Transcription

All You Ever Wanted to Know About Network Management in 90 Minutes (More or Less)
Adopted from Cisco University
NMS-1000 12529_04_2006_c2 © 2006, 2007 Cisco Systems, Inc. All rights reserved. Printed in USA. Cisco Public

About the Speaker: Dr. Pete Welcher
- Cisco CCIE #1773, CCSI #94014, CCIP
- Specialties: Network Design, QoS, MPLS, Wireless, Large-Scale Routing & Switching, High Availability, Management of Networks
- Customers include large enterprises, federal agencies, hospitals, universities, major hotel chain
- MPLS w/ major city government optical MPLS deployment
- Several large MPLS VPN customers
- MPLS VPN Security Risk Analysis for major retailer (1700 stores)
- Taught many of the Cisco router/switch courses
- Reviewer for many Cisco Press books, book proposals
- Presented (lab sessions) MPLS VPN at Networkers 2005, 2006
- Over 138 articles at http://www.netcraftsmen.net/welcher/

Agenda
- Managing Network Management
- Managing via the Cisco IOS
- Syslog
- IP SLA
- NetFlow
- NBAR
- Net Mgmt Stories (as time permits)
- Summary, Q&A, References, Applause-O-Meter (if time)

Managing Network Management

Pete's Stages of Network Management
1. Gathering information to diagnose a problem (CLI, etc.)
2. Collecting SNMP trap & syslog information to assist
3. Automating configuration and IOS software management
4. Automated performance data gathering, reporting (baseline, capacity planning)
5. Performance threshold-based traps

Plan Network Management
- Plan what you buy, and don't buy several products at one time
- Try the product before buying
  - Demos always look great, but generally don't show what the product doesn't do well, or what is hard to admin
  - Take the class: if it doesn't work in class
  - Demo it in-house: if you can't make it work
- Consider a consultant
  - Broader exposure to NM products, what people like and don't like, what seems to work
- Focus: What problem are you trying to solve?

Determine Management Priorities
- You can't do it all, especially in small/medium size organizations
- Network Management can get labor intense
  - But staffing rarely gets larger
- Newton was right about INERTIA
  - Existing process may focus on managing WAN links
  - But data center, colo facility, etc. also need to be watched
  - Services and response times, WAN SLAs, etc. are also candidates for monitoring

2-Dimensional FCAPS (diagram)
Rows, level managed: Business, Service, Network, Element (device)
Columns: Fault, Configuration, Accounting, Performance, Security
Products placed on the grid: Cacti, SW Orion, Concord, InfoVista, HPOV at the Network level; CW LMS at the Element level; the Security column is annotated "Security Products?" and "Labor-intense?"

The New Age in Net Mgmt Tools
- 20 years ago, disks were costly
  - Not any more, 1 TB USB drive for 1K soon
- 10 years ago, CPU and bandwidth were costly
  - Getting very cheap now, e.g. Intel Dual and Quad core processors
- Impact on Net Management:
  - Smaller scale products are scaling further and further!
  - Older products were (are) stingy with resources, like polling for data (uses CPU and bandwidth) and storing data (uses disk space)
  - Recent products figure out "it's a router" or "it's a switch" and go collect a lot of useful info
  - For years, I've disliked turning on polling one router or interface or whatever, ONE at a time; now we don't have to!
  - Do you really want to be reading MIBs and figuring out what variables would be useful to collect? The software should already know the important variables!
- The secret of test-driving a tool
  - Look for what the vendor made hard to do (intentionally or unintentionally)
  - Decide if you can live with it

Use "Sustainable" Tools
- Most organizations have had a lot of NM shelfware over time
  - May explain current disinterest in (platform) products
- Base your tool selection on ease of product admin and size of your organization
  - One person shop: Keep It Simple! (1-2 products)
  - With the right mix of tools and a dedicated / good admin, you can get good value from several tools
  - Net mgmt tool admin MUST be a tool user, not just a sys admin
- New generation of low admin hassle tools:
  - What's Up Gold (displacing HP OV NNM?)
  - Cisco NAM
  - SolarWinds Orion
  - NetQoS products
  - Cacti
  - NetMRI
  - Cisco SDM, ASDM, CSM

Managing via the Cisco IOS

Cisco IOS Tools Help You Manage
- Companies sometimes buy cheaper equipment, particularly access switches
  - This is a TCO issue!!
  - When something goes wrong, it can be CCIE-hard to figure out the problem and cause, if the device gives you no info or just RMON data
- Cisco IOS provides
  - Broad range of show commands
  - show logging to see locally-retained syslog info after an event
  - Out of band management (reverse telnet / reverse SSH)
  - IP SLA and related show commands
  - NetFlow and related show commands
  - NBAR
  - ESM for "smart syslog" in 12.3 T and later
  - SNMP access to vast amounts of information
  - SDM, ASDM, web tools for managing single devices
  - CBQoS MIB (and many other SNMP MIBs are supported too!)

Communicating with the Network
Managed network elements are waiting to provide us with useful information. Network management begins with an understanding of how to collect and interpret this information.

Methods of Gathering Information
Method    Example                                    Security Options
Console   Terminal Server                            Device Usernames, TACACS/RADIUS
Telnet    TeraTerm, PuTTY                            SSH
HTTP      Embedded Device Management (XML)           SSL (HTTPS)
SNMP      MRTG (Multi Router Traffic Grapher);       SNMPv1, 2c: Access Lists
          Cacti updates MRTG                         SNMPv3: Auth/Priv

Methods of Communication (Event Driven)
Method                  Function                             Example
Syslog                  Operation changes                    Change audit
NetFlow                 Usage flow reporting                 Accounting
Embedded Event Manager  Scriptable event-driven reporting
SNMP Traps              Event driven or threshold driven

CISCO-CLASS-BASED-QOS-MIB: Class-Map Stats Table (cbQosCMStats)
- Before QoS: CMPrePolicyPkt and CMPrePolicyByte are the totals classified for the class (the number of packets and bytes that match the class)
- After QoS policies have been applied: CMPostPolicyPkt (and the byte counterpart)
- Packets and bytes dropped: CMDropPkt, CMDropByte; Drop = Pre minus Post
(Diagram: Bronze, Silver and Gold classes counted before and after the policy is applied.)

Two-Tier Management (diagram)
A management system sends queries to the network elements (printer, Cisco CallManager, switch, router); the network elements send unsolicited events back to the system.

Network Management Tips
- Configure for manageability (and security)
  - One of my articles contains a sample manageability configuration: ers/snmptemplate.html

Syslog

Syslog
- Very basic reporting mechanism, "standard" (esp. on UNIX)
- Text messages on UDP port 540
- Easy to implement clients
- All ASCII (easy to manipulate)
- Think of it as a Flight Recorder: maximize the STP and other info captured when you have a problem

Syslog Problems
- It's not reliable (yet)
- It's not secure (yet)
  - Not much worse than SNMPv1/v2c notifications
- One way: no query capability
- Priority isn't consistently used
  - Fairly accurate on Cisco routers, PIX maybe not
- Can be verbose
  - No argument there! Especially security devices!!!
- Tools: Syslog-NG, Kiwi Syslog, freeware
- For new smart ways to process syslogs on the device, see NMS-3011: Getting the Right Events from Network Elements

There Is a Cisco IOS Message Standard for Syslog
  %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text
  %SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)
- Documentation for each release explains the meaning of many of these events
- Severity maps to the Syslog level, i.e., how critical a message it is
- Facility here is not the same as the Syslog facility (e.g., local7)
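The IOS message format and the change-audit use of syslog, as an added example that is not part of the original deck: it splits %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC out of a received line, decodes the separate RFC 3164 <PRI> header so the two meanings of "facility" can be compared, and pulls CONFIG_I events out of a feed. The sample lines are constructed for the example; the only one taken from the slide is the CONFIG_I message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard syslog severities; these are also the Cisco IOS "logging" levels 0..7.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Standard syslog facility codes. IOS sends local7 unless "logging facility" is changed.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC: Message-text   (subfacility is optional)
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)(?:-(?P<subfacility>[A-Z][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")          # RFC 3164 header: <PRI>
CONFIG_RE = re.compile(r"Configured from (?P<method>\S+) by (?P<user>\S+) on (?P<line>\S+)"
                       r"(?: \((?P<ip>[\d.]+)\))?")


@dataclass
class IosSyslogMessage:
    ios_facility: str            # e.g. SYS: an IOS subsystem, not a syslog facility
    subfacility: Optional[str]
    severity: int                # 0..7, carried inside the message text
    mnemonic: str                # e.g. CONFIG_I
    text: str
    syslog_facility: Optional[str] = None   # decoded from <PRI>, when the line has one
    syslog_severity: Optional[int] = None


@dataclass
class ConfigChange:
    user: str
    method: str                  # console, vty, snmp, ...
    line: str
    source_ip: Optional[str]


def parse_line(line: str) -> Optional[IosSyslogMessage]:
    """Parse one received line; None if it carries no IOS-format message."""
    m = IOS_MSG_RE.search(line)
    if not m:
        return None
    msg = IosSyslogMessage(m["facility"], m["subfacility"], int(m["severity"]),
                           m["mnemonic"], m["text"].strip())
    pri = PRI_RE.match(line)
    if pri:
        code = int(pri["pri"])                   # PRI = syslog_facility * 8 + severity
        msg.syslog_facility = FACILITY_NAMES.get(code // 8, f"facility{code // 8}")
        msg.syslog_severity = code % 8
    return msg


def config_change_events(lines: List[str]) -> List[ConfigChange]:
    """Change audit: collect every SYS-5-CONFIG_I message from a batch of lines."""
    events = []
    for line in lines:
        msg = parse_line(line)
        if msg is None or (msg.ios_facility, msg.mnemonic) != ("SYS", "CONFIG_I"):
            continue
        m = CONFIG_RE.search(msg.text)
        if m:
            events.append(ConfigChange(m["user"], m["method"], m["line"], m["ip"]))
    return events


def count_by_severity(lines: List[str]) -> Dict[str, int]:
    """Volume per severity name, a first cut at taming a verbose feed."""
    counts: Dict[str, int] = {}
    for line in lines:
        msg = parse_line(line)
        if msg is not None:
            name = SEVERITY_NAMES[msg.severity]
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample feed (not real device output). PRI 189 = local7 (23) * 8 + 5.
SAMPLE_LOG = [
    "<189>35: *Mar  1 02:11:09.123: %SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)",
    "<189>36: *Mar  1 02:11:30.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "<187>37: *Mar  1 02:12:01.789: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<190>38: *Mar  1 02:12:44.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4021) -> 10.2.2.2(23), 1 packet",
]

if __name__ == "__main__":
    for change in config_change_events(SAMPLE_LOG):
        print(f"config change by {change.user} via {change.method} on {change.line} from {change.source_ip}")
    print(count_by_severity(SAMPLE_LOG))
```

The PRI decode is what the last bullet of the slide is about: the 189 in the header says local7/notifications to the collector, while the SYS inside the message names the IOS subsystem; the two severities agree, the two "facilities" do not.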

IP SLA

Multimedia QoS Requirements (Examples)
Traffic Type        Maximum Packet Loss   Maximum One-Way Latency   Max. Jitter
VoIP                1%                    200 ms                    30 ms
Videoconferencing   1%                    200 ms                    30 ms
Streaming video     2%                    5 s                       N/A

Cisco IOS IP Service Level Agreement: A New Direction
Cisco solution that assures IP service levels, proactively verifies network operation, and accurately measures network performance
- Comprehensive hardware support
- Committed Cisco partner support
- Cisco IOS Software, the world's leading network infrastructure software
(Diagram: Enterprise and Small/Medium Business: understand network performance and ease deployment. Service Providers: verify service levels, verify outsourced SLAs, measure and provide SLAs. Placement across Access, Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge and Service Provider Core, all running Cisco IOS Software.)

How Does It Work?
- Hop-by-hop analysis
- Edge-to-edge measurement
- Proactive notification
  - Rising and falling thresholds
  - Robust threshold definition for SLAs
  - SNMP traps generated when SLA violated
  - Thresholds can trigger SA operation activation for further analysis
(Diagram: a management application reads IP SLA on a Cisco IOS device, which measures toward an IP SLA Responder.)

IP SLA Sender
- Cisco IOS device that sends probe packets
- Operation configuration takes place on the sender only
- Once the operation is finished, all the results are polled off the sender
- Target is another host (IP Host, or IP SLA Responder)
- Some operations require the target to run the IP SLA responder (Jitter for instance); others work with a simple IP Host (ICMP Ping)

IP SLA Responder
- Runs on Cisco IOS
- Configure 'ip sla monitor responder', or set rttMonApplResponder.0 to 1 with SNMP
- Sender uses the IP SLA Control Protocol to communicate with the responder before sending the test packets
- Responder knows the type of operation, the port used, the duration
- Communication can be authenticated with MD5, not encrypted (offers integrity)
- Responder inserts in/out timestamps in the packet payload (measures CPU time spent)

IP SLA Operation With Responder (message exchange)
Control phase (IP SLA Control, UDP 1967):
  Sender -> Responder: control message, ask receiver to open port 2020 on UDP
  Responder -> Sender: OK; responder starts listening on UDP port 2020
Probing phase (IP SLA Test, UDP 2020):
  Sender -> Responder: test packets
  Done: responder stops listening

Cisco IOS IP SLAs and CISCO-RTTMON-MIB
- IP SLAs (a.k.a. Service Assurance Agent, SAA; formerly RTR)
- IP SLAs is an active measurement tool, unlike NetFlow which is passive
- Generates availability and threshold traps
- Also collects statistics
- Information can be retrieved by SNMP
- http://www.cisco.com/go/ipsla/
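The sender/responder exchange above, as an added model that is not part of the original deck and does not reproduce the real control-protocol wire format: a control message opens the probe port (integrity-checked with a keyed MD5 when a key is configured, but not encrypted), probes get an in and an out timestamp from the responder, and the sender subtracts that responder processing time from the round trip. The port numbers come from the slide; the key, delays and clock offset are constructed values.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONTROL_PORT = 1967   # IP SLA control protocol, UDP (from the slide)
TEST_PORT = 2020      # probe port negotiated in the slide's example


def canonical(msg: dict) -> bytes:
    """Deterministic byte form of a control message, used for the keyed digest."""
    return "|".join(f"{k}={msg[k]}" for k in sorted(msg)).encode()


def keyed_md5(key: bytes, msg: dict) -> str:
    """Constructed integrity tag: MD5 over key + message (a model, not the real format)."""
    return hashlib.md5(key + canonical(msg)).hexdigest()


@dataclass
class Responder:
    """Target side. A probe port answers only while a control message has it open."""
    key: Optional[bytes] = None                 # None = unauthenticated control protocol
    processing_delay: float = 0.0               # seconds spent handling each probe
    clock_offset: float = 0.0                   # responder clock relative to sender clock
    listening: Dict[int, str] = field(default_factory=dict)   # port -> operation type

    def handle_control(self, msg: dict, digest: Optional[str]) -> str:
        if self.key is not None and digest != keyed_md5(self.key, msg):
            return "AUTH-FAIL"                  # integrity only; the message is sent in clear
        if msg["op"] == "open":
            self.listening[msg["port"]] = msg["type"]
            return "OK"
        if msg["op"] == "close":
            self.listening.pop(msg["port"], None)
            return "OK"
        return "UNKNOWN"

    def handle_probe(self, port: int, seq: int, t_arrive: float) -> Optional[Tuple[int, float, float]]:
        """Returns (seq, in-timestamp, out-timestamp) stamped in the responder's own clock."""
        if port not in self.listening:
            return None                         # port closed: probe dropped, sender times out
        t_in = t_arrive + self.clock_offset
        return seq, t_in, t_in + self.processing_delay


class Sender:
    def __init__(self, responder: Responder, key: Optional[bytes] = None, one_way_delay: float = 0.010):
        self.responder, self.key, self.one_way_delay = responder, key, one_way_delay

    def _control(self, msg: dict) -> str:
        digest = keyed_md5(self.key, msg) if self.key else None
        return self.responder.handle_control(msg, digest)

    def run_jitter(self, port: int = TEST_PORT, num_packets: int = 5, interval: float = 0.020,
                   skip_control: bool = False) -> dict:
        """Control phase, probing phase, close. RTTs in ms with responder time removed."""
        if not skip_control:
            reply = self._control({"op": "open", "port": port, "type": "jitter",
                                   "duration": num_packets * interval})
            if reply != "OK":
                return {"status": reply, "rtts": [], "timeouts": 0}
        rtts: List[float] = []
        timeouts = 0
        for seq in range(num_packets):
            t_send = seq * interval
            answer = self.responder.handle_probe(port, seq, t_send + self.one_way_delay)
            if answer is None:
                timeouts += 1
                continue
            _, t_in, t_out = answer
            t_recv = t_send + 2 * self.one_way_delay + self.responder.processing_delay
            # The responder's own clock measured (t_out - t_in), so its offset cancels out.
            rtts.append(round(((t_recv - t_send) - (t_out - t_in)) * 1000, 3))
        if not skip_control:
            self._control({"op": "close", "port": port})
        return {"status": "OK", "rtts": rtts, "timeouts": timeouts}


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    resp = Responder(key=key, processing_delay=0.005, clock_offset=3600.0)
    print(Sender(resp, key=key).run_jitter())
```

Skipping the control phase makes every probe a timeout, which is the behaviour to expect when a responder is not configured or a firewall between the two drops UDP 1967.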

Scenario 2: Enterprise WAN, ISP SLA Monitoring (diagram)
Path: CPE - CE - PE - ISP - PE - CE - CPE
Measurement segments: Enterprise (CPE to CE), ISP Network (CE to CE), Enterprise (CPE to CE), End-to-End (CPE to CPE)

Scenario 2: Enterprise WAN, Hierarchical Monitoring (diagram)
Corp. HQ and Data Center at the top, Branch and Small Office sites below; network connectivity and server connectivity are measured at each level

Cisco IOS IP SLA Uses and Metrics
Requirement               What is required                              IP SLA Measurement
Data Traffic*             Minimize delay, packet loss; verify QoS       Jitter, packet loss, latency, per QoS
VoIP*                     Minimize delay, packet loss, jitter           Jitter, packet loss, latency, MOS voice quality score
Service Level Agreement*  Measure delay, packet loss, jitter, one-way   Jitter, packet loss, latency, one-way, enhanced accuracy (NTP)
Availability              Connectivity testing                          Connectivity tests to IP devices
Streaming Video**         Minimize delay, packet loss                   Jitter, packet loss, latency

Benefits of Using IP SLA
- Flat learning curve (Cisco IOS technology)
- No additional equipment, nor vendor
- Can be deployed on customer site (CPE) and measure end-to-end SLAs
- Activate at the production router (CPE, CE, PE) or as a dedicated "shadow router"
- Can be managed with existing router management tools (e.g. CiscoWorks IPM)

IP SLA Technical Overview
- Wide measurement capabilities (UDP, TCP, ICMP, ...)
- Near millisecond precision
- Accessible using CLI and SNMP
- Proactive notification
- Historical data storage
- Flexible scheduling options
- Already in Cisco IOS (available on most platforms)
- Almost all interfaces supported, physical and logical

Proactive Notification
- Can send SNMP traps when certain "triggering" events occur (e.g., when rising and falling thresholds are passed)
- Can trigger another IP SLA operation for further analysis (e.g., when ping fails, a path echo operation starts)
(Diagram: IP SLA on a router across the WAN sends an SNMP trap to the NMS.)

Historical Data Storage
- Stores previous results
- Not supported on all operations
- New enhanced history enables configuration of IP SLA to store aggregated measurements in "buckets"
  - e.g., store 48 buckets, and each bucket maintains 15 minutes of the aggregated measurements; with this configuration, it can store 12 hours of performance information

IP SLA Today: Increasing Service Value
Cisco IOS-based IP SLA operations: Echo, Path Echo, UDP Echo, Jitter, Path Jitter, TCP Connect, HTTP, DNS/DHCP, FTP, DLSw, APM, SNA, ICMP, ATM*, Frame Relay; QoS support (ToS); MPLS VPN aware*
* With Cisco IOS 12.2(9)T
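Proactive notification and enhanced history together, as an added example that is not part of the original deck and is a model of the behaviour rather than IOS code: each probe result is checked against a rising/falling threshold pair with hysteresis (one trap per crossing, not one per probe), a timeout hands control to a follow-on operation the way the slide's failed ping starts a path echo, and results are aggregated into 15-minute buckets of which the newest 48 are kept. The thresholds, the 60-second frequency and the RTT series are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional, Tuple


@dataclass
class Bucket:
    """One aggregation interval of the enhanced history."""
    start: int                 # bucket start time, seconds
    samples: int = 0
    timeouts: int = 0
    rtt_sum: int = 0
    rtt_max: int = 0

    def average(self) -> Optional[float]:
        return self.rtt_sum / self.samples if self.samples else None


class IpSlaMonitor:
    """Rising/falling threshold evaluation on each probe result plus bucketed history."""

    def __init__(self, rising_ms: int, falling_ms: int, bucket_seconds: int = 900,
                 buckets: int = 48, on_trigger: Optional[Callable[[str, int], None]] = None):
        if falling_ms > rising_ms:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising_ms, falling_ms
        self.bucket_seconds = bucket_seconds
        self.history: Deque[Bucket] = deque(maxlen=buckets)   # oldest bucket ages out
        self.on_trigger = on_trigger                          # follow-on operation hook
        self.over_threshold = False
        self.events: List[Tuple[int, str, Optional[int]]] = []   # (time, kind, rtt): a trap

    def retention_seconds(self) -> int:
        return self.history.maxlen * self.bucket_seconds

    def _bucket(self, t: int) -> Bucket:
        start = t - t % self.bucket_seconds
        if not self.history or self.history[-1].start != start:
            self.history.append(Bucket(start))
        return self.history[-1]

    def record(self, t: int, rtt_ms: Optional[int]) -> None:
        """Feed one probe result; None means the probe timed out."""
        b = self._bucket(t)
        if rtt_ms is None:
            b.timeouts += 1
            self.events.append((t, "timeout", None))
            if self.on_trigger:
                self.on_trigger("path-echo", t)   # e.g. start a path echo for further analysis
            return
        b.samples += 1
        b.rtt_sum += rtt_ms
        b.rtt_max = max(b.rtt_max, rtt_ms)
        # Hysteresis: one trap when the rising threshold is crossed, one when the
        # falling threshold is crossed on the way back, nothing in between.
        if not self.over_threshold and rtt_ms > self.rising:
            self.over_threshold = True
            self.events.append((t, "rising", rtt_ms))
        elif self.over_threshold and rtt_ms < self.falling:
            self.over_threshold = False
            self.events.append((t, "falling", rtt_ms))


def simulate(frequency: int = 60):
    """Constructed probe series (RTT in ms, None = timeout) against a 100/80 ms threshold pair."""
    triggered: List[Tuple[int, str]] = []
    mon = IpSlaMonitor(rising_ms=100, falling_ms=80,
                       on_trigger=lambda op, t: triggered.append((t, op)))
    for i, rtt in enumerate([50, 120, 110, 90, 70, 60, None, 55]):
        mon.record(i * frequency, rtt)
    return mon, triggered


if __name__ == "__main__":
    mon, triggered = simulate()
    print(mon.events, triggered, mon.history[0].average())
```

With the defaults the monitor holds 48 x 900 s = 43200 s, the 12 hours the slide quotes; the 90 ms sample in the series raises no second trap because it sits between the two thresholds.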

TOS Marking
- Probes can be TOS marked to match the target class
- Only TOS setting is supported, no diffserv (see next slide to perform translation)

  ip sla monitor 11
   type jitter dest-ipaddr 10.52.130.68 dest-port 16384 interval 20 num-packets 1000
   tos 0x20
   frequency 60
   request-data-size 172
  ip sla monitor schedule 11 start-time now

Converting Between TOS and Precedence
In Cisco IOS the 8 ToS bits are set from right to left:
  DiffServ (RFC 2474):  D5  D4  D3  D2  D1  D0  CU  CU
  bit weight:           32  16   8   4   2   1  (CU bits always zero)
  DSCP is the 6 bits D5..D0.
DSCP to ToS: multiply by 4. DSCP to precedence: divide by 8.
ToS (binary)   ToS         DSCP   Precedence
101 000 00     160 (0xA0)  40     5
101 100 00     176 (0xB0)  44     5
001 110 00     56 (0x38)   14     1
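The ToS/DSCP/precedence translation from the slide, as an added example that is not part of the original deck: the conversions are bit shifts, the table rows are reproduced from the slide as checks, standard per-hop-behaviour names are attached where one exists, and the slide's jitter operation is re-emitted with its tos line derived from the DSCP of the class the probe should match. The function names are this example's own.

```python
from typing import NamedTuple


class TosFields(NamedTuple):
    tos: int          # full ToS byte, the value the "tos 0x.." line takes
    dscp: int         # upper 6 bits
    precedence: int   # upper 3 bits (IP precedence)
    phb: str          # DiffServ per-hop behaviour name, if the DSCP has a standard one


def dscp_to_tos(dscp: int) -> int:
    """DSCP sits in the upper 6 bits of the ToS byte: shift left 2 (multiply by 4)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Drop the two CU bits (divide by 4)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    return tos >> 2


def dscp_to_precedence(dscp: int) -> int:
    """IP precedence is the top 3 bits of the DSCP (divide by 8)."""
    return dscp >> 3


def phb_name(dscp: int) -> str:
    """Names from RFC 2474 (CS), RFC 2597 (AF) and RFC 3246 (EF); otherwise a plain label."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return "BE" if dscp == 0 else f"CS{dscp // 8}"
    cls, low = dscp >> 3, dscp & 7
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"      # AFxy: class x, drop precedence y
    return f"DSCP{dscp}"


def describe_tos(tos: int) -> TosFields:
    dscp = tos_to_dscp(tos)
    return TosFields(tos, dscp, dscp_to_precedence(dscp), phb_name(dscp))


def tos_binary(tos: int) -> str:
    """Lay the byte out as the slide does: precedence bits, remaining DSCP bits, CU bits."""
    bits = f"{tos:08b}"
    return f"{bits[:3]} {bits[3:6]} {bits[6:]}"


def jitter_probe_config(op_id: int, dest_ip: str, dest_port: int, dscp: int) -> str:
    """The slide's jitter operation with its tos line derived from the DSCP the target
    class uses, since the CLI shown takes a ToS value rather than a DSCP."""
    return "\n".join([
        f"ip sla monitor {op_id}",
        f" type jitter dest-ipaddr {dest_ip} dest-port {dest_port} interval 20 num-packets 1000",
        f" tos 0x{dscp_to_tos(dscp):02X}",
        " frequency 60",
        " request-data-size 172",
        f"ip sla monitor schedule {op_id} start-time now",
    ])


if __name__ == "__main__":
    for tos in (0xA0, 0xB0, 0x38, 0x20):
        print(tos_binary(tos), describe_tos(tos))
    print(jitter_probe_config(11, "10.52.130.68", 16384, dscp=8))
```

Run against the slide's own value, tos 0x20 is DSCP 8 (CS1, precedence 1); a probe meant to sit in the EF voice class would need tos 0xB8, and a probe marked with the wrong byte measures a different queue than the traffic it is supposed to represent.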

Uses for IP SLA Operations

Features and Supported Cisco IOS Releases (table)
Releases: 12.2(2)T, 12.2(11)T (Eng2), 12.3(4)T, 12.3(12)T
Features: ICMP Echo, ICMP Echo Path, UDP Echo, UDP with SNMP support, UDP Jitter with one-way latency, TCP Connect, FTP Get, MPLS/VPN aware, Frame Relay (CLI), ICMP Path Jitter, APM, Voice with MOS/ICPIF score, Post Dial Delay H.323/SIP
(per-release support marks not recoverable)

Cisco IOS IP SLA Partners
Cisco network management solutions: IP Communications Service Monitor (telephony monitoring), Internetworking Performance Monitor (enterprise performance measurements); third party products; new partners 2006

Things to Look For
- Provisioning
  - Does the tool provision IP SLA (easily), or do you have to do it via CLI?
  - Don't assume: some of the costly products may not do provisioning all that well
  - How much effort in turning on many IP SLA measurements?
- Reporting
  - What does the tool do for IP SLA data collection and reports?
  - Easy to set up and maintain?
- Hierarchy
  - Does the tool allow aggregation of hierarchical measurements for a more scalable set of measurements?
  - Not aware of any products that do this yet

NetFlow

What Is a Traditional IP Flow?
1. Inspect a packet's 7 key fields and identify the values
2. If the set of key field values is unique, create a flow record or cache entry
3. When the flow terminates, export the flow to the collector
(Diagram: packets -> NetFlow key fields -> NetFlow export -> reporting.)

NetFlow Key Fields: Creating Flow Records
1. Inspect packet for key field values
2. Compare set of values to NetFlow cache
3. If the set of values is unique, create a flow in cache
4. Inspect the next packet

Example 1, Packet 1                    Example 2, Packet 2
  Source IP         1.1.1.1              Source IP         3.3.3.3
  Destination IP    2.2.2.2              Destination IP    2.2.2.2
  Source port       23                   Source port       23
  Destination port  22078                Destination port  22078
  Layer 3 protocol  TCP - 6              Layer 3 protocol  TCP - 6
  TOS byte          0                    TOS byte          0
  Input interface   Ethernet 0           Input interface   Ethernet 0

Example 1 creates a flow record in the cache; Example 2 adds a new flow to the NetFlow cache (its source IP differs):
  Source IP   Dest. IP   Dest. I/F   Protocol   TOS   Pkts
  1.1.1.1     2.2.2.2    E1          6          0     11000
  3.3.3.3     2.2.2.2    E1          6          0     11000

NetFlow: What Is a Flow?
- A flow is a stream of traffic from a source to a destination that moves across a device
- Seven fields identify flows
  - Source IP address
  - Destination IP address
  - Source port number
  - Destination port number
  - Layer 3 protocol type
  - ToS byte
  - Input logical interface (ifIndex)

Traditional Layer 3 NetFlow Cache (key fields in yellow, non-key fields in white on the slide)
1. Create and update flows in the NetFlow cache
2. Expiration
   - Inactive timer expired (15 sec is default)
   - Active timer expired (30 min (1800 sec) is default)
   - NetFlow cache is full (oldest flows are expired)
4. Export version
5. Transport protocol
Export packet: header + payload (flows); non-aggregated flows, export version 5 or 9; 30 flows per 1500 byte export packet
(Sample cache rows on the slide, including 10.0.23.2 and A2/24 entries, are not recoverable.)

NetFlow: What Kind of Information Does a Device Send About a Flow?
- Currently, devices export flow information for ingress traffic only
- Devices export NetFlow Data Export (NDE) in UDP packets
- NDE includes flow information such as
  - Source address, destination address
  - Bytes, packets
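The flow-creation steps and the cache expiration rules from the two NetFlow slides above, as an added example that is not part of the original deck: packets are keyed on the seven fields, a matching key updates the existing record, and a pass of the timers expires flows on the 15 s inactive and 30 min active defaults or when the cache is full, after which they are grouped 30 to an export packet. The two packets are constructed from the slide's examples (Ethernet 0 is given ifIndex 1 and a 60-byte length); class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


class FlowKey(NamedTuple):
    """The seven key fields; a packet belongs to exactly one flow by this tuple."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    tos: int
    input_ifindex: int


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, inactive_timeout: float = 15, active_timeout: float = 1800,
                 max_entries: int = 65536):
        self.inactive_timeout = inactive_timeout   # IOS default 15 s
        self.active_timeout = active_timeout       # IOS default 30 min
        self.max_entries = max_entries
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []       # everything handed to the exporter so far

    def observe(self, pkt: dict, now: float) -> FlowRecord:
        """Steps 1-4 from the slide: key the packet, match or create, update counters."""
        key = FlowKey(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
                      pkt["protocol"], pkt["tos"], pkt["input_ifindex"])
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                self._expire_oldest()              # cache full: least recently active flow goes
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.last_seen = now
        return rec

    def expire(self, now: float) -> List[FlowRecord]:
        """Run the inactive and active timers; returns the flows exported on this pass.
        A long-lived flow hit by the active timer is exported and re-created by its next packet."""
        done = [rec for rec in self.cache.values()
                if now - rec.last_seen >= self.inactive_timeout
                or now - rec.first_seen >= self.active_timeout]
        for rec in done:
            del self.cache[rec.key]
        self.exported.extend(done)
        return done

    def _expire_oldest(self) -> None:
        oldest = min(self.cache.values(), key=lambda r: r.last_seen)
        self.exported.append(self.cache.pop(oldest.key))


def export_datagrams(flows: List[FlowRecord], flows_per_packet: int = 30) -> List[List[FlowRecord]]:
    """Group flows for export; 30 v5 records per datagram keeps it inside a 1500-byte packet."""
    return [flows[i:i + flows_per_packet] for i in range(0, len(flows), flows_per_packet)]


# Constructed packets matching the slide's two examples (Ethernet 0 given ifIndex 1).
PACKET_1 = {"src_ip": "1.1.1.1", "dst_ip": "2.2.2.2", "src_port": 23, "dst_port": 22078,
            "protocol": 6, "tos": 0, "input_ifindex": 1, "length": 60}
PACKET_2 = dict(PACKET_1, src_ip="3.3.3.3")

if __name__ == "__main__":
    fc = FlowCache()
    fc.observe(PACKET_1, 0.0)
    fc.observe(PACKET_2, 0.5)
    fc.observe(PACKET_1, 1.0)               # same key fields: updates the first flow
    print(len(fc.cache), "flows;", len(fc.expire(16.5)), "expired by the inactive timer")
```

The cache-full path is the one worth watching operationally: a burst of packets with many distinct key tuples fills the table and starts evicting older flows early, so export records arrive with shorter durations than the traffic actually had.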

NetFlow NDE Versions (table)
Fields: src addr, dst addr, src port, dst port, nexthop, SNMP input, SNMP output, prot, tos, flags, flows, octets, packets, start time, end time, src as, dst as, src mask, dst mask, router sc, src prefix, dst prefix
Columns: the NDE versions, including the version 8 aggregation schemes (Static, SrcPrefix, Prefix) and version 9 (per-version field marks not recoverable)
- Version 9 templates define NDE fields and lengths
  - NetFlow version 9 is the IETF standard mechanism for information export: IPFIX

NetFlow: What Do Customers Do with NetFlow?
- Network traffic analysis
- Billing and accounting
- Anomaly detection
- Capacity planning
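A decoder for the fixed-layout NDE version 5 datagram whose fields the table lists, as an added example that is not part of the original deck: the 24-byte header and 48-byte records are unpacked with their published field order, the header's count is checked against the payload length before any record is read, and a builder constructs test input. The sample flow is constructed (the 1.1.1.1 to 2.2.2.2 TCP 23 to 22078 tuple is the slide's; next hop, counters, timestamps and masks are invented for the example).

```python
import socket
import struct
from typing import List, NamedTuple, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow


class V5Header(NamedTuple):
    version: int
    count: int
    sys_uptime: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_interval: int


class V5Flow(NamedTuple):
    src_addr: str
    dst_addr: str
    next_hop: str
    input_if: int       # SNMP ifIndex
    output_if: int
    packets: int
    octets: int
    first: int          # sysUptime at flow start, ms
    last: int           # sysUptime at last packet, ms
    src_port: int
    dst_port: int
    tcp_flags: int
    protocol: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Flow]]:
    """Decode one NDE version 5 datagram, refusing anything whose length does not add up."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = V5Header(*V5_HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError(f"not NetFlow v5 (version field {hdr.version})")
    if len(datagram) < V5_HEADER.size + hdr.count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(hdr.count):
        (src, dst, nh, inp, out, pkts, octs, first, last, sp, dp, _pad1,
         flags, prot, tos, sas, das, smask, dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(V5Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nh),
                            inp, out, pkts, octs, first, last, sp, dp, flags, prot, tos,
                            sas, das, smask, dmask))
    return hdr, flows


def is_valid_v5(datagram: bytes) -> bool:
    """True if the datagram parses; the collector drops anything else before using it."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(flows: List[V5Flow], sys_uptime: int = 0, unix_secs: int = 0,
             flow_sequence: int = 0) -> bytes:
    """Encode flows as a v5 datagram (used here to construct test input for the parser)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.src_addr), socket.inet_aton(f.dst_addr),
                       socket.inet_aton(f.next_hop), f.input_if, f.output_if, f.packets,
                       f.octets, f.first, f.last, f.src_port, f.dst_port, 0, f.tcp_flags,
                       f.protocol, f.tos, f.src_as, f.dst_as, f.src_mask, f.dst_mask, 0)
        for f in flows)
    return V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0) + body


# Constructed flow: the slide's 1.1.1.1 -> 2.2.2.2 TCP 23 -> 22078 tuple with invented counters.
SAMPLE_FLOW = V5Flow("1.1.1.1", "2.2.2.2", "10.0.23.2", 1, 2, 11000, 660000, 1000, 61000,
                     23, 22078, 0x18, 6, 0, 0, 0, 24, 24)

if __name__ == "__main__":
    hdr, flows = parse_v5(build_v5([SAMPLE_FLOW] * 30, sys_uptime=61000))
    print(hdr.count, "flows in", len(build_v5([SAMPLE_FLOW] * 30)), "bytes;", flows[0])
```

Thirty records come to 24 + 30 x 48 = 1464 bytes, which is why the earlier slide quotes 30 flows per 1500-byte export packet; a 31st record would push the datagram to 1512 bytes. NDE is plain UDP with no authentication, so a collector should at least pin the exporter source addresses and reject datagrams whose count and length disagree.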

NetFlow Reporting Application Examples (screenshots)
NetQoS, AdventNet, IBM Aurora, Partner

NBAR

NBAR Principles
- Network-Based Application Recognition classifies traffic by protocol (layer 4-7)
- NBAR supports the following QoS features:
  - Guaranteed bandwidth with Class-Based Weighted Fair Queuing (CBWFQ)
  - Policing and limiting bandwidth
  - Marking (ToS or IP DSCP)
  - Drop policy with weighted random early detection (WRED)
- Accounting functionality is enabled via the NBAR feature "protocol discovery"
- Protocol discovery analyzes application traffic patterns in real time and discovers which traffic is running on the network
  - Per interface, per application, bidirectional (input and output)
  - Statistics: bit rate (bps), packet counts, byte counts
- Information: http://www.cisco.com/go/nbar

NBAR Details: Stateful/Dynamic Inspection
IP packet (ToS byte) -> TCP/UDP packet (source IP addr, dest IP addr, src port, dst port) -> data packet (sub-port / deep packet inspection)
Examples: Nntp, Rcmd, Tftp, Citrix, Napster, Vdolive, Xwindows
NBAR currently supports 90 protocols/applications

NBAR show Command
  router# show ip nbar protocol-discovery interface FastEthernet ...
Output per protocol (http, pop3, snmp, ftp, ...) and Total: Input and Output packet count, byte count, 5 minute bit rate (the counter values did not survive transcription)

NetFlow and NBAR Differentiation
NetFlow:
- Monitors data in Layers 2 thru 4
- Determines applications by port
- Utilizes a 7-tuple for flow
- Flow information: who, what, when, where
NBAR:
- Examines data from Layers 3 thru 7
- Utilizes Layers 3 & 4 plus packet inspection for classification
- Stateful inspection of dynamic port traffic
- Packet and byte counts
(Diagram: link, source IP address, destination IP address and TCP/UDP header ports are NetFlow's scope; the data payload is NBAR's deep packet (payload) inspection.)

NBAR and AutoQoS
- Cisco IOS AutoQoS feature has two flavors
  1. AutoQoS for VoIP: one stage mechanism, creates pre-defined policy maps for voice traffic
  2. AutoQoS Enterprise
     - I) Turn on the discovery mode and gather traffic statistics: (config-if)# auto discovery qos
     - II) A policy map is created based on the detected traffic with suggested bandwidth settings per class
     - Two modes
       - "Trusted mode" in case DSCP has been set correctly
       - "Untrusted mode" discovers applications by leveraging NBAR
- Introduced in 12.3 T

Cisco AutoQoS for Enterprise: Procedure
1. Invoke "auto discovery qos" on the applicable link; use "show auto discovery qos" to view data collection in progress
2. Automatically configure the link with the "auto qos" command; use "show auto qos" to display the QoS policy settings deployed
3. Use "auto discovery trust" in the core if DSCP values are already assigned at the edge

Traffic Class              DSCP
IP Routing                 CS6
Interactive Voice          EF
Interactive Video          AF41
Streaming Video            CS4
Telephony Signaling        CS3
Transaction/Interactive    AF21
Network Management         CS2
Bulk Data                  AF11
Best Effort                0
Scavenger                  CS1

Cisco AutoQoS: Discovery in Progress
  router# show auto discovery qos
  AutoQoS Discovery enabled for applications
  Discovery up time: 2 days, 55 minutes
  AutoQoS Class information:
  Class VoIP:
    Recommended Minimum Bandwidth: 517 Kbps/50% (PeakRate)
    Detected applications and data:
    Application/    AverageRate   PeakRate   Total
    Protocol        (kbps/%)      (kbps/%)   (bytes)
    rtp audio       76/7          517/50     703104
  Class Interactive Video:
    Recommended Minimum Bandwidth: 24 Kbps/2% (AverageRate)
    rtp video       24/2          5337/52    704574
  Class Transactional:
    Recommended Minimum Bandwidth: 0 Kbps/0% (AverageRate)
    citrix          36/3          74/7       30212
    sqlnet          12/1          7/         11540
Note: Review Recommendations

Cisco AutoQoS: Suggested Policy
Recommended policy is based on AutoDiscovery statistics. Options: continue AutoDiscovery (policy may change); copy and change the policy (offline).
  Suggested AutoQoS Policy for the current uptime:
  !
  class-map match-any AutoQoS-Voice-Et3/1
   match protocol rtp audio
  !
  class-map match-any AutoQoS-Inter-Video-Et3/1
   match protocol rtp video
  !
  class-map match-any AutoQoS-Signaling-Et3/1
   match protocol sip
   match protocol rtcp
  !
  class-map match-any AutoQoS-Transactional-Et3/1
   match protocol citrix
  !
  class-map match-any AutoQoS-Bulk-Et3/1
   match protocol exchange
  !
  policy-map AutoQoS-Policy-Et3/1
   class AutoQoS-Voice-Et3/1
    priority percent 1
    set dscp ef
   class AutoQoS-Inter-Video-Et3/1
    bandwidth remaining percent 1
    set dscp af41
   class AutoQoS-Signaling-Et3/1
    bandwidth remaining percent 1
    set dscp cs3
   . . .
   class AutoQoS-Transactional-Et3/1
    bandwidth remaining percent 1
    random-detect dscp-based
    set dscp af21
   class AutoQoS-Bulk-Et3/1
    bandwidt
