Viewing Network Utilization
Many network administrators today still
do not know what type of traffic is consuming network capacity, what the top
applications are, and who the top talkers are. Most routers, switches, and other
network devices today include feature sets that provide network administrators
with the information necessary to examine how the network is being used. Some of
these feature sets provide real-time analysis of network utilization, and others
provide a historical view of network utilization. Both types of data enable the
network administrator to prove and establish a baseline for network
utilization.
This section examines two commonly
used mechanisms, NetFlow and NBAR, for viewing network utilization
characteristics at a very granular level. Once collected, this data is useful to
network administrators not only to get a better grasp on how the network is
being used, but also to choose relative priority among applications, data, and
nodes that consume network capacity.
NetFlow
NetFlow is a set of instrumentation
tools, pioneered by Cisco, that allows network administrators to characterize
network operation and utilization. NetFlow was developed and patented by Cisco
in 1996 as NetFlow version 1. NetFlow v1 provided basic characterization of
flows based on the common 5-tuple (source and destination IP addresses, source
and destination TCP ports, and IP protocol).
NetFlow has evolved into a more robust
system of flow characterization, NetFlow v5, which is the most commonly used
version of NetFlow today. NetFlow v6 added additional details related to
encapsulation. NetFlow v7 provided extensions to support the Catalyst 5000
family switch with a NetFlow feature card (NFFC) installed. NetFlow v8 provided
enhancements necessary to enable router-based aggregation. Router-based
aggregation allows the router to group multiple traditional flows together,
thereby minimizing router resource utilization.
NetFlow v9, the latest version of
NetFlow at the time of this writing, provides a flexible and extensible export
format. NetFlow v9 (RFC 3954) accommodates new NetFlow-supported technologies
such as IP Multicast, Multiprotocol Label Switching (MPLS), Network Address
Translation (NAT), and Border Gateway Protocol (BGP). Given the widespread
adoption of NetFlow, NetFlow v9 became the foundation for the IP Flow
Information Export (IPFIX) standard, which can be found as RFC 3917.
NetFlow allows network administrators to have visibility into the network, which
is necessary to better understand the following:
- Applications and network utilization: Enables network administrators to examine
  a history of traffic flows to determine how many flows exist between connected
  nodes and the amount of bandwidth capacity being utilized between them.
- Overall network capacity consumption: Allows network administrators to better
  understand how much of the network is being utilized holistically to determine
  if additional capacity is required to support productivity and
  business-critical applications.
NetFlow is primarily used for baselining application requirements and network
utilization for the purpose of determining what configuration of prioritization
and control should be employed. NetFlow can also be used to assess the impact of
changes to the network, assess network anomalies, identify security
vulnerabilities, provide facilities for charge-back and bill-back, diagnose
network performance problems (such as bandwidth "hogs"), and perform access
monitoring. Given the focus of this book on application performance, these
capabilities of NetFlow are not discussed.
NetFlow operation involves two key components:
- A NetFlow-enabled device
- A NetFlow collector
NetFlow-Enabled Device
A NetFlow-enabled device (which includes most routers and switches), when
configured, keeps a cache of IP flows that have traversed that device. An IP flow
is a series of packets with matching packet attributes. An IP flow generally
includes five attributes and up to a maximum of seven attributes, as follows:
- Source IP address: The source IP address within the packet being transmitted
- Destination IP address: The destination IP address within the packet being
  transmitted
- IP protocol number and type: The protocol as defined by the IP packet header
  (that is, TCP, UDP, ICMP, or others)
- Source port: The source port number of the Layer 4 header
- Destination port: The destination port number of the Layer 4 header
- Type of service (ToS) identifier: The bits tagged within the type of service,
  or ToS, byte within the IP header, denoting priority
- Router or switch interface: The interface at which the packet from the flow
  was received
When packets with matching attributes are identified on an interface configured
for NetFlow, they are grouped internally by the NetFlow device and counters are
generated and maintained against the matching packets. This information is
stored in a NetFlow cache and contains details about each of the identified
flows and counter data related to those flows. Furthermore, additional
information can be gathered about these flows, including:
- Timestamps: Help to determine the longevity of the flow to provide analysis
  and summarization of traffic and network utilization based on the time of day
- Next-hop information: Includes the next-hop IP address and routing
  protocol-specific information such as the BGP autonomous system (AS)
- Subnet mask: Used to determine the network that the flow is related to
- TCP flags: Bits contained within the TCP header that identify handshakes and
  other signaling, including synchronization and resets
You can examine this information in real time using a device's CLI or GUI, which
is helpful in troubleshooting and examining real-time utilization. You also can
configure the device to export flows in the cache that have terminated to a node
on the network (typically a PC or a server) that is configured to receive export
packets containing NetFlow data, commonly called a NetFlow collector.
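As an added illustration (not code from the book or from Cisco IOS), here is a small Python model of the cache just described: packets are grouped by the seven flow attributes, per-flow packet and octet counters plus a cumulative TCP-flag field are kept, and a flow is moved to an export queue when a FIN or RST is seen or when it has been idle longer than an assumed inactive timeout. The packets and the 15-second timeout are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample packets (hypothetical traffic), one tuple per packet:
# (timestamp_s, src_ip, dst_ip, ip_proto, sport, dport, tos, in_ifindex, length, tcp_flags)
# ip_proto 6 = TCP, 17 = UDP. TCP flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10.
PACKETS = [
    (100.0, "10.0.0.5", "10.0.1.20", 6, 51000, 80, 0, 1, 60, 0x02),   # SYN
    (100.1, "10.0.0.5", "10.0.1.20", 6, 51000, 80, 0, 1, 52, 0x10),   # ACK
    (100.2, "10.0.0.5", "10.0.1.20", 6, 51000, 80, 0, 1, 512, 0x18),  # PSH+ACK with data
    (100.3, "10.0.0.7", "10.0.1.53", 17, 40000, 53, 0, 1, 80, 0),     # DNS query
    (103.0, "10.0.0.5", "10.0.1.20", 6, 51000, 80, 0, 1, 52, 0x11),   # FIN+ACK
]

@dataclass
class Flow:
    first: float          # timestamp of the first packet seen
    last: float           # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # cumulative OR of every TCP flag seen on the flow

class FlowCache:
    # Groups packets by the 7-tuple and keeps per-flow counters until the flow terminates
    def __init__(self, inactive_timeout=15.0):
        self.cache = OrderedDict()       # 7-tuple -> Flow: the active NetFlow-style cache
        self.inactive_timeout = inactive_timeout
        self.exported = []               # terminated flows, ready to send to the collector
    def process(self, pkt):
        ts, src, dst, proto, sport, dport, tos, ifindex, length, flags = pkt
        key = (src, dst, proto, sport, dport, tos, ifindex)   # the seven flow attributes
        flow = self.cache.get(key)
        if flow is None:
            flow = self.cache[key] = Flow(first=ts, last=ts)
        flow.packets += 1
        flow.octets += length
        flow.last = ts
        flow.tcp_flags |= flags
        if proto == 6 and flags & 0x05:  # FIN or RST seen: the connection is torn down
            self._expire(key)
        self.expire_inactive(ts)
    def _expire(self, key):
        self.exported.append((key, self.cache.pop(key)))
    def expire_inactive(self, now):
        # Flows idle for longer than inactive_timeout are also treated as terminated
        for key, flow in list(self.cache.items()):
            if now - flow.last > self.inactive_timeout:
                self._expire(key)
```

Feeding PACKETS through a FlowCache leaves the UDP DNS flow in the cache and exports the TCP flow at its FIN with 4 packets, 676 octets and a flag mask of 0x1B.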
NetFlow Collector
Exporting terminated flows (that is,
when a TCP connection is torn down) to a NetFlow collector is helpful because it
not only enables long-term retention of statistics related to previously seen
flows for offline analysis, reporting, and baselining, but also removes the need
for the network device itself (that is, a router or switch) to maintain this
data long-term, thereby ensuring precious NetFlow device resources are kept
relatively free. These flows are exported to the NetFlow collector using UDP
packets and typically contain information for 30 to 50 flows at a time.
Figure 3-1 shows the process of NetFlow collection on a router with
export to a collector. Figure 3-2 shows a more granular view of the data collected by
NetFlow.
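An added example, not from the book or from any vendor's collector, of what a collector must do with each UDP export datagram it receives, using the fixed NetFlow v5 record layout (a 24-byte header followed by 48-byte flow records); the datagram and all flow values are constructed inline.

```python
import socket
import struct

# NetFlow v5 export datagram: a 24-byte header followed by up to 30 fixed 48-byte flow
# records (24 + 30 * 48 = 1464 bytes, which fits in a standard Ethernet MTU).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "octets", "first_ms",
                 "last_ms", "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as",
                 "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(data: bytes) -> dict:
    """Decode one export datagram into header fields plus a list of flow dicts."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling = \
        V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but datagram is {len(data)} bytes")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for addr in ("src", "dst", "nexthop"):
            rec[addr] = socket.inet_ntoa(rec[addr])   # 4 raw bytes -> dotted quad
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return {"sys_uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq,
            "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF, "flows": flows}

# Constructed export datagram (hypothetical values) carrying two terminated flows.
SAMPLE_FLOWS = [
    # src, dst, nexthop, in_if, out_if, pkts, octets, first_ms, last_ms, sport, dport, flags, proto
    ("10.0.0.5", "10.0.1.20", "10.0.1.1", 1, 2, 4, 676, 100000, 103000, 51000, 80, 0x1B, 6),
    ("10.0.0.7", "10.0.1.53", "10.0.1.1", 1, 2, 2, 180, 100300, 100310, 40000, 53, 0x00, 17),
]

def build_sample_datagram() -> bytes:
    ip = socket.inet_aton
    body = b"".join(
        V5_RECORD.pack(ip(s), ip(d), ip(n), i, o, p, oc, f, l, sp, dp,
                       0, fl, pr, 0, 65000, 65001, 24, 24, 0)   # pad1, tos, ASNs, masks, pad2
        for s, d, n, i, o, p, oc, f, l, sp, dp, fl, pr in SAMPLE_FLOWS)
    header = V5_HEADER.pack(5, len(SAMPLE_FLOWS), 103500, 1200000000, 0, 1, 0, 0, 0)
    return header + body
```

A real collector also tracks flow_sequence across datagrams, since a gap there is the only sign that a UDP export was lost.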
Many applications exist that allow
for in-depth and thorough analysis of NetFlow data, including products from
Cisco, CA, Hewlett-Packard, InfoVista, NetQoS, and many others. These
applications are helpful in analyzing the data presented by NetFlow and
correlating the data into various reports, including these:
Many of these applications
also couple other mechanisms for analyzing performance metrics such as Simple
Network Management Protocol (SNMP) polling, remote monitoring (RMON), and
traffic analysis using port mirroring. For example, Figure 3-3 shows a report
generated using NetQoS SuperAgent that provides insight into who the top talkers
on a given network are.
Figure 3-4 shows another report generated by NetQoS SuperAgent
that displays the top applications found on the network.
Figure 3-5 shows a NetQoS SuperAgent
report that displays network utilization trends over a 4-hour period, and a
breakdown of which applications were identified during each sample period. More
information about NetQoS can be found at http://www.netqos.com.
With the information provided by
NetFlow, network administrators can begin to fully understand how the network is
being utilized, which applications are consuming network resources at what time
of day, and which nodes are consuming the most available network capacity. Then,
they can begin the process of classification and prioritization.
For more information on Cisco IOS
NetFlow, including a detailed technical overview, visit http://www.cisco.com/go/netflow.
Network Based Application Recognition
NBAR is another mechanism that network
administrators can employ on network devices such as routers or switches to
automatically discover application protocols and collect statistics. You can use
NBAR in conjunction with NetFlow to provide a more granular view of specific
applications that are using the network. While NetFlow examines primarily Layer
3 (network) and Layer 4 (transport) information to quantify network consumption
on a flow-by-flow basis, NBAR examines data not only at Layer 4 (transport
layer, port identification), but also all the way up to Layer 7 (application
layer).
NBAR provides deep packet inspection
(DPI) capabilities to classify and quantify application-specific network
utilization. This means that NBAR can go beyond examination of traditional IP
address and port information and examine the payload of traffic flows to
identify the application that is being transported across the network. This
allows NBAR to uniquely classify and differentiate application traffic within a
shared connection (for instance, a print job within a remote desktop session).
Figure 3-6 shows a comparison of NBAR and NetFlow in terms of which aspects of
network traffic each can examine.

While both NetFlow and NBAR provide
flow identification at Layer 3 and Layer 4, each provides a different set of
capabilities that are useful to a network administrator who wishes to align
network resources with relative business and application priority. NetFlow is
helpful in tracking the longevity of flows on the network and providing the data
necessary to analyze network utilization characteristics. NBAR provides
administrators with an application-based view rather than a network-based view,
yielding insight into which applications are actually the consumers of the
available network resources. NBAR is used not only for visibility into
application flows traversing a network, but also to provide traffic
classification necessary to employ QoS actions.
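To make the Layer 4 versus Layer 7 distinction concrete, here is an added Python example (not NBAR's own code or signature set) that classifies the same constructed flows once by destination port, as a port-based view would, and once by a few simplified payload signatures; the flows and signatures are constructed for illustration.

```python
# Constructed sample flows (hypothetical traffic): (src, dst, proto, sport, dport, first payload bytes)
FLOWS = [
    ("10.0.0.5", "10.0.1.20", 6, 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.0.0.9", "198.51.100.7", 6, 52010, 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.5", "10.0.1.30", 6, 51200, 8080, b"POST /api/upload HTTP/1.1\r\n"),
    ("10.0.0.5", "10.0.1.40", 6, 51300, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.7", "10.0.1.53", 17, 40000, 53, b"\x12\x34\x01\x00\x00\x01"),
]

# Layer 4 view: all a port-based classification can say about a flow.
WELL_KNOWN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "https"}

def classify_by_port(dport: int) -> str:
    return WELL_KNOWN_PORTS.get(dport, "unknown")

# Layer 7 view: simplified payload signatures standing in for NBAR's protocol matching.
# Illustrative patterns only, not the real NBAR signatures.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
PAYLOAD_SIGNATURES = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("http", lambda p: p.startswith(HTTP_METHODS) or p.startswith(b"HTTP/1.")),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),   # TLS record header
]

def classify_by_payload(dport: int, payload: bytes) -> str:
    for name, matches in PAYLOAD_SIGNATURES:
        if matches(payload):
            return name
    return classify_by_port(dport)   # no payload match: fall back to the port

def compare_views(flows=FLOWS):
    """Return (dport, port_view, payload_view) per flow so the two layers can be compared."""
    return [(dport, classify_by_port(dport), classify_by_payload(dport, payload))
            for _, _, _, _, dport, payload in flows]

def mismatches(flows=FLOWS):
    # Flows where the port label and the payload label disagree: the cases DPI exists for
    return [row for row in compare_views(flows) if row[1] != row[2]]
```

On the sample traffic the two views disagree exactly where a port-only view is misleading: peer-to-peer traffic on port 80 and HTTP on port 8080.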
Note
The following list summarizes
applications that NBAR is able to recognize. For more information on Cisco IOS
NBAR, including a detailed technical overview, visit http://www.cisco.com/go/nbar.
| Category | Applications and protocols recognized |
|---|---|
| Enterprise Applications | Citrix ICA, pcAnywhere, Novadigm, SAP |
| Routing Protocols | BGP, EGP, EIGRP, OSPF, RIP |
| Network Management | ICMP, SNMP, Syslog, RPC, NFS, SUN-RPC |
| Database | SQL*NET, Microsoft SQL Server |
| Security and Tunneling | GRE, IPINIP, IPsec, L2TP, MS-PPTP, SFTP, SHTTP, SIMAP, SIRC, SLDAP, SNNTP, SPOP3, STELNET, SOCKS, SSH |
| Voice | H.323, RTCP, RTP, SIP, SCCP/Skinny, Skype |
| Network Mail Services | IMAP, POP3, Exchange, Notes, SMTP |
| Directory | DHCP/BOOTP, Finger, DNS, Kerberos, LDAP |
| Streaming Media | CU-SeeMe, Netshow, Real Audio, StreamWorks, VDOLive, RTSP, MGCP |
| Signaling | RSVP |
| Internet | FTP, Gopher, HTTP, IRC, Telnet, TFTP, NNTP, NetBIOS, NTP, Print, X-Windows |
| Peer-to-Peer | BitTorrent, Direct Connect, eDonkey/eMule, FastTrack, Gnutella, Kazaa, WinMX |