Re: Network management software with high detailed traffic report
On Mon, Nov 22, 2010 at 11:35 AM, Sergey Voropaev serge.devo...@gmail.com wrote: Does any one know the NMS (network management software) which can do the fallowing: 1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds. 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10- seconds. The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized. Existing flow-collector can store netflow reports only with 1 minute granularity but we need 5-10 second. As about e-mail alarms - now I do it by embedded event manager on the router. But I think it would be better to use external SNMP software for that. As about detailed to 5-10 second netflow statistics there are 2 ways. 1st - Use port mirror and use some software which can analyze captured traffic and made a good reports. Do you know such software? 2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10 seconds and catch netflow counters. Do you now such software? thanks in advance for you help. Take a look at a href=http://www.andrisoft.com/software/netflow-traffic-monitoring;WANGuard Flow/a. It builds traffic graphs with a configured granularity of 5 seconds and emails alarms when traffic thresholds are reached. It only needs Netflow.
Re: Network management software with high detailed traffic report
On Mon, Nov 22, 2010 at 8:02 AM, Brandon Ross br...@pobox.com wrote: On Mon, 22 Nov 2010, Nick Hilliard wrote: least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average). Show interface rate counters, are not even truly average computed using the last 30 seconds of data. It is indicated as an exponential time-weighted (moving), where data is gathered every 5 seconds. Meaning every update time, a new value is calculated, by using three datapoints, the previous value of the average, and a calculation based on the change over the past 5 seconds (Current - Previous value). Avg(N) = exp(1/W) * (CurrentOctets - PreviousOctets) + (1 - exp(1/W) * Avg(N-1)) Where 'W' is computed based on the time intervalaveraged over Routers or sniffers can aggregate that data, but a NMS that gathered every 5s using SNMP would not scale very well, and TELNET/CLI would not work for that either; for that, you would need to use a different protocol, probably would need to be a new one designed for 5 second accurate timestamped readings. SNMP ifMib readings are not accurately timestamped, and you would encounter measurement errors. Asking a device about one particular statistic about one interface every 5 seconds isn't much trouble.If you have a router with 100 interfaces, and your NMS needs to query each interface every 5 seconds, you have 100 / 5 = 20 interfaces to query per second.Imagine how many packets you have to send if you have 100 devices with 5 interfaces, and you want to track 4 statistics for every interface 12 times per minute. 2000 queries every 5 seconds.You need some serious hardware to handle that on your routers and your NMS, which has 400 values to save per second, assuming your NMS perfectly distributes query load, and responses are never delayed (not likely). -- -JH
Re: Network management software with high detailed traffic report
We are using cisco switches like as 3750, 6500 etc. So there is no fairqueue. On 26 November 2010 09:43, Mikael Abrahamsson swm...@swm.pp.se wrote: On Fri, 26 Nov 2010, Sergey Voropaev wrote: We use a several connections to the financial providers. This connections are low bandwidth (up to 2 Mbps). This connections used by a number of front end services from a nubmer of departments and we could not differentiate its and configure QoS. But from time to time some one produce an extremely high traffic spikes (less than 30 seconds) without congestion avoidance mechanisms. Our task - is to find such applications and report to management and developers a problem. Also if we'll be aware about it we could configure QoS. What kind of queuing are you using? It sounds like configuring fair-queue on the interface (if your platform supports that, usually the ones with 2M interfaces do), it should help with the problem you're describing. If you have CPU to spare, configure fair-queue everywhere you can where you don't have a better QoS-configuration in place. It really solves a lot of the problems people are seeing with FIFO and mixed traffic. -- Mikael Abrahamssonemail: swm...@swm.pp.se
Re: Network management software with high detailed traffic report
There is no problem with *NIX from the point of view qualification. But corporate politic use only Windows servers and no any other OS in the production. On 26 November 2010 15:05, Dobbins, Roland rdobb...@arbor.net wrote: On Nov 26, 2010, at 3:59 PM, Sergey Voropaev wrote: I work on this way too. There ais no problem with netflow-sensor. But I can not find good inexpensive collector for Windows which can collect data and do graphic report. Open-source = free. And you should be using *NIX, anyways. Using it for a simple project like this is a good learning experience. ; --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Network management software with high detailed traffic report
On Nov 26, 2010, at 9:26 PM, Sergey Voropaev wrote: But corporate politic use only Windows servers and no any other OS in the production. They obviously use IOS or JunOS or what-have-you on their routers and other networking gear - classify this server as a piece of infrastructure equipment, and you're golden. ; --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Network management software with high detailed traffic report
Sergey Voropaev serge.devo...@gmail.com wrote: Is it possible to view flows (at least srs and dst addresses) in the NMS or only interface utilization? In OpenNMS? No flow or conversation support built in as of today. Some have successfully integrated with cflowd, jflow, or other similar packages; I'm not familiar with the details of those integrations. -jeff
Re: Network management software with high detailed traffic report
On Fri, Nov 26, 2010 at 07:06:26AM +, Dobbins, Roland wrote: On Nov 26, 2010, at 1:36 PM, Sergey Voropaev wrote: Our task - is to find such applications and report to management and developers a problem. Also if we'll be aware about it we could configure QoS. One place to start would be an open-source NetFlow collector/analyzer like nfdump/nfsen: http://nfdump.sourceforge.net/ http://nfsen.sourceforge.net/ I use these tools with great success and can recommend them for a quick, easy setup and trouble free operation. Combined with a few Linux based internal gateways using fprobe-ulog (http://fprobe.sourceforge.net/) and you can get a good picture of what's happening on your network. This page may provide some guidance: http://mithrandi.net/blog/2010/03/netflow-traffic-monitoring-on-debian-lenny/ --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar. LaDerrick
Re: Network management software with high detailed traffic report
On Fri, Nov 26, 2010 at 3:26 PM, Sergey Voropaev serge.devo...@gmail.comwrote: There is no problem with *NIX from the point of view qualification. But corporate politic use only Windows servers and no any other OS in the production. I wonder wether your are allowed to use cygwin on your windows machines; that way you'd might find http://qosient.com/argus/ helpfull; cheers, teemu
Re: Network management software with high detailed traffic report
On 26/11/10 6:51 AM, Dobbins, Roland wrote: On Nov 26, 2010, at 9:26 PM, Sergey Voropaev wrote: But corporate politic use only Windows servers and no any other OS in the production. They obviously use IOS or JunOS or what-have-you on their routers and other networking gear - classify this server as a piece of infrastructure equipment, and you're golden. ; until http://blogs.computerworld.com/17412/now_its_updated jc
Re: Re: Network management software with high detailed traffic report
Sure it upsets. We have a bunch of average-populated 6500s, using the default max age (which was, as far as I remember, 5) made the switches very slow in responding to SNMP queries. set them to 10, and, Gotcha! everything works very well. ivan Date: Tue, 23 Nov 2010 14:25:25 +0200 From: Tassos Chatzithomaoglou ach...@forthnet.gr Subject: Re: Network management software with high detailed traffic report To: nanog@nanog.org Message-ID: 4cebb2b5.5090...@forthnet.gr Content-Type: text/plain; charset=UTF-8; format=flowed There is also CSCsg23226 which might be related. -- Tassos Nick Hilliard wrote on 23/11/2010 01:35: On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote: Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1067159 The Usage Guidelines are instructive. :-) Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes. Nick
Re: Network management software with high detailed traffic report
I am just curios what kind of application/network requires this aggressive monitoring. Is it possible to share this information ? Cheers On 11/26/10, Ivan Brunello ivan.brune...@gmail.com wrote: Sure it upsets. We have a bunch of average-populated 6500s, using the default max age (which was, as far as I remember, 5) made the switches very slow in responding to SNMP queries. set them to 10, and, Gotcha! everything works very well. ivan Date: Tue, 23 Nov 2010 14:25:25 +0200 From: Tassos Chatzithomaoglou ach...@forthnet.gr Subject: Re: Network management software with high detailed traffic report To: nanog@nanog.org Message-ID: 4cebb2b5.5090...@forthnet.gr Content-Type: text/plain; charset=UTF-8; format=flowed There is also CSCsg23226 which might be related. -- Tassos Nick Hilliard wrote on 23/11/2010 01:35: On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote: Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1067159 The Usage Guidelines are instructive. :-) Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes. Nick -- Sent from my mobile device ./diogo -montagner
Re: Network management software with high detailed traffic report
We use a several connections to the financial providers. This connections are low bandwidth (up to 2 Mbps). This connections used by a number of front end services from a nubmer of departments and we could not differentiate its and configure QoS. But from time to time some one produce an extremely high traffic spikes (less than 30 seconds) without congestion avoidance mechanisms. Our task - is to find such applications and report to management and developers a problem. Also if we'll be aware about it we could configure QoS. On 26 November 2010 08:34, Diogo Montagner diogo.montag...@gmail.comwrote: I am just curios what kind of application/network requires this aggressive monitoring. Is it possible to share this information ? Cheers On 11/26/10, Ivan Brunello ivan.brune...@gmail.com wrote: Sure it upsets. We have a bunch of average-populated 6500s, using the default max age (which was, as far as I remember, 5) made the switches very slow in responding to SNMP queries. set them to 10, and, Gotcha! everything works very well. ivan Date: Tue, 23 Nov 2010 14:25:25 +0200 From: Tassos Chatzithomaoglou ach...@forthnet.gr Subject: Re: Network management software with high detailed traffic report To: nanog@nanog.org Message-ID: 4cebb2b5.5090...@forthnet.gr Content-Type: text/plain; charset=UTF-8; format=flowed There is also CSCsg23226 which might be related. -- Tassos Nick Hilliard wrote on 23/11/2010 01:35: On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote: Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1067159 The Usage Guidelines are instructive. :-) Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes. Nick -- Sent from my mobile device ./diogo -montagner
Re: Network management software with high detailed traffic report
On Fri, 26 Nov 2010, Sergey Voropaev wrote: We use a several connections to the financial providers. This connections are low bandwidth (up to 2 Mbps). This connections used by a number of front end services from a nubmer of departments and we could not differentiate its and configure QoS. But from time to time some one produce an extremely high traffic spikes (less than 30 seconds) without congestion avoidance mechanisms. Our task - is to find such applications and report to management and developers a problem. Also if we'll be aware about it we could configure QoS. What kind of queuing are you using? It sounds like configuring fair-queue on the interface (if your platform supports that, usually the ones with 2M interfaces do), it should help with the problem you're describing. If you have CPU to spare, configure fair-queue everywhere you can where you don't have a better QoS-configuration in place. It really solves a lot of the problems people are seeing with FIFO and mixed traffic. -- Mikael Abrahamssonemail: swm...@swm.pp.se
Re: Network management software with high detailed traffic report
On Nov 26, 2010, at 1:36 PM, Sergey Voropaev wrote: Our task - is to find such applications and report to management and developers a problem. Also if we'll be aware about it we could configure QoS. One place to start would be an open-source NetFlow collector/analyzer like nfdump/nfsen: http://nfdump.sourceforge.net/ http://nfsen.sourceforge.net/ --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Network management software with high detailed traffic report
There is also CSCsg23226 which might be related. -- Tassos Nick Hilliard wrote on 23/11/2010 01:35: On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote: Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1067159 The Usage Guidelines are instructive. :-) Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes. Nick
Re: Network management software with high detailed traffic report
On 11/22/2010 4:19 PM, Jon Lewis wrote: This does vary by platform. 3550 swiches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing. Distributed platforms take longer to update counters by default. The old 7500 was really fun in how it handled counters between VIP and RSP. I've always seen it around 15s, not 30, though. You will also see this on any of the virtual chassis switches when referencing any interface that is not the current master switch. The 6500 is uniform with all interfaces (and roughly looked like 10s update with current code level). Jack
Re: Network management software with high detailed traffic report
Does any one know the NMS (network management software) which can do the fallowing: 1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds. 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10- seconds. The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized. Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often. Talk to your router vendor first. Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Network management software with high detailed traffic report
Steinar, I'm sure that router updates its counter more often than 5 seconds. On 22 November 2010 12:46, sth...@nethelp.no wrote: Does any one know the NMS (network management software) which can do the fallowing: 1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds. 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10- seconds. The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized. Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often. Talk to your router vendor first. Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Network management software with high detailed traffic report
IT depends on the manufacturer. Cisco can updates OIDs even on 1 second time basis (maybe less?). A long time ago I've made an real time monitor to troubleshooting problems at the WAN. IT was not a NMS, only visual graphs using PHP and RRDtool in one page showing IfOctests, IfDiscards, IfErrors, IfNUnicast and, in some cases, BECN and FECN for frame relay. 2010/11/22 Sergey Voropaev serge.devo...@gmail.com Steinar, I'm sure that router updates its counter more often than 5 seconds. On 22 November 2010 12:46, sth...@nethelp.no wrote: Does any one know the NMS (network management software) which can do the fallowing: 1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds. 2. Collect net-flow statistics (at least src/dst) with granularity of 5-10- seconds. The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized. Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often. Talk to your router vendor first. Steinar Haug, Nethelp consulting, sth...@nethelp.no -- []'s Lívio Zanol Puppim
Re: Network management software with high detailed traffic report
On 22/11/2010 10:00, Sergey Voropaev wrote: I'm sure that router updates its counter more often than 5 seconds. some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the show interface counters are updated every 30 seconds. Nick
Re: Network management software with high detailed traffic report
On 22/11/2010 10:47, Livio Zanol Puppim wrote: Good to know. It such a dificult information to find in documentation. I should have wrapped up that statement with a ymmv. Because probably, your mileage will vary. Nick
Re: Network management software with high detailed traffic report
On Mon, 22 Nov 2010, Nick Hilliard wrote: some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the show interface counters are updated every 30 seconds. That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average). -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Network management software with high detailed traffic report
On 22/11/2010 14:02, Brandon Ross wrote: That is most certainly NOT true. You're correct that I'm mistaken. It's 9 second updates for both snmp and the interface (packets / bytes) counters, at least on 6700 cards / SXI. Are you getting different measurements? Nick
RE: Network management software with high detailed traffic report
Well, on the RSP720, the show interface byte counters are definitely not every second, though I can't say it's been as long as 9 seconds. I typically look at them while making changes and they definitely stand still for a few seconds. Frank -Original Message- From: Brandon Ross [mailto:br...@pobox.com] Sent: Monday, November 22, 2010 8:03 AM To: Nick Hilliard Cc: nanog@nanog.org Subject: Re: Network management software with high detailed traffic report On Mon, 22 Nov 2010, Nick Hilliard wrote: some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the show interface counters are updated every 30 seconds. That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average). -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Network management software with high detailed traffic report
Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* * -- Tassos Jon Lewis wrote on 23/11/2010 00:19: On Mon, 22 Nov 2010, Brandon Ross wrote: On Mon, 22 Nov 2010, Nick Hilliard wrote: some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the show interface counters are updated every 30 seconds. That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average). I didn't think it was true either...but after reading Nick's message I checked a X6408A interface on one of our sup720's running relatively recent code (SXI1), and there definitely is some time between updates both the packet counters and the time averaged rates. Just repeating the command and looking at my watch, I'd say Nick is right. It's easy to test yourself. Pick an int, and repeat sh int int name | inc packets. The numbers really don't change but every 9 seconds or so. Same goes for the avg numbers...mine are set to 30 sec load interval, and they only change every ~9 seconds. This does vary by platform. 3550 swiches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing. -- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Network management software with high detailed traffic report
On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote: Does service counters max age help in any way?* *According to Cisco, setting it too low might upset the snmp counters.* https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1067159 The Usage Guidelines are instructive. :-) Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes. Nick
