white paper: integrating netflow data into your network...


Post on 15-Mar-2020


Page 1: White Paper: Integrating NetFlow Data into Your Network ...marco.uminho.pt/~dias/MIECOM/GR/Projs/P4/NetScout... · NetScout’s CDM™ architecture provides the underlying structure

Executive Summary

Where an easily accessible, high performing, and always-available network is essential to a company's business, visibility into its end users, business applications, and on-going traffic is crucial for fine-tuning its performance. This paper presents evidence supporting the conclusion that NetScout’s nGenius Performance Management System offers organizations a superior performance management solution based on NetFlow data sources because of its:

• Scalability

• Advanced application recognition

• Newspaper-style reporting

• Integrated troubleshooting features

• Extensibility to integrate other network traffic data sources through NetScout’s CDM™ technology.

Integrating NetFlow Data into Your Network and Application Performance Monitoring System - A Powerful Combination


What is NetFlow?

NetFlow enabled switches and routers from industry leading vendors track IP flows as they enter an enabled interface of an infrastructure device in the network. A recognized value of NetFlow is its ability to reduce data by aggregating exchanges between a source and destination as a conversation session in a single NetFlow datagram record.

Using NetFlow as a data source for network management solutions has a number of benefits.

• It can be cost-effective because the infrastructure product that switches and routes the packets also tracks and produces the NetFlow records.

• It is scalable to the number of NetFlow enabled ports and devices in the network.

• It normalizes many packet exchanges between two endpoint IP addresses into a logical flow based conversation record, reducing impact on the network when sending to collectors.

• It allows visibility into traffic on encrypted or MPLS-enabled links.

NetFlow information is transmitted in UDP datagrams that include a header along with one or more flow records. The UDP NetFlow Export Packet is approximately 1500 bytes and could include up to 50 flow records. NetFlow records are sent to a NetFlow collector by configuring the router or switch with a destination address. The packets are sent with greater frequency depending upon how busy the NetFlow enabled ports become. Current versions of NetFlow implemented in enterprise networks include NetFlow version 1, 5, 7, 8 and 9.

[Figure: diagram with the labels Cisco NetFlow Enabled Routers, nGenius Flow Collector, nGenius Probe, Collected NetFlow Data, and nGenius Performance Manager (Real Time Analysis, Reporting); the legend marks NetFlow paths.]

nGenius Flow Collectors, as well as the nGenius 9000 and 2000 Series probes, can serve as NetFlow collectors. They aggregate data from multiple routers, perform advanced application recognition, monitor and map the collected NetFlow data into the CDM framework for real-time analysis and reporting by nGenius Performance Manager.

NetFlow Datagram

A NetFlow datagram is defined by seven unique keys. These elements distinguish one NetFlow record from another.

1. Source IP address

2. Destination IP address

3. Source port number (TCP or UDP)

4. Destination port number (TCP or UDP)

5. Layer 3 Protocol Type (such as IP, ICMP)

6. Type of Service (ToS) bits

7. Input logical interface (ifIndex)

NetFlow Versions

Version 1: Original version of NetFlow

Version 5: The standard and most commonly deployed

Version 7: Specific to Cisco Catalyst 6500 and 7600 Series Switches, similar to Version 5, but does not include Autonomous System numbers, interface, TCP Flag and TOS information

Version 8: Added a choice of eleven aggregation schemes that reduce resource usage

Version 9: Added a flexible, extensible file export format for easier support of additional fields and technologies such as MPLS, Multicast, and BGP Next Hop
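As an added illustration (not NetScout code), the sketch below decodes a NetFlow version 5 export datagram, the version the list above calls the most commonly deployed, and totals bytes per seven-key conversation and per source host. Export arrives as unauthenticated UDP, so the parser checks the header's record count against the datagram length before decoding; the function names and the sample traffic are constructed for this example.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 wire layout, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte flow record
V5_MAX_RECORDS = 30   # v5 limit: 24 + 30 * 48 = 1464 bytes per datagram

# The seven keys that distinguish one flow record from another.
SEVEN_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")


class BadDatagram(ValueError):
    """Datagram failed structural validation and was not decoded."""


def parse_v5(datagram: bytes) -> list:
    """Validate one v5 export datagram and return its flow records as dicts."""
    if len(datagram) < V5_HEADER.size:
        raise BadDatagram("shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise BadDatagram(f"unsupported version {version}")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise BadDatagram(f"implausible record count {count}")
    # Never trust the sender's count: it must agree with the bytes received.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise BadDatagram("length does not match header record count")
    flows = []
    for i in range(count):
        (src, dst, _hop, in_if, _out_if, pkts, octets, _first, _last, sport,
         dport, _flags, proto, tos, src_as, dst_as, _sm, _dm) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "in_if": in_if, "packets": pkts, "octets": octets,
            "src_as": src_as, "dst_as": dst_as,
        })
    return flows


def conversations(flows):
    """Sum octets per seven-key conversation."""
    totals = Counter()
    for f in flows:
        totals[tuple(f[k] for k in SEVEN_KEYS)] += f["octets"]
    return totals


def top_talkers(flows, n=3):
    """Rank source hosts by octets sent."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["octets"]
    return totals.most_common(n)


def build_v5(records, claimed_count=None):
    """Pack constructed test records; claimed_count lets a test lie in the header."""
    count = len(records) if claimed_count is None else claimed_count
    out = V5_HEADER.pack(5, count, 0, 0, 0, 0, 0, 0, 0)
    for src, dst, sport, dport, proto, tos, in_if, pkts, octets in records:
        out += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            bytes(4), in_if, 0, pkts, octets, 0, 0, sport, dport,
            0, proto, tos, 0, 0, 0, 0)
    return out


# Constructed sample: two records of one Lotus Notes flow and one Telnet flow.
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.1.20", 40000, 1352, 6, 0, 2, 10, 9000),
    ("10.0.0.5", "10.0.1.20", 40000, 1352, 6, 0, 2, 4, 1000),
    ("10.0.0.9", "10.0.1.30", 40001, 23, 6, 0, 2, 3, 500),
]
SAMPLE = build_v5(SAMPLE_RECORDS)
```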


[Figure: diagram with the labels Cisco NetFlow Enabled Routers, Server Farm, nGenius Flow Collector, nGenius Probe, Collected NetFlow Data, and nGenius Performance Manager (Real Time Analysis, Reporting); the legend marks NetFlow paths.]

Using NetFlow Information in Enterprise Networks

Enterprises use the information collected from NetFlow for a variety of business applications. Some of these include:

• Usage Based Billing – Businesses and government agencies use NetFlow records that include IP addresses, packet and byte counts, timestamps, Type of Service, and application ports for interdepartmental billing.

• Autonomous System Traffic Engineering – NetFlow records that include autonomous system numbers, needed by ISPs to distinguish each other, are used by traffic engineers to identify trends in order to more intelligently load balance traffic over all their network paths. Autonomous system numbers are available in the Exterior Border Gateway Protocols used by routers – so they are available to routers, but not available “on the wire.”

• MPLS and VPN Traffic Analysis – MPLS affixes labels to IP traffic for prioritization and path selection, in the process obscuring important IP flow information details from many performance instrumentation technologies. IP VPNs can also obscure important flow details by encrypting traffic streams and hiding application information. NetFlow can be used to capture and preserve these important details by having either the ingress or egress edge device generate NetFlow records. In this way, crucial management visibility can be maintained.

nGenius Flow Collectors

NetFlow datagrams gathered from industry leading routers and/or switches are sent to nGenius Flow Collectors where they are mapped into the CDM framework for display in the common format views of nGenius Performance Manager. The powerful combination of NetFlow data with nGenius Performance Manager analysis capabilities extends the conversation information to yield top hosts or “top talkers,” application recognition and utilization, QoS levels, autonomous system numbers and alarming. The resulting rich traffic information supports network management tasks and challenges including real-time monitoring, in-depth troubleshooting, and historical reporting.

NetFlow data resident in enterprise networks can be a valuable source in performing more than network and application performance management disciplines. The nGenius Flow Collector deployed with the standard nGenius Flow Director enables users to export the original NetFlow datagrams for use by other consumers of the data, such as billing services, or for industry-standard security and intrusion detection systems.

NetFlow datagrams are sent to nGenius Flow Collectors distributed throughout the enterprise network detailing conversation information by IP address, applications, and QoS levels.

NetScout’s Common Data Model Architecture provides a structure to collect and display up to seven categories of network and application information:

• Statistics – basic network usage information such as traffic utilization, packets, bytes, bits sent and received, and throughput.

• Errors – network errors such as CRC errors

• Packet Trace – packet capture and decode analysis across any network topology

• Alarms – threshold alarms based on configurable events for overall segment utilization or for application utilization in a segment

• Conversations – the source and destination addresses that identify who is talking to whom in networked applications

• Talkers – analysis of top hosts utilized for networked applications

• Response Time – a mechanism that analyzes conversation details for determining, in milliseconds, the responsiveness of particular networked applications

This information is collected from three primary categories of data sources:

• Standard SNMP data sources, such as MIBII and Frame Relay MIB, provide statistics and error information.

• NetFlow enabled data sources, such as infrastructure routers and switches, provide IP conversation information.

• nGenius Probe data sources provide statistics, errors, packet trace, alarms, conversations, talkers, and response time.


Leveraging CDM Technology to Monitor NetFlow

NetScout’s CDM™ architecture provides the underlying structure for collecting and managing NetFlow information and mapping it to the powerful real-time and historical analysis views and reports available in nGenius® Performance Manager.

Conversations

As described in the table “NetFlow Datagrams” on page 1, each NetFlow record details an IP based conversation. When an nGenius Flow Collector receives a NetFlow datagram it decodes the Flow record and populates its CDM tables with the basic conversation layer details, that is, IP source and destination address and well-known TCP or UDP port information for the application in use. The nGenius Flow Collector populates the application layer conversation tables from the NetFlow records. The ability to see who is talking to whom in the network, at what time of the day and for what applications are the primary benefits of the conversation information. This conversation-level detail reveals how valuable network resources are being consumed, which, in many enterprises and government agencies, can then be used for other activities.

Talkers

What distinguishes the nGenius Flow Collector from other solutions is its ability to gain even greater traffic insight by using NetScout’s CDM technology. As mentioned in the conversations section, once the nGenius Flow Collector populates the conversation tables from the NetFlow records, it can analyze the information and populate the “Talkers” tables. This enables real-time and historical views of Top Talkers or Top Hosts in the network, helping many IT organizations quickly identify Top abusers of network bandwidth.

Conversation and Talkers information, provided at an application layer for views into the well-known TCP/UDP applications in use at the time, is valuable information for IT organizations. They can, for example, see that Lotus Notes is the top host in their network, or that a Telnet conversation consumed the most bandwidth yesterday. Having these details leads to well-informed troubleshooting and capacity planning.

Statistics and Utilization

The nGenius Flow Collector can identify the interface port speeds of the NetFlow enabled infrastructure devices which enables the nGenius Performance Management solution to populate the CDM statistics tables. From the CDM statistics tables, the nGenius solution calculates total packets and utilization for NetFlow enabled ports. Organizations can use this capability for two purposes:

• For real-time troubleshooting – With views of utilization per port, IT staff can quickly identify under and over utilized ports and drill down to discover the applications, users, and conversations contributing to that activity.

• For historical reporting and trending – Most and Least Utilized ports revealed in automated daily, weekly, and monthly newspaper style reports help IT staff to make more informed traffic engineering and capacity planning decisions.

This capability provides historical reports for Most and Least Utilized segments, enterprise wide. Other solutions may offer most utilized NetFlow segments, or most utilized MIB II segments, however, using information from all the data sources to calculate these reports, nGenius Performance Manager provides the broadest and most complete analysis of top utilized segments available.

Identifying Complex Applications from NetFlow

NetFlow supports IP and its well-known TCP and UDP based applications, for example Lotus Notes, HTTP or Telnet. These applications are identified by their well known TCP or UDP ports and are recognized by most NetFlow collectors, including the nGenius Performance Management Solution. However, there are a number of applications that are more complex in nature, such as SAP or Exchange, which can be transported on multiple ports. By comparison other NetFlow collection tools maintain application categories to track these types of activity and label them TCP Other or UDP Other.

NetScout, recognizing the importance of having these details available so that IT organizations can make the most informed business troubleshooting and capacity planning decisions, makes the CDM Port available to use with complex applications. As an example, the range of ports used by SAP can be configured and assigned to a single CDM Port number for monitoring and tracking purposes. The nGenius Solution can then recognize related flow data that would otherwise have been labeled "TCP Other" or "UDP Other", and properly classify them as SAP. Further, the aggregate SAP activity can now be tracked, monitored, and reported against, including all talkers and conversations, providing an important system-wide view of all activity associated with this important business application.
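An added sketch (not the nGenius implementation) of the idea described above: several port ranges are assigned to one application label so that matching flows stop landing in "TCP Other", and bytes and the top talker are then reported per application. The SAP ranges, the table names and the sample flows are assumptions made for illustration.

```python
from collections import Counter, defaultdict

TCP, UDP = 6, 17

# Applications identified by a single well-known port.
WELL_KNOWN = {(TCP, 80): "HTTP", (TCP, 23): "Telnet", (TCP, 1352): "Lotus Notes"}

# Hypothetical grouping table: many port ranges, one application label.
# The SAP ranges (dispatcher 32xx, gateway 33xx, message server 36xx) are
# assumed defaults used only for this example.
APP_RANGES = {"SAP": [(TCP, 3200, 3299), (TCP, 3300, 3399), (TCP, 3600, 3699)]}


def validate_ranges(app_ranges):
    """Reject malformed ranges and ranges that two applications both claim."""
    seen = []
    for app, ranges in app_ranges.items():
        for proto, lo, hi in ranges:
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"{app}: bad range {lo}-{hi}")
            for o_app, o_proto, o_lo, o_hi in seen:
                if o_app != app and o_proto == proto and lo <= o_hi and o_lo <= hi:
                    raise ValueError(f"{app} overlaps {o_app} on {lo}-{hi}")
            seen.append((app, proto, lo, hi))


def classify(proto, sport, dport, app_ranges):
    """Return the application label for one flow record."""
    # A flow record is one direction of a conversation, so the server port
    # can appear as either the destination or the source port.
    for port in (dport, sport):
        if (proto, port) in WELL_KNOWN:
            return WELL_KNOWN[(proto, port)]
        for app, ranges in app_ranges.items():
            if any(p == proto and lo <= port <= hi for p, lo, hi in ranges):
                return app
    return {TCP: "TCP Other", UDP: "UDP Other"}.get(proto, "IP Other")


def report(flows, app_ranges):
    """Return (octets per application, top talker per application)."""
    validate_ranges(app_ranges)
    by_app = Counter()
    talkers = defaultdict(Counter)
    for src, _dst, proto, sport, dport, octets in flows:
        app = classify(proto, sport, dport, app_ranges)
        by_app[app] += octets
        talkers[app][src] += octets
    return by_app, {app: c.most_common(1)[0] for app, c in talkers.items()}


# Constructed flows: (src, dst, protocol, source port, destination port, octets).
FLOWS = [
    ("10.1.1.10", "10.2.0.5", TCP, 49200, 3200, 40000),   # client to SAP
    ("10.2.0.5", "10.1.1.10", TCP, 3200, 49200, 90000),   # SAP reply direction
    ("10.1.1.11", "10.2.0.5", TCP, 49300, 3301, 20000),   # second SAP range
    ("10.1.1.12", "10.2.0.9", TCP, 49400, 1352, 15000),   # Lotus Notes
    ("10.1.1.13", "10.2.0.7", TCP, 49500, 8443, 5000),    # unmapped TCP
    ("10.1.1.13", "10.2.0.8", UDP, 49600, 5004, 2500),    # unmapped UDP
]

if __name__ == "__main__":
    for label, table in (("without grouping", {}), ("with grouping", APP_RANGES)):
        totals, top = report(FLOWS, table)
        print(label, dict(totals), top)
```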


Autonomous System Numbers

NetScout tracks NetFlow records with Autonomous System (AS) numbers. AS numbers are unique identifiers for telecommunications providers globally that are assigned to that particular provider or ISP. They are found in Border Gateway Protocols that are used by routers and are thus available to routers for inclusion in NetFlow records, but are not available “on the wire.” The nGenius Solution collects this information from each NetFlow record, which is particularly useful for ISPs in distinguishing among themselves for billing purposes. The information is equally beneficial to traffic engineers trending network activity for more informed traffic load balancing throughout their network paths.

QoS Monitoring

NetFlow records include, as one of the seven key distinguishing pieces of information, the Type of Service bits used to prioritize applications within a particular Quality of Service class. For example, when organizations implement a QoS policy and want to prioritize voice traffic over revenue applications, and revenue applications over web surfing, they use ToS. The nGenius solution identifies the ToS bits and categorizes traffic with its associated QoS class. This allows granular views of a NetFlow interface simultaneously with all the QoS levels discovered in that segment. Further, it can identify and track the applications assigned within each QoS level. This level of detail empowers IT staff to quickly uncover configuration errors, whether it is a QoS level that should not exist or an application that may have been assigned to a wrong QoS class.

nGenius Performance Manager Analysis

Long-Term Reporting

The nGenius Performance Manager collects data from the nGenius Flow Collectors for historical reporting via the nGenius NewsPaper, a custom report that users can disseminate to other users remotely via a web-based repository called a NewsStand. NewsPapers are composed of sections and articles (categories and reports) that contain information relating to network performance. The categories include: Executive Summary, Capacity Planning and Predictive Analysis (Situations To Watch). Automated daily, weekly, and monthly NewsPapers can be tailored for specific audiences, such as separate NewsPapers for a company’s North America, European, and Asian IT departments or for their IT staff, finance, and other business managers.

The Executive Summary section provides senior management, finance, and business managers a high level view of activity both enterprise wide or by area of the network, such as the WAN. From articles published in this section, organizations can quickly identify top applications and busiest NetFlow ports. This lets companies making substantial investments in particular applications, Lotus Notes for instance, see how widely deployed and utilized it is throughout the network.

The Capacity Planning section of the nGenius NewsPaper is where NetFlow statistics offer a significant value. nGenius Performance Manager software provides trended data for applications, hosts, and conversation utilization with an integrated baseline of activity. The data link, network, and application layer activities are automatically trended in long term reporting (NewsPapers) as well as in real time views in the nGenius Performance Manager console. Specific hosts can be trended for historical analysis as well. The Situations to Watch section further helps in this regard by looking at growing trends in the network and making predictions against segments and circuits.

Use of Other CDM Data Sources

An additional element nGenius Performance Manager brings to the overall Capacity Planning solution, as well as to real-time troubleshooting, is the ability to bring in statistics from other SNMP standard devices. Industry standard routers, switches, and DSU/CSUs that support MIBII, miniRMON, or the Frame Relay MIB contribute significant details to capacity planning. nGenius Performance Manager collects packets, bytes, bits and errors, sent and received by network infrastructure products to provide a broader more complete view of the network activity enterprise-wide. Combined with the statistics gathered from the nGenius Flow Collectors and nGenius Probes, the Capacity Planning reports in nGenius NewsPapers have a broader, richer analysis of Most Utilized and Least Utilized segments and ports in the network by including data from all sources. Overall, IT organizations can better focus their traffic engineering activities with broad, network wide, trended information from as many data sources as available.


Scalability and Flexibility

The nGenius Flow Collector combined with the nGenius Performance Manager scales to fit different network environments in a number of critical areas. It can accommodate NetFlow enabled devices and ports from small, concentrated campus deployments to large, distributed, global deployments of NetFlow traffic. This is accomplished through the flexibility of the nGenius Performance Manager, whether it is configured as a single centralized server or as a centralized global server with as many distributed local servers as the network requires. Distributing the NetFlow collection with local servers regionally, such as North America, Europe and Asia for global organizations, or Northeast, South and West for US-based companies, reduces the impact of additional traffic on the network of these large distributed enterprises.

The nGenius Performance Management solution collects and aggregates statistics from all these distributed NetFlow enabled ports to provide enterprise wide analysis. For intelligent capacity planning and infrastructure decisions, both IT organizations and their business counterparts need to see the most utilized and least utilized ports as well as the busiest applications enterprise-wide, requiring that data from all distributed servers be included in the analysis. For effective troubleshooting, users may require seeing multiple ports simultaneously on the real-time screens.

The nGenius Solution can deliver these key requirements by providing a seamless transition between historical and real-time views and analysis. With a simple mouse click from an historical report, a user can transfer directly to the real-time screen for that part of the network and view current application and conversation activity. The scalability and flexibility of the nGenius Solution place all the information users need right at their fingertips.

Solution Benefits

The nGenius Performance Management System offers a significant value to organizations that use NetFlow as part of their network and application performance monitoring solution. Some of the benefits users can derive by deploying nGenius Performance Manager in combination with nGenius Flow Collectors include:

• Real-time views and analysis of NetFlow data for effective troubleshooting of end-user and application problems enterprise-wide.

• Displays of multiple NetFlow enabled devices and ports simultaneously for quickly pinpointing over and under utilized ports.

• Rich, application recognition applied to NetFlow collected records by the CDM Port for trending critical business applications and services

• Drill-downs on NetFlow ports for applications, talkers, and conversations in use for identifying who contributes to high utilization in a particular port and for highlighting misuse of network resources

• Conversation details that are made available to other consumers of NetFlow records, such as usage based billing solutions

• Long-term reports of network activity based on NetFlow records for helping traffic engineers properly size network segments and contracting with telecommunications service providers for expensive WAN services.

• Collection of information from multiple data sources for viewing and displaying in the common format real-time graphs and historical reports of nGenius Performance Manager.

For organizations that need an open holistic solution for real-time and historical analysis of all their network management data sources, NetFlow datagrams and MIBII, to RMON based Network Analysis Modules and probes, the nGenius Performance Management solution offers the only single unified application for collecting, aggregating, analyzing and displaying all this rich information.

Conclusion

IT organizations in corporations and government agencies alike are continuously challenged to optimize the performance of business-critical applications enterprise-wide. Detailed monitoring and tracking of applications and users is essential to optimize the performance of the networks they run on. NetScout’s nGenius Performance Management System in combination with rich NetFlow data offers the right combination of scalability, advanced application recognition, newspaper-style reporting, integrated troubleshooting, and support of multiple network management data sources. This is the type of expert information that IT departments need in order to deliver high quality business services to their users. Accept nothing less!!!


NetScout Systems, Inc., Corporate Headquarters, 310 Littleton Road, Westford, MA 01886 USA. Telephone (978) 614-4000, Fax (978) 614-4004, Web: www.netscout.com

Europe: Regus House, 268 Bath Road, Slough, Berkshire, SL1 4DX UK. Phone: +44 1753 725561, Fax: +44 1753 725562

Asia/Pacific: Room 105, 17F/B, No. 167 Tun Hua N. Road, Taipei, Taiwan. Telephone +886 2 2717 1999, Fax +886 2 2547 7010

The nGenius® Solution is comprised of nGenius® Performance Manager, nGenius® Probes and for specialized situations, additional appliances including nGenius® Flow Collector and nGenius® Flow Recorder.

nGenius Performance Manager is a software application that analyzes the information collected by nGenius Probes as well as other network devices, and delivers the features and functions of multiple performance management disciplines in a single product.

nGenius Probes are hardware monitoring devices that are the industry’s most advanced sources for identifying, collecting and analyzing application-level traffic data across the enterprise.

nGenius Flow Collectors are dedicated hardware devices optimized for collecting application conversation data via NetFlow records produced by leading network infrastructure devices.

nGenius Flow Recorder is an appliance that couples storage for large packet trace captures and graphics-based data mining software. It continuously records all traffic and produces a network audit trail for post-event forensics requiring full packet payload details.

©2005 NetScout Systems, Inc. All rights reserved. NetScout and the NetScout logo, nGenius and Quantiva are registered trademarks of NetScout Systems, Inc. The CDM logo, MasterCare and the MasterCare logo are trademarks of NetScout Systems, Inc. Other brands, product names and trademarks are property of their respective owners. NetScout reserves the right, at its sole discretion, to make changes at any time in its technical information and specifications, and service and support programs.

CC-0175-04
