plixer International Successful Ways to use NetFlow and IP SLA
38 Slides1.74 MB
plixer International Successful Ways to use NetFlow and IP SLA Wednesday June 17th 10:45am – 12:15pm Presenter Name Michael Patterson – Product Manager Michael Krygeris - Software Developer SHARKFEST '09 Stanford University June 15-18, 2009 SHARKFEST '09 Stanford University June 15–18, 2009
plixer International NetFlow Michael Patterson Product Manager – Scrutinizer.com SHARKFEST '09 Stanford University June 15–18, 2009
What is NetFlow plixer International NetFlow is a network protocol developed by Cisco to run on IOS equipment. It collects IP traffic information less the detail of a packet analyzer. The Router / Switch aggregates traffic into flows and sends up to 30 of them in a single NetFlow packet. A single NetFlow v5 packet can represent thousands of IP Frames from up to 30 hosts. SHARKFEST '09 Stanford University June 15–18, 2009
Applications for NetFlow plixer International Accounting Usage-based network billing Network planning Security Denial of Service monitoring Network monitoring http://www.cisco.com/en/US/products/ps6601/products ios protocol group home.html SHARKFEST '09 Stanford University June 15–18, 2009
NetFlow Complements WireSharkplixer International NetFlow Reporting provides details on: – Top Applications, Hosts, Autonomous Systems, Subnets (i.e. IP Groups), Types of Service, etc. WireShark Reporting provides packet level details on everything that went over the wire. The problem is that a distributed solution can be expensive. SHARKFEST '09 Stanford University June 15–18, 2009
Distributed Analysis plixer International Mirrored Port NetFlow allows most customers to leverage existing routers 90% of the benefits of a packet analyzers NetFlow Analyzer without deploying more computers 2% - 3% load on CPU of equipment Increases network traffic by 1% - 3% of existing traffic load WireShark Chicago Boston Paris, France SHARKFEST '09 Stanford University June 15–18, 2009 San Jose Internet NetFlow Data Router Switch 10 NetFlow enabled interfaces
Enabling NetFlow & sFlow plixer International NetFlow sFlow Cisco Enterasys Adtran Riverbed Juniper 3Com Force10 Enterasys Extreme HP Foundry http://www.plixer.com/products/scrutinizer activate-netflow.php SHARKFEST '09 Stanford University June 15–18, 2009
NetFlow v9 Ingress Vs. Egress plixer International NetFlow v9 Ingress is collected on traffic going into (i.e. inBound) an interface. This is how NetFlow v5 collects data. To figure out outBound traffic volume, ingress must be collected on all interfaces and the reporting software then displays outbound traffic. What goes in must go out, right? NetFlow v9 Egress is collected on traffic going out (i.e. outBound) of an interface. Generally, it is used in combination with Ingress, but it doesn’t have to be. Why collect with egress? Hardware such as WAN optimizers compress data. Traffic compression with Cisco NetFlow means that what comes in 100 bytes might go out as 50 bytes. If only using ingress flows, the NetFlow reporting software will show 100 bytes outbound, even if it was compressed to 50 bytes. This is because it was calculated using ingress flows. http://www.plixer.com/blog/scrutinizer/netflow-version-9-egress-vs-ingress/ SHARKFEST '09 Stanford University June 15–18, 2009
Egress Vs. Ingress plixer International http://www.plixer.com/blog/scrutinizer/netflow-version-9-egress-vs-ingress/ SHARKFEST '09 Stanford University June 15–18, 2009
WireShark needs a NetFlow v9 Template plixer International http://www.plixer.com/blog/general/wireshark-needs-templates-to-decipher-netflow-v9/ SHARKFEST '09 Stanford University June 15–18, 2009
Top N Reports plixer International Top Hosts, Applications, ToS, Autonomous Systems, IP Groups, subnets, etc. Demonstration http://www.plixer.com/products/free-netflow.php SHARKFEST '09 Stanford University June 15–18, 2009
ToS: DiffServ plixer International SHARKFEST '09 Stanford University June 15–18, 2009
CBQoS plixer International Ingress Flow Egress Flow Confirm whether CBQoS configurations on the Cisco router are working as planned. Blog: http://www.plixer.com/blog/denika/using-cbqos-to-monitor-qos-on-your-network/ SHARKFEST '09 Stanford University June 15–18, 2009
Network Behavior Analysis plixer International SHARKFEST '09 Stanford University June 15–18, 2009
NetFlow Wrap Up plixer International WireShark provides the details when you need to dig in and see everything NetFlow Reporting provides the high level details admins need 90% of the time NetFlow (sFlow) can easily be widely collected SHARKFEST '09 Stanford University June 15–18, 2009
plixer International IP SLA Michael Krygeris Software Developer – plixer.com SHARKFEST '09 Stanford University June 15–18, 2009
What is IP SLA plixer International Cisco IOS IP Service Level Agreements (SLAs) enables customers to perform service level monitoring by measuring both end-to-end latency, packet loss, etc. at the IP layer. With Cisco IOS IP SLAs, users can verify service guarantees, increase network reliability by validating network performance and proactively identify network issues. Cisco IOS IP SLAs use active monitoring to generate traffic in a continuous, reliable, and predictable manner, thus enabling the measurement of network performance and health. http://www.cisco.com/en/US/products/ps6602/products ios protocol group home.html SHARKFEST '09 Stanford University June 15–18, 2009
Applications for IP SLA plixer International IP SLA: Jitter IP SLA: ICMP Echo Configuration IP SLA: TCP Connect Configuration IP SLA: HTTP IP Configuration Others: – MOS (Mean Opinion Score) Involves setting up the correct VoIP codec for your PBX A MOS 5 is not realistic Requires a Jitter Probe – DNS lookup SHARKFEST '09 Stanford University June 15–18, 2009 http://www.plixer.com/blog/general/plixer-and-cisco-ip-sla-jitter-part-1-of-4/
IP SLA : HTTP IP Configuration plixer International The results of an HTTP operation can be useful in monitoring your web server performance levels by determining the RTT taken to retrieve a web page. The HTTP operation measures the round-trip time (RTT) between a Cisco device and an HTTP server to retrieve a web page. The HTTP server response time measurements consist of three types: – DNS Lookup—RTT taken to perform domain name lookup. – TCP Connect—RTT taken to perform a HTTP TCP connection. HTTP Transaction Time—RTT taken to send a request and get a response from the HTTP serverThe operation retrieves only the home HTML page. White Paper: http://www.plixer.com/support/wp request.php?w4 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : HTTP IP Configuration plixer International Router# show ip sla monitor configuration Router# config t Router (config)# ip sla monitor 1-2147483647 Router(config-sla-monitor-http)# type http operation get url url Router(config-sla-monitor-http)# tag Description of this IP SLA Operation Router(config-sla-monitor-http)# frequency 1-604800 Router (config-sla-monitor-http)# owner person or group Router (config-sla-monitor-http)# tos 0-255 Router(config-sla-monitor-http)# exit Router(config)# ip sla monitor schedule 1-2147483647 start-time now life forever Router# show ip sla monitor configuration statistics 1-2147483647 Router# show ip sla monitor configuration 1-2147483647 Router (config)# no ip sla monitor 1-2147483647 White Paper: http://www.plixer.com/support/wp request.php?w4 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : HTTP IP Configuration plixer International SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : ICMP Echo Configurationplixer International The ICMP Echo operation measures end-to-end response time between a Cisco router and any device with an IP Address. The response time is computed by measuring the time taken between sending an ICMP Echo request and receiving the Echo reply. ICMP Echo response times can be measured between Cisco routers by enabling the IP SLA Responder. Using another Cisco router is not required. White Paper: http://www.plixer.com/support/wp request.php?w6 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : ICMP Echo Configurationplixer International Router (config)# ip sla monitor responder Router (config)# exit Router# show ip sla monitor responder Router# show ip sla monitor configuration Router (config)# ip sla monitor 1-2147483647 Router(config-sla-monitor)# type echo protocol ipicmpecho ip address or Hostname Router(config-sla-monitor-echo)# tag Description of this IP SLA Operation Router(config-sla-monitor-echo)# frequency 1-604800 Router(config-sla-monitor-echo)#owner Name of person or group Router (config-sla-monitor-echo)# tos 0-255 Router(config-sla-monitor-echo)# exit Router(config)# ip sla monitor schedule 1-2147483647 start-time now life forever Router# show ip sla monitor configuration statistics 1-2147483647 Router#show ip sla monitor configuration 1-2147483647 Router (config)# no ip sla monitor 1-2147483647 White Paper: http://www.plixer.com/support/wp request.php?w6 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : ICMP Echo Configurationplixer International SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : TCP Connect Configuration plixer International The IP SLA TCP Connect operation measures the response time taken to perform a TCP Connect operation between a Cisco router and devices using IP. TCP is a transport layer (Layer 4) internet protocol that provides reliable full-duplex data transmission. The destination device can be any device using IP. TCP Connect response times can be measured between Cisco routers by enabling the IP SLA Responder. Using another Cisco router is not required. White Paper: http://www.plixer.com/support/wp request.php?w5 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : TCP Connect Configuration plixer International Router (config)# ip sla monitor responder Router (config)# ip sla monitor responder type type ipaddress ip address port 165535 Router (config)# ip sla monitor responder Router (config)# ip sla monitor responder type type ipaddress ip address port 165535 Router (config)# exit Router# show ip sla monitor responder Router# show ip sla monitor configuration Router (config)# ip sla monitor 1-2147483647 Router(config-sla-monitor)# type tcpconnect dest-ipaddr ip address or Hostname destport 1-65535 See Next Slide White Paper: http://www.plixer.com/support/wp request.php?w5 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : TCP Connect Configuration plixer International Continued Router (config-sla-monitor-tcp)# tag description of IP SLA Monitor Router(config-sla-monitor-tcp)# frequency 1-604800 Router (config-sla-monitor-jitter)# owner person or group Router (config-sla-monitor-tcp)# tos 0-255 Router(config-sla-monitor-tcp)# exit Router (config)# ip sla monitor schedule 1-2147483647 start-time now life forever Router# show ip sla monitor configuration statistics 1-2147483647 Router#show ip sla monitor configuration 1-2147483647 Router (config)# no ip sla monitor 1-2147483647 White Paper: http://www.plixer.com/support/wp request.php?w5 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : TCP Connect Configuration plixer International SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : Jitter Configuration plixer International The IP SLA UDP jitter operation was primarily designed to diagnose network suitability for real-time traffic applications such as voice over IP (VoIP), video over IP, or real-time conferencing. Jitter means inter-packet delay variance. When multiple packets are sent consecutively from source to destination, (for example, 10 ms apart) and the network is behaving ideally, the destination should be receiving them 10 ms apart. If there are delays in the network (like queuing, arriving through alternate routes, and so on) the arrival delay between packets may be greater or less than 10 ms. Latency, Packet Loss, MOS White Paper: http://www.plixer.com/support/wp request.php?w7 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : Jitter Configuration plixer International Router (config)# ip sla monitor responder Router (config)# exit Router# show ip sla monitor responder Router# show ip sla monitor configuration Router (config)# ip sla monitor 1-2147483647 Router (config-sla-monitor)# type jitter dest-ipaddr host name or ip dest-port 1-65535 codec codec advantage-factor 0-20 Router (config-sla-monitor-jitter)# tag description of IP SLA Monitor Router(config-sla-monitor-jitter)# frequency 1-604800 Router (config-sla-monitor-jitter)# owner person or group Router (config-sla-monitor-jitter)# tos 0-255 Router (config-sla-monitor-jitter)# exit Router (config)# ip sla monitor schedule 1-2147483647 start-time now life forever Router# show ip sla monitor statistics 1-2147483647 Router#show ip sla monitor configuration 1-2147483647 Router (config)# no ip sla monitor 1-2147483647 White Paper: http://www.plixer.com/support/wp request.php?w7 Yes SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA : Jitter Configuration plixer International SHARKFEST '09 Stanford University June 15–18, 2009
Demonstration plixer International Demonstration Setting up the Cisco Router Collecting the Data with SNMP SHARKFEST '09 Stanford University June 15–18, 2009 3.99
IP SLA Complements WireSharkplixer International Demonstration SHARKFEST '09 Stanford University June 15–18, 2009
NetFlow & IP SLA plixer International MOS via IP SLA Click for details Utilization via NetFlow Click for details SHARKFEST '09 Stanford University June 15–18, 2009
IP SLA Wrap Up plixer International WireShark provides the details when you need graphical packet by packet analysis of transaction latency SNMP Reporting provides the high level graphical details (e.g. latency trend) IP SLA like NetFlow allows admins to leverage existing routers as distributed probes. SHARKFEST '09 Stanford University June 15–18, 2009
plixer International Scrutinizer is to NetFlow what WireShark is to Packets Both are FREE SHARKFEST '09 Stanford University June 15–18, 2009
More Resources plixer International http://www.cisco.com/en/US/products/ps6601/products ios protocol group home.html http://www.plixer.com/support/netflow v5.html http://www.cisco.com/en/US/docs/ios/12 4/ip sla/configuration/guide/ hsthresh.html#wp1082249 http://www.plixer.com/products/free-netflow.php http://www.plixer.com/blog/general/scrutinizer-v70-for-netflow-sflow-analysis/ SHARKFEST '09 Stanford University June 15–18, 2009
plixer International SHARKFEST '09 Stanford University June 15–18, 2009
