8 Anomaly Events filtering, 22-8 anomaly events investigating, 33-5 specifying threshold, 33-21 unwanted source, 33-16 Anomaly Events tab, 29-11 in subscriber reports, 29-11 Anomaly Events view, 22-5 anomaly types, 22-7 components, 22-6 Event Details panel, 22-7 filtering events, 22-8 opening Mobile Flow view from, 22-9 operations, 22-9 working in, 22-9 Anomaly History view, 22-12 components, 22-12 filtering, 22-12
anomaly types in Anomaly Events view, 22-7 API; See Motive API application browser-based reports, 31-36 Application Comparison Table report, 31-36 application map tables adding entries, 12-16 application reports, 31-36 application choosers, 31-41 application filters, 31-41 configuring, 31-40 fields in, 31-40 parameters, 31-40 axes in Dashboard View charts, 21-9
B
backing up, 39-2 9900 WNG Detector, 39-4 configuration files, 39-4 full database, 39-4 full system, 39-4 license files, 39-4 log files, 39-4 reports, 39-4 security files, 39-4 system files, 39-4 backup data restoring, 39-3 battery attacks, 33-8 Billing Discrepancy report, 31-34 Billing tab, 29-15 in subscriber reports, 29-15 BMC, 13-2, 18-2 monitoring 9900 WNG Central, 37-30 monitoring 9900 WNG Detector, 37-30 powering down 9900 WNG Central, 5-5 powering down 9900 WNG Detector, 5-5 powering up 9900 WNG Central, 5-5 powering up 9900 WNG Detector, 5-5 resetting 9900 WNG Central, 5-5 resetting 9900 WNG Detector, 5-5
IN-3
Index browser-based reports CLI
browser-based reports application, 31-36 CDF charts, 30-9 considerations for early-morning queries, 30-6 controls, 30-4 device, 31-41 export icons, 30-12 exporting, 30-12 exporting to CSV file, 30-13 exporting to Excel, 30-13 filters, 30-4 generating, 30-2 hop, 31-25 input parameters page, 30-3 lag period, 30-5 legacy reports, 30-2 navigation icons in, 30-6 network elements, 31-10 network resource usage, 31-2 network statistics, 31-5 pie charts, 30-10 presentation page, 30-6 security, 31-28 stacked area charts, 30-8 subscriber, 31-29 tables, 30-11 time parameters, 30-4 time zones, 30-5 time-series charts, 30-7 tool tips in, 30-6 troubleshooting, 31-47 types, 30-7
C
cables connecting, 4-17 calendar and time widget in GUI, 16-7 calendar widgets, 30-5 CDF charts in browser-based reports, 30-9 CDMA network threat detection, 33-2
Cell comparison table (CDMA) report, 31-10, 31-11 Cell cumulative dist. (CDMA; session & perf) report, 31-14 Cell cumulative dist. (CDMA; traffic) report, 31-14 Cell cumulative dist. (UMTS; session & perf) report, 31-15 Cell cumulative dist. (UMTS; traffic) report, 31-15 Cell multi-element time-trend table (CDMA) report, 31-13 Cell multi-element time-trend table (UMTS) report, 31-13 Cell time plot (sessions and performances) report, 31-12 Cell time plot (traffic) report, 31-11 cells displaying in Network Graph view, 24-9 Central dashboard, 16-6, 21-2 Central web page, 13-2 Central web page; See 9900 WNG Central web page Central; See 9900 WNG Central chart display properties configuring in Dashboard View, 21-12 in Dashboard View, 21-12 right-click options, 21-12 CLEI labels, 8-4 CLI, 13-2, 14-2 See also CLI commands changing modes, 14-8 changing target servers, 14-9 changing target servers and modes, 14-10 logging in to 9900 WNG Central from GUI, 14-7 logging in to 9900 WNG Central using SSH, 14-6 logging in to 9900 WNG Detector, 14-8 managing user accounts, 36-4 measuring performance, 37-12 modes, 14-3 monitoring user accounts, 36-10 navigation tips, 14-12 privileges, 14-3
IN-4
Index CLI (continued) database
prompts, 14-5 role, 36-2 roles, 14-3 shortcuts, 14-13 timeouts, 14-5 viewing log files, 37-3 CLI commands, 14-14 See also CLI backing up, 39-2 Motive API, 20-4 restoring, 39-2 show backhaul, 37-18 show compressionStatus, 37-18 show memory, 37-16 show stats, 37-13 show system, 37-17 show top, 37-18 software upgrades, 9-2 syntax, 14-12 CLI prompts, 14-5 CLI role, 36-2 creating, 36-5 CLI view, 28-2 opening from GUI, 28-2 commands SNMP, 19-12 components GUI, 16-2 in Anomaly Events view, 22-6 in Mobile Flow record, 27-3 in Network Graph view, 24-7 in Performance Events view, 22-10 in subscriber reports, 29-7 in Subscriber view, 29-3 in System Events view, 26-3 configuration files backing up, 39-4 copying, 12-15 restoring, 39-5 configuration procedures; See optional configuration procedures, mandatory configuration procedures
configuring chart display properties in Dashboard View, 21-12 Dashboard View intensity preferences, 21-10 congestion alerts configuring, 19-11 connecting cables, 4-17 connections, 4-17 controls Dashboard View, 21-8 Dashboard View axes, 21-9 Dashboard View element display, 21-9 CPU Usage system event, 38-4 CRUs replacing, 8-2 CSV file exporting browser-based reports to, 30-13 Cumulative Resources chart in Flow/Session tab, 29-14
D
daily summarization process and browserbased reports, 30-6 Dashboard View chart display properties, 21-12 components, 21-2 configuring optional properties for element charts, 21-11 element icons, 21-4 elements, 21-4 features, 21-2 plotting elements in, 21-5 Dashboard View elements moving to a new dashboard, 21-13 dashboards moving elements, 21-13 data retrieval settings preferences in GUI, 16-9 database backing up, 39-4 restoring, 39-5
IN-5
Index DC external ports
DC power requirements, 4-4 DC power supply, 2-13 deployment mode specifying, 12-2 deployment options Northbound of a PDSN, 2-8 Southbound of an HA, 2-7 Detector time plot (sessions and events) report, 31-7 Detector time plot (traffic) report, 31-6 Detector; See 9900 WNG Detector device browser-based reports, 31-41 device details in Mobile Flow view, 27-7 device reports, 31-41 fields in, 31-46 manufacturer versus models, 31-47 parameters, 31-46 Disk Usage system event, 38-4 distributed battery attacks, 33-9 distributed mobile floods, 33-12
E
Element Tables naming conventions for provisioning, 24-11 provisioning NE groups, 24-11 provisioning operations, 24-11 searching for NEs, 24-12 Element Tables view in Topology view, 24-2 right-click operations, 24-6 sort function, 24-6 working in, 24-5 elements plots in Dashboard View, 21-5 maximum number of, 21-5 procedures, 21-5 EMS GUI:See GUI environmental requirements, 2-15
Event Details panel Anomaly Events view, 22-7 in Mobile Flow, 27-5 event types network usage reports, 31-5 events abusive subscriber, 33-17 always-active subscriber, 33-19 battery attacks, 33-8 distributed battery attacks, 33-9 distributed mobile floods, 33-12 high signaling subscriber, 33-18 high-usage subscriber, 33-17 horizontal port scans, 33-14 ICMP router discovery abuses, 33-13 license violations, 35-2 Memory Usage, 38-5 mobile floods, 33-11 network anomaly, 33-6 peer-to-peer mobile traffic, 33-20 real-time, 22-2 RNC overloads, 33-10 signaling attack, 33-7 system, 38-2 unwanted source, 33-14 vertical port scans, 33-15 wireless attack, 33-7 Events Details panel Forensic View, 23-5 querying forensic events, 23-6 Excel exporting browser-based reports to, 30-13 exporting browser-based reports, 30-12 data from Network Forensic view, 25-7 graphical browser-based reports, 30-13 exporting data from the GUI, 16-7 external interfaces Motive API, 20-2 SNMP, 19-2 external ports 9900 WNG Central, 4-18 9900 WNG Detector, 4-18
IN-6
Index external user interfaces GUI role
external user interfaces, 1-7, 10-7 BMC, 13-2 Central web page, 13-2 CLI, 13-2 EMS GUI, 13-2 NMS, 13-2 SNMP, 13-2
table columns in, 23-5 working in, 23-5
G
generating browser-based reports, 30-2 Mobile Flow reports, 27-2 reports in Subscriber view, 29-4 GGSN or HA time plot (sessions and performances) report, 31-21 GGSN or HA time plot (traffic) report, 31-21 GGSN-to-SGSN or HA-to-PDSN hop time plot reports, 31-26 GGSN/HA comparison table report, 31-20 GGSN/HA multi-element time-trend table report, 31-22 graphical browser-based reports exporting, 30-13 grounding servers, 4-15 GUI components, 16-2 configuring language, 16-8 Dashboard View, 21-2 data retrieval settings, 16-9 disconnecting users, 36-9 features and functions, 16-6 launching, 15-3 logging in to, 16-2 menus, 16-4 monitoring the 9900 WNG system, 16-4 navigation menu, 16-6 opening CLI view, 28-2 provisioning your PC, 15-2 role, 36-2 GUI components Dashboard View, 21-2 GUI features calendar and time widget, 16-7 exporting data, 16-7 sorting data, 16-6 whois query, 16-7 GUI role, 36-2 creating, 36-5
F
features new, 11-2 filtering Anomaly Events, 22-8 anomaly events, 22-8 Anomaly History events, 22-13 browser-based reports, 30-4 Performance Events, 22-11 System Events, 26-5 Flow Details button in Flow/Session tab, 29-14 Flow/Session tab, 29-11 Cumulative Resources chart, 29-14 Flow Details button, 29-14 in subscriber reports, 29-11 Mobile Flow chart, 29-13 plots in, 29-13 Session chart, 29-14 Forensic View, 23-2 Events Details panel, 23-5 generating, 23-2 generating from Anomaly Events view, 23-2 generating from Anomaly History view, 23-2 generating from Performance Events view, 23-2 GUI-based reports, 23-3 menu components, 23-2 opening Mobile Flow view from, 23-6 operations, 23-5 querying data in Events Details panel, 23-6 reports components, 23-4 tab, 23-2
IN-7
Index GUI-based reports license
GUI-based reports Forensic View, 23-3
Hour-of-day trend comparing models report, 31-42
H
hard disk drive ordering, 8-2 replacing, 8-4 hardware 9900 WNG, 1-5 9900 WNG Central, 1-6 9900 WNG Detector, 1-5 connections, 4-17 installing, 4-2 replacing hard disk drive, 8-4 replacing power supply, 8-3 Hardware Failure system event, 38-8 hardware requirements, 4-2 hardware specifications, 2-12 cabling, 2-14 power requirements, 2-13 racks, 2-12 hazard statements, 3-2 high signaling subscriber events, 33-18 high-usage subscriber events, 33-17 Historic Reports tab Subscriber view, 29-3 Historic View tab, 23-3 hop browser-based reports, 31-25 hop reports, 31-25 in Network Forensic view, 25-2 parameters, 31-27 specifying hops, 31-27 time resolution, 31-28 horizontal port scans, 33-14 Hour-of-day trend comparing applications report, 31-37 Hour-of-day trend comparing days of week report, 31-38 Hour-of-day trend comparing days report, 31-37 Hour-of-day trend comparing manufacturers report, 31-42
I
ICMP router discovery abuses, 33-13 icons to export browser-based reports, 30-12 idle timeouts displaying, 36-12 Incident breakdown by event type (pie chart) report, 31-3, 31-3 Incident breakdown by event type (time plot) report, 31-2 installing, 4-2 2-post racks, 4-11 4-post racks, 4-7 9900 WNG Central, 4-2 9900 WNG Detector, 4-2 9900 WNG EMS, 15-2 brackets, 4-7 hardware, 4-2 license, 6-3 server rack, 4-6 servers, 4-7 intensity levels for anomaly events specifying, 12-13 intensity preferences in Dashboard View, 21-10 IP addresses specifying for whitelists, 12-8
L
lag period in browser-based reports, 30-5 language configuring choice of in GUI, 16-8 LEDs status indicators, 16-4 troubleshooting, 16-5 legacy reports, 30-2 license, 6-2 expiration, 6-2 installing, 6-3 obtaining, 6-3
IN-8
Index license (continued) Motive API
obtaining 9900 WNG Central host identifier, 6-3 viewing status, 35-2 viewing violations, 35-2 license files backing up, 39-4 restoring, 39-5 License Violation system event, 38-2 Line rate threshold system event, 38-6 Link Down system event, 38-3 log files, 37-2 backing up, 39-4 displaying for Motive API, 20-6 GUI queries, 37-10 GUI reports, 37-10 restoring, 39-5 using to monitor the system, 37-3 viewing using CLI, 37-3 log reports samples, 37-3 logging in 9900 WNG Central CLI from GUI, 14-7 9900 WNG Central CLI using SSH, 14-6 9900 WNG Detector, 14-8 logging in to GUI, 16-2 login banners loading, 12-21
M
mandatory configuration procedures 9900 WNG Central, 7-2 9900 WNG Detector, 7-2 configuring 9900 WNG Central servers, 7-5 configuring 9900 WNG Detector servers, 7-6 configuring management interfaces and BMC LANs, 7-3 prerequisites, 7-2 Memory Usage system event, 38-5 menu icons in System View, 26-2
menus Forensic View, 23-2 GUI, 16-4 Subscriber View, 29-2 MIBs; See SNMP MIBs mobile dormancy timeout values modifying, 12-9 mobile floods, 33-11 Mobile Flow chart in Flow/Session tab, 29-13 Mobile Flow measurements RTT, 27-8 throughput, 27-8 Mobile Flow Queries, 37-12 Mobile Flow record components, 27-3 Mobile Flow report Event Details tab, 27-5 Path tab, 27-7 Performance tab, 27-6 Mobile Flow reports generating, 27-2 Mobile Flow view measurements, 27-8 opening from Anomaly Events view, 22-9 opening from Forensic View, 23-6 opening Network Forensic reports from, 27-8 operations, 27-7 records, 27-2 viewing device details, 27-7 working in, 27-7 mobile IP address ranges specifying, 12-7 modes changing, 14-8 CLI, 14-3 monitoring using log files, 37-2 Motive API, 20-2 adding subnets, 20-4 CLI commands, 20-4 creating accounts, 20-3 deleting subnets, 20-5 deleting users, 20-3
IN-9
Index Motive API (continued) optional configuration procedures
displaying log files, 20-6 displaying statistics, 20-6 displaying users, 20-4 interface, 20-2 role, 36-2 security, 20-3 Motive API role, 36-2 creating, 20-3 mouse-over function in Network Graph view, 24-9 multiple params) report, 31-31
N
navigation icons in browser-based reports, 30-6 NE reports in Network Forensic view, 25-2 network anomaly events, 33-6 network elements browser-based reports, 31-10 network elements reports, 31-10 configuration options, 31-24 parameters, 31-22 sessions and performance parameters, 31-23 traffic measure types parameters, 31-23 traffic parameters, 31-23 Network Forensic Element Reports, 37-11 Network Forensic Hop Reports, 37-11 Network Forensic reports components, 25-4 concise format, 25-5 detailed format, 25-5 generating from the Network Graph view, 24-10 opening from Mobile Flow view, 27-8 statistics, 25-5 Network Forensic view, 25-2 export functions, 25-7 generating reports, 25-3 History tab, 25-4 hop reports, 25-2 in navigation menu, 25-2 NE reports, 25-2
operations, 25-7 sorting data in, 25-7 working in, 25-7 Network Graph view, 24-6 components, 24-7 display functions, 24-8 displaying and collapsing cell view, 24-9 generating a Network Forensic report from, 24-10 mouse-over function, 24-9 opening, 24-6 operations in, 24-10 preferences, 24-8 working in, 24-8 network resource usage browser-based reports, 31-2 network resource usage reports, 31-2 network statistics browser-based reports, 31-5 network statistics reports, 31-5 parameters, 31-8 sessions and events parameters, 31-9 traffic parameters, 31-8 network usage reports event types, 31-5 resource types, 31-5 NMS, 13-2 No Packet system event, 38-6
O
operations Anomaly Events view, 22-9 in Element Tables view, 24-6 in Forensic View, 23-5 in Network Forensic view, 25-7 in System View, 26-6 Performance Events view, 22-11 optional configuration procedures, 12-2 9900 WNG Central, 12-16 9900 WNG Detector, 12-2 adding 9900 WNG Detectors, 12-14 adding entries to application map tables, 12-16 configuring anomaly alerts, 19-11
IN-10
Index optional configuration procedures (continued) powering down
configuring congestion alerts, 19-11 configuring RNC load threshold, 12-4 configuring RNC-to-PCF IP addresses, 12-4 configuring SNMPv1/v2c, 19-3 configuring SNMPv3, 19-5 configuring trend alerts, 19-11 configuring UMTS RNC-to-SAI mappings, 12-5 copying 9900 WNG Detector configuration files, 12-15 deleting 9900 WNG Detectors, 12-16 deleting SNMP communities, 19-10 deleting SNMP hosts, 19-11 deleting SNMP server IP addresses, 19-10 deleting SNMP views, 19-11 disabling anomaly event reporting, 12-11 enabling security event manager feed, 12-20 generating public keys, 12-21 loading saved login banners, 12-21 modifying anomaly throttle rates, 12-8 modifying mobile dormancy timeout values, 12-9 specifying anomaly event intensity levels, 12-13 specifying deployment modes, 12-2 specifying IP addresses for whitelists, 12-8 specifying mobile IP address ranges, 12-7 specifying VLANs, 12-10 updating SNMP agent contact, 19-9 updating SNMP location information, 19-9 Overall network time plot (sessions and events) report, 31-6 Overall network time plot (traffic) report, 31-5 Overall subscriber cumulative distribution report, 31-30
P
Packet Drop system event, 38-6 parameters browser-based reports input page, 30-3
passwords changing for users, 36-6 changing your account using the CLI, 36-6 changing your account using the GUI, 36-6 expiration, 36-3 requirements, 36-3 Path tab, 29-14 in subscriber reports, 29-14 peer-to-peer mobile traffic events, 33-20 performance measuring using CLI, 37-12 Performance Events view, 22-10 components, 22-10 filtering data, 22-11 operations, 22-11 working in, 22-11 Performance KPI by manufacturer/model report, 31-45 pie charts in browser-based reports, 30-10 planning, 2-2 9900 WNG Central, 2-2 9900 WNG Detector, 2-3 cabling, 2-14 environmental requirements, 2-15 IP addresses, 2-11 port numbers, 2-11 power requirements, 2-13 port scans, 33-14 horizontal, 33-14 vertical, 33-15 ports 9900 WNG Central, 4-18 9900 WNG Detector, 4-18 power requirements, 4-3 AC, 4-3 DC, 4-4 power supply ordering, 8-2 replacing, 8-3 powering down, 5-2 9900 WNG Central, 5-3 9900 WNG Detector, 5-5
IN-11
Index powering up RNC load thresholds
powering up, 5-2 9900 WNG Central, 5-2 9900 WNG Detector, 5-4 preferences GUI, 16-9 menu, 16-9 presentation page browser-based reports, 30-6 privileges, 36-2 admin, 36-2 anomaly, 36-2 application devices, 36-2 changing, 36-7 CLI, 14-3 demo only, 36-2 escalating, 36-3 NE, 36-2 reportonly, 36-2 subscriber, 36-2 sudo, 36-2 user, 36-2 Process Down system event, 38-3 Process Start system event, 38-4 public keys generating, 12-21
Q
queries Mobile Flow, 37-12 Queue Usage system event, 38-7
R
Real-time Events view, 22-2 anomalies, 22-5 Anomaly History, 22-12 columns in table, 22-3 common components, 22-2 common features, 22-2 Performance Events, 22-10 severity indicators, 22-4 Realm/APN comparison table report, 31-34 records Mobile Flow view, 27-2 regulatory specifications, 3-6
IN-12
reporting of anomaly events disabling, 12-11 Reports role, 36-2 reports backing up, 39-4 generating browser-based, 30-2 generating for subscriber, 29-5 generating from Network Forensic view, 25-3 mobile flow, 27-2 Network Forensic Element, 37-11 Network Forensic Hop, 37-11 restoring, 39-5 subscriber, 16-11 Subscriber view, 29-2 reports database performing an incremental backup, 39-5 restoring increments, 39-6 Reports role, 36-2 creating, 36-5 resetting 9900 WNG Central using BMC, 5-5 9900 WNG Detector using BMC, 5-5 resource types network usage reports, 31-5 Resources breakdown by top application report, 31-4 restoring, 39-2 9900 WNG Detector, 39-7 configuration files, 39-5 database, 39-5 full system, 39-5 license files, 39-5 log files, 39-5 procedures, 39-5 reports, 39-5 security files, 39-5 system files, 39-5 restoring backup data, 39-3 right-click options for charts in Dashboard View, 21-12 RNC comparison table report, 31-16 RNC load thresholds configuring, 12-4
Index RNC multi-element time-trend table report SNMP MIBs
RNC multi-element time-trend table report, 31-17, 31-18 RNC overloads, 33-10 RNC time plot (sessions and performances) report, 31-17 RNC time plot (traffic) report, 31-16 RNC-to-cell hop time plot report, 31-26 RNC-to-PCF IP address mapping configuring, 12-4 Roaming traffic report, 31-7 roles, 36-2 changing, 36-7 CLI, 14-3, 36-2 GUI, 36-2 managing, 36-4 monitoring, 36-10 Motive API, 36-2 Reports, 36-2 SNMP, 36-2 RTT in Mobile Flow measurements, 27-8
S
safety guidelines, 3-3 hazards, 3-2 safety guidelines, 3-3 safety hazards, 3-2 security, 34-2 browser-based reports, 31-28 Motive API, 20-3 passwords, 36-3 privileges, 36-2 RBAC, 34-2 roles, 36-2 SNMPv3, 34-2 SSH protocol, 34-2 SSL, 34-2 supported protocols, 34-2 security event manager feed enabling, 12-20 security files backing up, 39-4 restoring, 39-5 security reports, 31-28
server grounding, 4-15 installing racks, 4-6 specifications, 2-12 Session chart in Flow/Session tab, 29-14 severity indicators in Real-time Events view, 22-4 SGSN or PDSN time plot (sessions and performances) report, 31-19 SGSN or PDSN time plot (traffic) report, 31-18 SGSN/PDSN multi-element time-trend table report, 31-20 SGSN/PDSN-to-RNC hop time plot report, 31-26 show backhaul, 37-18 show compressionStatus, 37-18 show memory, 37-16 show stats, 37-13 show system, 37-17 show top, 37-18 signaling attack events, 33-7 Single subscriber time trend table report, 31-31 SNMP, 13-2 9900 WNG Central, 19-2 creating accounts, 19-5 deleting accounts, 19-8 deleting communities, 19-10 deleting groups, 19-8 deleting hosts, 19-11 deleting server IP addresses, 19-10 deleting views, 19-11 displaying users, 19-8 interface, 19-2 MIBs, 19-15 role, 36-2 trap events, 19-13 updating agent contact, 19-9 updating location information, 19-9 SNMP commands, 19-12 GET, 19-12 SET, 19-12 TRAP, 19-12 SNMP MIBs, 19-15 accessing, 19-15
IN-13
Index SNMP role system events
SNMP role, 36-2 creating, 19-5 SNMPv1/v2c configuring, 19-3 SNMPv3 configuring, 19-5 software 9900 WNG, 1-6 displaying enabled repository, 9-4 displaying packages, 9-9 repository, 9-3 upgrading using an external repository, 9-7 upgrading using the 9900 WNG Central repository, 9-6 upgrading using USB, 9-8 software repository configuring the 9900 WNG Central, 9-4 displaying, 9-4 displaying packages, 9-9 software upgrades, 9-2 CLI commands, 9-2 sorting data in Element Tables view, 24-6 data in Network Forensic view, 25-7 data in tables, 16-6 data in the GUI, 16-6 stacked area charts in browser-based reports, 30-8 statistics displaying for Motive API, 20-6 Statistics tab in subscriber reports, 29-8 subnets adding for Motive API, 20-4 deleting for Motive API, 20-5 subscriber browser-based reports, 31-29 Subscriber Group Manager, 32-2 subscriber group view changing, 32-4 subscriber groups changing view, 32-4 creating, 32-3 importing data, 32-5 Subscriber Reports, 37-11
IN-14
subscriber reports, 29-4, 31-29 Anomaly Events tab, 29-11 Billingtab, 29-15 components, 29-7 fields in, 31-35 Flow/Session tab, 29-11 modifying preferences, 16-11 parameters, 31-35 Path tab, 29-14 Statistics tab, 29-8 Top Applications tab, 29-8 Top Servers tab, 29-10 Subscriber Statistics tab, 29-8, 29-8 Subscriber time plot report, 31-30 Subscriber view acquiring IDs for reports, 29-4 Active Reports tab, 29-3 components, 29-3 generating reports, 29-4 Historic Reports tab, 29-3 reports, 29-2 reports characteristics, 29-4 subscribers searching, 32-4 Swap Usage system event, 38-8 system backing up, 39-4 restoring, 39-5 system architecture, 1-2, 10-2 system events, 38-2 CPU Usage, 38-4 Disk Usage, 38-4 Hardware Failure, 38-8 License Violation, 38-2 Line rate threshold, 38-6 Link Down, 38-3 No Packet, 38-6 Packet Drop, 38-6 Process Down, 38-3 Process Start, 38-4 Queue Usage, 38-7 Swap Usage, 38-8 viewing, 38-2
Index System Events view user accounts
System Events view, 26-2 components, 26-3 display preferences, 26-4 table columns, 26-4 system files backing up, 39-4 restoring, 39-5 System History view, 26-5 system requirements 9900 WNG EMS, 15-2 System View, 26-2 menu icons, 26-2 operations, 26-6 working in, 26-6
T
Table comparing manufacturers report, 31-44 Table comparing models report, 31-45 tables in browser-based reports, 30-11 threat detection CDMA network, 33-2 UMTS network, 33-3 threshold values, 33-21 throughput in Mobile Flow measurements, 27-8 time parameters browser-based reports, 30-4 Time plot comparing applications report, 31-38 Time plot comparing manufacturers report, 31-43 Time plot comparing models report, 31-44 time zones in browser-based reports, 30-5 time-series charts in browser-based reports, 30-7 timeouts See also idle timeouts in CLI, 14-5 tool tips in browser-based reports, 30-6 Top applications reports, 31-39 Top Applications tab in subscriber reports, 29-8
Top attackers at or above a specified intensity level report, 31-28 Top mobile (single day, 31-31 Top Mobiles reports, 31-32 Top scanners report, 31-29 Top servers report, 31-33 Top Servers tab, 29-10 in subscriber reports, 29-10 Topology view, 24-2 Element Tables view, 24-2 trend alerts configuring, 19-11 troubleshooting browser-based reports, 31-47 using LEDs, 16-5
U
UMTS network threat detection, 33-3 UMTS RNC-to-SAI mapping configuring, 12-5 unwanted source anomaly event, 33-16 upgrading 9900 WNG Central software using a USB, 9-8 9900 WNG Central software using the 9900 WNG Central repository, 9-6 9900 WNG Central software using the external software repository, 9-7 9900 WNG Detector software using a USB, 9-8 9900 WNG Detector software using the 9900 WNG Central repository, 9-6 9900 WNG Detector software using the external software repository, 9-7 user accounts, 36-2 changing names, 36-8 changing password, 36-6 changing passwords using the CLI, 36-6 changing passwords using the GUI, 36-6 changing roles, 36-7 CLI role, 36-2 creating, 36-5 creating for SNMP, 19-5
IN-15
Index user accounts (continued) wireless attack events
deleting, 36-10 deleting motive API, 20-3 deleting SNMP, 19-8 disconnecting, 36-9 displaying, 36-11 displaying idle timeouts, 36-12 displaying Motive API users, 20-4 displaying patterns, 36-12 displaying SNMP users, 19-8 GUI role, 36-2 managing, 36-4 monitoring, 36-10 Motive API role, 36-2 passwords, 36-3 privileges, 36-2 Reports role, 36-2 resetting the password timeout for all, 36-8 roles, 36-2 setting the idle timeout, 36-9 setting the password timeout for one, 36-8 SNMP role, 36-2 user interfaces, 13-2 9900 WNG Central web page, 17-2 BMC, 18-2 CLI, 14-2 GUI, 16-2 GUI Dashboard View, 21-2 logging in, 13-3 users See also user accounts creating accounts, 36-5
Network Graph, 24-6 Performance Events, 22-10 Subscriber, 29-3 System, 26-2 Topology, 24-2 VLANs specifying, 12-10
W
warning hazards, 3-2 whois query, 16-7 widgets calendar, 30-5 wireless attack events, 33-7
V
vertical port scans, 33-15 viewing license status, 35-2 system events, 38-2 views Anomaly Events, 22-5 Anomaly History, 22-12 CLI, 28-2 Element Tables, 24-2 Forensic, 23-2 Network Forensic, 25-2
IN-16
Customer documentation and product support
Customer documentation
http://www.alcatel-lucent.com/myaccess
Product manuals and documentation updates are available at alcatel-lucent.com. If you are a new user and require access to this service, please contact your Alcatel-Lucent sales representative.
Technical Support
http://support.alcatel-lucent.com
Documentation feedback
documentation.feedback@alcatel-lucent.com
2010 Alcatel-Lucent. All rights reserved. 3HE 06049 AAAA TQZZA

WNG R2.1 Product Guides

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

WNG R2.1 Product Guides

Încărcat de

Drepturi de autor:

Formate disponibile

PRODUCT GUIDES

When printed by Alcatel-Lucent, this document is printed on recycled paper.

About the guides

9900 Wireless Network Guardian User Guide

Contains information about:

9900 Wireless Network Guardian System Administration and Security Guide

Contains information about:

Conventions used in this guide

may, or will, cause equipment damage or serious performance problems.

Acronyms and initialisms

Procedures with options or substeps

Procedure 1 Example of options in a procedure

You must perform this step.

Procedure 2 Example of substeps in a procedure

You must perform this step.

Multiple PDF file search

Procedure 3 To search multiple PDF files for a term

Whole words only Case-Sensitive Include Bookmarks Include Comments

Planning, Installation, and Upgrade Guide

9900 WNG planning

9900 WNG Detector and Central server installation

Powering up, powering down, and resetting 9900 WNG components

Mandatory configuration procedures

Software maintenance and upgrades

11 9900 WNG new features

9900 WNG Release 2.1 features...................................................... 11-2

Internal and external interfaces

Interfaces overview.................................................................... 13-2 Logging in to 9900 WNG interfaces .................................................. 13-3

14-12 14-12 14-13 14-14 14-14 14-14

17 9900 WNG Central webpage

22 Real-time Events views

25 Network Forensics view

27 Mobile Flow view

27.2 27.3 27.4

CLI view.................................................................................. 28-2

Browser-based reporting and management

31 Configuring browser-based reports

31.5 31.6 31.7

31-36 31-36 31-40 31-40 31-41 31-42 31-46 31-47

32 Subscriber Group Manager

Network anomaly reporting and management

33-17 33-17 33-18 33-19 33-20 33-21 33-21

System Administration and Security Guide

Security overview ...................................................................... 34-2

36 User account management

System monitoring and administration

PLANNING, INSTALLATION, AND UPGRADE GUIDE

When printed by Alcatel-Lucent, this document is printed on recycled paper.

Alcatel-Lucent License Agreement

2. PROTECTION AND SECURITY OF LICENSED PROGRAMS

5. SUPPORT AND UPGRADES

6. WARRANTIES AND INDEMNIFICATION

Planning and system architecture

1 9900 WNG system architecture 2 9900 WNG planning 2-1

9900 WNG system architecture

1.1 9900 WNG overview

1.5 9900 WNG external user interfaces

1 9900 WNG system architecture

9900 WNG overview

9900 WNG Detector and Central

9900 WNG Central 9900 WNG Detector

9900 WNG Central

9900 WNG Detector Servers