Traffic Analysis and Device Management based
Contents
1. Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN Table of Contents Executive Summary 1 Introduction 2 Network Traffic Analysis 2 1 Flow technologies 2 2 NetFlow Network Analysis 3 FNF Exporter Configuration 3 1 FNF Records Configuration 3 2 Defining the FNF Exporter 3 3 Creating the flow monitor 3 4 Flow monitor activation and deactivation 3 5 Displaying and removing the FNF record from the exporter 4 FNF collector installation and configuration 5 Example of Network Device Management in MREN 5 1 Management process 5 1 1 Flow collector 5 1 2 NMS Trap collector 5 1 3 Management mechanisms 5 1 4 Exporter 6 Application of proposed solution for management in MREN 7 Conclusion References Glossary Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN N Oooo A A 15 15 16 18 20 22 23 25 27 29 Table of Figures Figure 4 1 Figure 4 2 Figure 4 3 Figure 4 4 Figure 4 5 Figure 4 6 Figure 4 7 Figure 4 8 Figure 4 9 Figure 5 1 Figure 5 2 Figure 5 3 Figure 5 4 Figure 5 5 Figure 5 6 Figure 5 7 Figure 5 8 Figure 5 9 Reviewing network traffic Reviewing established connections for the selected host Created IP Groups Interfaces on devices performing data export Most frequently used protocols Most frequently used applications Top network host c2. as shown in Figure 5 8 X Trap Receiver Action Add Configure Trap Receiver ne a Mits lee I No Actions Part of AND Group Actions Logging Miscellaneous Email ActionTrap A ctions N Watch Value i I Esplode Ac Varbind Value 1 3 6 1 4 1 2162 100 2 1 1 2 0ASR ASA Watch IV Execute Configure VarbindValue IF Email Configure F Discard Equals 1 3 6 1 4 1 2162 100 T Sound a penj Cancel Add Modify Delete OK Cancel Figure 5 8 Alert definition for the received trap message Automated action program code Trap collectors can receive trap messages and execute scripts or external programs but it is not possible to forward a set of CLI commands from the trap collector to the device To forward such commands to the device a specific script or program must be created which will perform the authentication to the device using SSH communication to enter a specific command set and terminate the connection Best Practice Document Traffic Analysis and Device 20 Management based on NetFlow data in MREN u AB GEANTY To code programs for the automated process of responding to alerts generated by parameters of the flow collector requires significant programming expertise in a variety of programming languages To code scripts in response to received alerts requires a basic understanding of scripting languages e g Visual Basic Script The PUTTY software is u
3. Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN s Example of Network Device Management in AMUCG MREN The following example show the Network Device Management used by Akademske mreze Univerziteta Crne Gore AMUCG MREN The goal of such Management is limiting the flow of IP Group host which violate the Terms of Use of the Academic network of the University of Montenegro 9 Flow monitoring and traffic analysis Flow information Automated actions Trap messages NMS Trap collector Flow collector Management mechanisms Program Script Figure 5 1 Schematic overview of the Network Device Management process Administrator actions The schematic overview shown in Figure 5 1 is an illustration of the Network Device Management process intended for better understanding the elements procedures and steps involved in the management process as demonstrated in the following example 5 1 Management process Elements of the displayed system involved in the process are the flow collector NMS trap collector management mechanisms and the exporter Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN eer GEANT Y 5 1 1 Flow collector Flow information from the exporter router are forwarded to the flow collector which collects analyses and displays data An alert is created at t
4. Traffic Analysisand Device Management based on NetFlow data in MREN Best Practice Document Produced by the MREN led working group on campus networking Authors M abak MREN V Gazivoda MREN B Krstaji MREN April 2015 O GEANT Association 2015 All rights reserved Document No Version date April 2015 Source language Montenegrin Original title Analiza saobra aja i upravljanje ure ajima na osnovu netflow podataka u AMUCG Original version date Version 1 28 April 2014 Contact Milan abak milan ac me Vladimir Gazivoda vladg ac me Bo o Krstaji bozok ac me MREN Centar Informacionog Sistema is responsible for the contents of this document The document was developed by the MREN led working group on campus networking with the purpose of implementing joint activities on the development and dissemination of documents encompassing technical guidelines and recommendations for network services in higher education and research institutions in Montenegro Parts of the report may be freely copied unaltered provided that the original source is acknowledged and copyright preserved The research leading to these results has received funding from the European Community s Seventh Framework Programme FP7 2007 2013 under grant agreement n 605243 relating to the project Multi Gigabit European Research and Education Network and Associated Services GN3plus GIMREN GEANT GEANTAY ASSOCIATION
5. TrapReceiver com Trap Receiver User Manual Cisco Systems Understanding Simple Network Management Protocol SNMP Traps Cisco Systems Inc October 2006 Cisco Systems PIX ASA 7 x SSH Telnet on the Inside and Outside Interface Configuration Example Cisco Systems Inc West Tasman Drive San Jose USA October 2008 Cisco Systems PIX ASA 7 x and Later Bandwidth Management Rate Limit Using QoS Policies Cisco Systems Inc West Tasman Drive San Jose USA September 2008 Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 27 u AA GEANTY 14 Cisco Systems Configuring QoS ASDM User Guide Cisco Systems Inc Chapter 26 September 2006 15 Cisco Systems Configuring IP Access Lists Cisco Systems Inc December 2007 16 Nancy Navato Easy Steps to Cisco Extended Access List GSEC Practical Assignment Version 1 2e SANS Institute 2001 17 Cisco Systems Simple Network Management Protocol Internetworking Technologies Handbook Cisco Systems Inc Chapter 56 September 2003 18 Asante Networks Inc Simple Network Management Protocol Introduction to SNMP April 2005 Best Practice Document Traffic Analysis and Device 28 Management based on NetFlow data in MREN Glossary ACL Access Control List AMUCG Akademska Mre a Univerziteta Crne Gore Academic Network of the University of Mo
6. The alert for exceeding default parameters detailed in the example is shown in Figure 5 4 Exceeding the flow of 5 Mbps as selected in the example is registered three times in a time span of 10 minutes and has caused the alert creation and sending of trap messages to the trap collector Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN i7 gt ow 2 GEANT 5 1 2 NMS Trap collector The trap collector receives the trap message forwarded from the flow collector and initiates the scheduled actions based on the analysis of the received trap message 10 Actions can be partially automated sending e mail messages to the administrator and or fully automated executing the predefined program and changing device configuration Receiving trap messages on the trap collector The trap collector interface with received trap messages is shown in Figure 5 5 Trap Receiver E E Trap Source Port 162 Total Traps Received 2 oO 3 appUtilizationT rap 15 17 44 03 21 14 oO 3 1 3 6 1 4 1 2162 100 2 Type 6 1 15 14 42 03 21 14 a Figure 5 5 Trap collector interface with received trap messages The interface is simple and contains only basic fields and information the port used by the trap collector to listen for trap messages total number of received trap messages and the trap messages containing information on the sender message type and time of reception OID identi
7. Source Interface IP Groups Prekoracenje protoka od 5 Mbps Interface Group Selected Interfaces All Interfaces Modify Selection Define Alert Criteria IN Traffic O Port Protocol pscp Application IP Address IP Network IP Range IP Address Ega Define Thresholds and Action O Utilization 5 0 Mbps 3 Add More OUT Traffic Combined IP Address Volume Speed Packets times 10 Figure 5 3 Creating the warning action for exceeding the threshold value minutes Severity Warning SNMP Trap 163 162 public Default parameters for forwarding trap messages to the trap collector are shown on Figure 5 3 Exceeding the threshold flow value of 5 Mbps for the given IP Group will activate the alert Alerts must be registered at least three times in a time span of 10 minutes to avoid possible false positive warnings The selected action sends ihe trap message to the trap collector at the defined location listening on port 162 as shown in Figure 5 3 m Q 10 000 po 2 E 7 500 U 5 000 2 500 P H 13 58 14 00 Category Total E Traffic IN 60 17 MB Traffic OUT 1 13 GB 1 Minute Average Threshold 5 0Mbps 14 02 14 04 14 06 14 08 14 10 14 12 14 14 Time Max Min Avg 662 88 Kbps 135 65 Kbps 348 86 Kbps 11 48 Mbps 1 87 Mbps 6 59 Mbps Figure 5 4 Alert for exceeding the threshold value T 14 16 14 18 Standard Deviation 136 44 Kbps 2 42 Mbps
8. 44 31 MB 171 48 MB 129 55 MB 105 82 MB Figure 4 6 Most frequently used applications Usage of specific applications in a given time period of one hour is shown in Figure 4 6 HTTP applications are responsible for 67 or 12 54 GB of total generated traffic while applications using the HTTPS protocol generated 19 or 3 56 GB of data Top N Destination OUT sx CIS CO ASR ASA Last Hour Report of total traffic Options DestinationOUT u 2 u 132 La 108 ll a 130 109 Figure 4 7 Top network host conversations 1 01 GB 675 68 MB 604 04 MB 491 19 MB Hosts responsible for generating the most network traffic in one hour are shown in Figure 4 7 The administrator can select data to be monitored by creating appropriate profiles and filters as in Figure 4 8 Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 12 Add Profile Profile Name Device i Select Reports Application Report E Conversation Report Source Report gt gt Destination Report Source Network Report lt lt Destination Network Report Conversation Network Repon v Time Period Last Hour Y Filter Match All Filter s O Match Any Filter s dh New Filter DO CT5 X x S o CT4 o cT3 O cT2 o cTi gt JE JE JI x x X xX Add Cancel Figure 4 8 Creating profiles for data display Creating special profiles enables monitoring of onl
9. AppActivate command sets the name of the specific windows which is displayed in the program s title line WshShell SendKeys is used for sending CLI commands to the device after successfully establishing the session The commands can be verified by entering the name of specific keys between curly brackets that have to pressed on the keyboard e g ENTER ESC DELETE or leave an empty space between quotation marks if the SPACE key is to be used for the command Program code 1 is an automated program applied for the received trap message with the purpose of limiting the bandwidth of the IP Group using defined ACL policies on the device 15 16 set WshShell WScript CreateObject W Script Shell WshShell Run C putty exe 192 168 1 1 I user pw password WScript Sleep 5000 WshShell AppActivate 192 168 1 1 PuTTY WshShell SendKeys enable ENTER WshShell SendKeys password ENTER WshShell SendKeys configure terminal ENTER WshShell SendKeys int GigabitEthernet 0 3 ENTER WshShell SendKeys access list rate_limit_3000 extended permit ip x x x 2 any ENTER WshShell SendKeys access list rate_limit_3000 extended permit ip any x x x 2 ENTER WshShell SendKeys exit ENTER WshShell SendKeys exit ENTER Program code 1 Limiting the IP Group bandwidth on the router After executing Program code 1 The IP Group will be limited to the specified flow so that further inadequate flow usage will not impact other user
10. Speed 5000000 bps IP Address Netmask Port Protocol DSCP Include 105 All All O vAP ITI Enabled Description AP zgrada tehnickih fakulteta Speed 3000000 bps IP Address Netmask Port Protocol DSCP Include 99 All All O s Arhitektura O Enabled Description Arhitektonski fakultet Speed 4000000 bps IP Address Netmask Port Protocol DSCP Include 128 255 255 255 128 All All Figure 4 3 Created IP Groups Subnetworks IP Groups whose traffic is monitored from selected interfaces are shown in Figure 4 3 Selecting an IP Group displays the list of IP Group hosts with total generated traffic for each host Detailed statistics can be accessed by selecting the IP address of a particular host which displays the type of generated traffic ports and applications used in the communication as in Figure 4 2 NetFlow Analyzer provides the network administrators with various functions for achieving significant advantages and saves time during the discovery of network anomalies and so called bottlenecks critical for network operations Best Practice Document Traffic Analysis and Device 10 Management based on NetFlow data in MREN ra GEANTY 2 Routers Switches Show All Hide All Flow Rate in the past 1 hour 652 per second We Sflow Packets Revd 8549503 Interface Name IN Traffic OUT Traffic Alerts O FS DMZ ASA za 2 12 09 Mbps 14 94 Mbps m CIS CO IP NetFlow Packets Revd 9269415 Int
11. al links is generated For traffic generated within the academic network Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 23 u x oe GEANTY one should have more understanding and such traffic in most cases is not subject to limitations However if it is determined to carry out actions that may jeopardise the academic network traffic is blocked on the device s firewall With implementation of the described system with data obtained by qualitative analysis of network traffic it is possible to realise both simple and complex management of a computer network by changing the configuration of network devices Best Practice Document Traffic Analysis and Device 24 Management based on NetFlow data in MREN 7 Conclusion Implementing the monitoring system described arose from the need of the administrators of the University of Montenegro academic network for the qualitative analysis of network traffic Traditional SNMP monitoring has the biggest share in network traffic flow analysis 17 18 The main drawback of SNMP monitoring is the limited amount of information that can be collected on the generated flow with the aim of solving problems in the network During the implementation of the monitoring system obstacles have been resolved in the form of technology compatibility with available network devices and tested software solutions After the analysis and testing of sev
12. c analysis Best Practice Document Traffic Analysis and Device 1 Management based on NetFlow data in MREN 1 Introduction The complexity of today s computer networks is reflected in the variety of network types media technologies services and a large number of users Network administrators require automated tools that will collect information about network elements and successfully manage this complex system The need for tools which perform qualitative analysis of network traffic is becoming more prominent in order to have a better insight into the traffic passing through network links In today s networks we cannot rely only on the information about the quantity of traffic i e availability of links Information about who or what uses the network resources and when and how the resources are used is also necessary Network monitoring is a complex and challenging task of great importance for network administrators Monitoring represents collection and analysis of data about network traffic Specific mechanisms which will manage network devices and the system in general can be activated based on the collected data Best Practice Document Traffic Analysis and Device 1 Management based on NetFlow data in MREN 2 Network Traffic Analysis In modern computer networks it is of great importance to possess the tools for network traffic analysis A qualitative analysis of network traffic can be obtained from collec
13. col d 64 15 113 83 11 http 80 TCP A 151 249 89 9 11 http 80 TCP d 64 15 113 82 11 http 80 TCP A 208 91 198 111 11 http 80 TCP A 64 15 113 12 11 https 443 TCP ak 37 187 90 121 11 ttntspauto 3474 TCP Conversation To 2014 03 17 12 29 Showing 1 to 100 ga DSCP Default CS4 Default CS4 Default 101001 Figure 4 2 Reviewing established connections for the selected host Back View per page 100 Traffic 612 54 Percent 194 77 MB 32 39 48 MB 6 31 8 MB 5 25 07 MB 4 19 5 MB 3 16 9 MB 3 Selecting the host from Picture 1 and inspecting Picture 2 we can conclude that the host communicates with different hosts on the Internet mostly using standard ports 80 and 443 This example clearly demonstrates how easy it is to identify details of network resource used in a short time period Computer network resources are limited and wasted resources can cause a severe performance degradation Adequate monitoring can shorten the time necessary for the network administrator to discover sources of potential problems It is possible to determine host IP address application type protocol Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN u Pt G ANT consumed traffic in a given time period Flow technologies enable a quick and simple processing of all notable information and can supply said information using adaptable format reports whether monit
14. delete the FNF data directly as well as remove the collected statistics Various filters for displaying the target information can be used for displaying data on the exporter Example 6 Displaying FNF records on the exporter show flow monitor Monitor FNF cache Example 7 Removing FNF data from the exporter Best Practice Document Traffic Analysis and Device 6 Management based on NetFlow data in MREN clear flow exporter Export FNF statistics clear flow monitor Monitor FNF cache Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 4 FNF Collector Installation and Configuration The Manageengine NetFlow Analyzer collector collects and analyses flow data acquired from the network device exporter Advantages of using the NetFlow Analyzer software include a scalable architecture supporting a large number of devices possible centralised and decentralised solutions and a greater number of supported flow technologies 3 The software does not require complex hardware collectors it can be operated on both Windows and Linux 32 bit and 64 bit operating systems and offers a free traffic analysis on up to two interfaces on one or two different devices It is a commercial solution meaning that a licence is required for monitoring more than two interfaces the licence pricing depends on the number of interfaces The collector can be trialled for up to 30 days without limitations af
15. dual IP Groups interfaces percentile representation of used protocols and applications can also be reviewed In addition to statistical data various alerts can be created during the parameter implementation phase which will be described in detail in section 5 Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN Elektrotehnicki Action s err GEANTY More Reports Dashboards Traffic Application Source Last Hour 4 Destination Qos i From 2014 03 17 11 29 Resolve DNS Show Geo Locations Show Network Destination zad ald 248 109 fi o U 247 Figure 4 1 Reviewing network traffic Traffic Total 1 0 GB 481 81 MB 115 13 MB 96 23 MB 28 06 MB 16 85 MB 15 62 MB Conversation To 2014 03 17 12 29 Showing 1 to 26 View per page 100 of total traffic 48 M 11 I 10 E 3 E 2 2 Displaying the selected IP Group from Picture 1 we can notice a host which has consumed 46 of total traffic or 481 81 MB of data Selecting the IP address displays the list of hosts communicating with the network host and the used communication protocol Elektrotehnicki Action s More Reports Dashboards Traffic Application Source Top Destination Report 89 188 33 11 Resolve DNS Group by None Destination From 2014 03 17 11 29 Qos s Src IP Dst IP Application Port Proto
16. eral flow technologies data export with the Cisco ASR 1002 device was selected as the best solution for the University of Montenegro academic network Several flow collectors have been tested during work and NetFlow Analyzer was chosen not only because of its functionality but also for the fact that it was the only tested collector which adequately managed to analyse and display the information obtained by the selected device NetFlow Analyzer is a great solution for data flow analysis with a large number of additional functions In the second part of the document a simple automatic control system was proposed and implemented that based on warnings received by collector for network traffic analysis it triggers automated actions for managing network devices and the network as a whole The recommended system consists of a set of automated procedures combined with direct actions of the administrator Examples of automated procedures show that simple and complex computer network management can be realised by changing the configuration of network devices Some of these examples may be encountered in daily computer network operations and represent routine procedures utilised by the administrator dynamic flow limiting of the interface host port management etc Finally the suggested Network Management system using the flow monitoring system has found its application in the University of Montenegro Academic network and can be used as a basis for de
17. erface Name IN Traffic OUT Traffic Alerts O aF ASR ASA za E 10 17 87 MBps 41 11 Mbps gt m Interface Group Details for Last Hour Interface Group Name IN Traffic OUT Traffic Alerts ASR ASA E i 7 87 mbp 41 11 Mbps m DMZ ASA 2 2 09 Mbps 5 4 94 Mbps gt m Figure 4 4 Interfaces on devices performing data export Interface overview for devices performing flow data export is shown on Figure 4 4 This example shows data export on two interfaces Interface traffic can be monitored in any given moment as well as the number of flow packets received from the collector Selecting the interface displays detailed statistics Top N Protocol OUT 9x CIS CO ASR ASA Last Hour Report Options ProtocolOUT Traffic of total traffic m TCP 17 34 GB 94 m UDP 561 3 MB 3 m ICMP 2 14 MB 0 Others 585 68 MB 3 Figure 4 5 Most frequently used protocols Overview of most frequently used network protocols for a selected time period is shown in Figure 4 5 This example shows that the TCP protocol is used in 94 of established communications while the UDP protocol is used for only 3 of total generated traffic Best Practice Document Traffic Analysis and Device 11 Management based on NetFlow data in MREN Top N Application OUT CIS CO ASR ASA Last Hour Report ApplicationOUT of total traffic Options m https m Unknown_App eyetv smtp palace 5 m ttntspauto 12 54 GB 3 56 GB 513 74 MB 2
18. est Figure 5 7 Trap message with OID values Figure 5 7 shows the trap message used in the example but with OID values in their original form not substituted with values from the MIB database OID values displayed in this way are difficult to decipher and link to a corresponding OID identifier value Best Practice Document Traffic Analysis and Device 19 Management based on NetFlow data in MREN a x GEANTA 5 1 3 Management mechanisms It may be necessary to apply a partially or fully automated action to the trap message received on the trap collector Defining trap collector actions for the selected trap message Based on the received trap message on the trap collector an automated action may be defined which specifies the program code execution or a partially automated action which notifies the administrator of the specific alert The partially automated action requires more time between the moment an e mail message is sent and the action which involves the administrator making changes to the device configuration It is necessary to configure the value of the OID identifier from the MIB database for which the predefined action will be executed The Watch field must be set to Varbind Value for the defined action to be executed based on the selected trap message identifier Field Equals must contain the OID identifier value and the equals sign in the format lt OID identifier gt lt value gt lt condition gt
19. fiers contained in trap messages The trap collector translates and analyses OID information received in trap messages based on the flow collector s MIB database data as shown in Figure 5 6 Best Practice Document Traffic Analysis and Device 18 Management based on NetFlow data in MREN x G ANT Trap Type G Specific Type fi Community public TimeStamp jo days 00h 00m 10 00s Ip Address 9 Sender DID ho Trap Type SNMPyI Variable Bindings deviceName 0 String CI5 CO interfaceN ame 0 String ASR ASA interfacelndex 0 String 3 application O String IP Address 2 traffic 0 String IN and OUT E percentage 0 String 5 0 noOfTimes 0 Gauge 3 inMinutes 0 Gauge 10 ke gt Show Raw lt lt prev next Figure 5 6 Received trap message Trap message identifiers contain values from predefined alerts see Figure 5 2 Trap Details Trap Type G Specific Type fi Community public TimeStamp jo days 00h 00m 10 00s Ip Address 3 Sender OID 13 6 1 41 2162 100 2 Trap Type SNMPY1 Variable Bindings 1 3 6 1 4 1 2162 100 2 1 1 1 0 CI5 CO 1 3 6 1 4 1 2162 100 2 1 1 2 0 String ASR ASA 1 3 6 1 4 1 2162 100 2 1 1 3 0 String 3 1 3 6 1 4 1 2162 100 2 1 1 4 0 String IP Address ie 1 3 6 1 4 1 2162 100 2 1 1 5 0 String IN and OUT y 1 3 6 1 4 1 2162 100 2 1 1 6 0 String 5 0 1 3 6 1 4 1 2162 100 2 1 1 7 0 Gauge 3 1 3 6 1 4 1 2162 100 2 1 1 8 0 Gauge 10 i lt Show Raw lt lt prev n
20. fix calculations Best Practice Document Traffic Analysis and Device 3 Management based on NetFlow data in MREN 3 NF Exporter Configuration An exporter is a network device with active NetFlow service An exporter monitors packets passing through a device i e interfaces which are monitored and creates a flow of these packages Collected information is exported to the NetFlow collector in the form of flow records Flexible NetFlow FNF unlike Traditional NetFlow TNF has several additional fields which allows the organisation to oversee more specific information so that the total amount of information that is exported is reduced enabling improved scalability and aggregation 3 1 FNF Records Configuration Flexible NetFlow FNF requires explicit configuration of flow records with all necessary and optional fields The following configuration examples refer to the Cisco ASR 1002 network devices 2 Basic and additional FNF fields on a network device are defined as follows flow record record name description record description match field type field value collect field type field value Example 1 FNF record configuration with basic and additional fields flow record Record FNF description Flexible NetFlow match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source port match transport destination port match interface input match flow di
21. he collector which sends trap messages based on exceeding configured parameters to the trap collector 10 Flow monitoring and traffic analysis on the flow collector Information flow display for the selected IP Group is shown in Figure 5 2 Based on collected device information an alert is created on the flow collector which will activate the defined action upon the fulfilment of configured parameters 1 Minute Average 10 000 rn a 2 E S E pa E Category Total E iN 3 06 GB E OLT 87 2 MB 9 000 IN 95 ile 8 000 7 000 6 000 5 000 4 000 3 000 2 000 1 000 o 10 50 10 55 11 00 11 05 11 10 11 15 11 20 11 25 11 30 11 35 11 40 11 45 Time Max Min Avg Standard Deviation 95th Percentile 9 55 Mbps 2 68 Mbps 6 69 Mbps 1 48 Mbps 8 95 Mbps 275 21 Kbps 92 23 Kbps 190 61 Kbps 38 48 Kbps 258 89 Kbps Figure 5 2 Information flow display for the selected IP Group Creating the warning action for exceeding the threshold value Warning actions for exceeding the threshold value can be created based on multiple parameters previously described in this document Parameters most frequently selected during the creation of warnings for exceeding the threshold value will be used in the example Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 16 Modify Alert Profile Alert Profile Name Prekoracenje protoka Description Select
22. ms of Use of the Academic network of the University of Montenegro The application of this rule is stricter during working hours while outside working hours some of the limitations cease to apply enabling the networks and or hosts to use the academic network flow without limitations The Academic network of the University of Montenegro is responsible for providing Internet services to all its members however the principle of flow limitation differs from Internet service providers who carry out limitations on the level of the user With this method of limitation each user from his Internet provider receives a guaranteed flow which in most cases can be used without limitations depending on the type of the selected service package In the academic network this kind of limitation is not possible for the simple reason it is not possible to divide the available flow to the user level host Duration which will be active within working hours can be limited whereas access can be limited only for certain services and or servers The flow can be limited in one or both directions by activating the set of commands listed in the program codes presented in this document In addition to the limitations during working hours it is possible based on the insight into the amount of traffic generated for a particular month to set a flow limitation for the network or host until the end of the calendar month in which an excessive amount of network traffic to extern
23. n of this kind of data support one or more different flow technologies Flow technologies from different manufacturers are not compatible with each other although efforts are being made to standardise them 2 2 NetFlow Network Analysis Each IP packet forwarded by a network device i e an exporter is examined in order to find the set of IP data These data are IP packet identifiers and determine whether a packet is unique or part of a set of packets transmitted over a network The IP packet header consists of a set of 5 7 attributes IP address Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN u Pt GEANT Y attributes used in NetFlow technology are source IP address destination IP address source port destination port type of service ToS field and network device interface Flow information is very useful in understanding the network behaviour The source address enables an understanding of who creates traffic the destination address provides information to whom the traffic is intended the port indicates which application performs the communication the type of service determines the priority of the traffic while grouped packets and data show the amount of generated traffic The flow also includes the following additional information the time used for understanding communication duration and packet computing next hop and the subnet mask of source and destination IP addresses pre
24. ntenegro CLI Command Line Interface FNF Flexible NetFlow IP Internet Protocol MIB Management Information Base MREN Montenegrin Research and Education Network NMS Network Monitoring System OID Object Identifier SNMP Simple Network Management Protocol SSH Secure Shell TCP Transmission Control Protocol TNF Traditional NetFlow ToS Type of Service UCG Univerzitet Crne Gore University of Montenegro UDP User Datagram Protocol VBS Visual Basic Script WAN Wide Area Network Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 29
25. onversations Creating profiles for data display Data display using filters Schematic overview of the Network Device Management process Information flow display for the selected IP Group Creating the warning action for exceeding the threshold value Alert for exceeding the threshold value Trap collector interface with received trap messages Received trap message Trap message with OID values Alert definition for the received trap message Exporter router ACL list Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 10 11 11 12 12 13 13 15 16 17 17 18 19 19 20 22 Executive Summary This document describes the monitoring and management methods for computer networks The quality and availability of computer network services depends on the performance of the monitoring system as well as the control system This document presents the flow collector for assembling and analysing data on generated network traffic data obtained from network device exporters A solution for network traffic analysis will be presented and used for implementing a network devices management system based on the qualitative analysis of network traffic Some of the basic techniques for computer network management will also be analysed The proposed solution sends warnings and automatic actions for changing the configuration of network devices based on data obtained from qualitative network traffi
26. oring the network in real time or performing network resource utilisation analysis for different times of day week or month NetFlow Analyzer enables the creation of IP Groups as well as device groups if multiple devices are used for exporting flow information alert profiles for alerting the administrator on notable specific network events various reports that can be created in specific times of day week or month profiles for displaying various information and user accounts 5 The Device Group Management lets you group tens or hundreds of devices depending on the size of the network and the number of devices exporting data When monitoring interfaces from different devices as one unit it is possible to create an Interface Group Creating Interface Groups is useful for monitoring specific interfaces from multiple devices Creating IP Groups lets you display separate monitored subnetworks IP Groups can be assigned to a specific administrator in charge of a single or multiple subnetworks while providing the lead administrator with access to all IP Groups and the view of the entire network on a global level IP Groups More Information on IPGroups Add Modify Copy Delete EnableAll DisableAll IP Group Name Status Details O AP Albanski O Enabled Description Albanski fakultet Speed 3000000 bps IP Address Netmask Port Protocol DSCP Include 108 All All O AP Index CIS Enabled Description AP zgrada tehnickih fakulteta
27. osed solution for management in MREN Members of the Academic Network of the University of Montenegro include organisational units of the University of Montenegro scientific research and educational institutions of Montenegro libraries student residences and other non profit institutions in the service of the academic community in Montenegro Based on the Terms of Use of the Academic network of the University of Montenegro any activity that causes unscheduled or unjustified burden to MREN resources or other networks resources as well as increased involvement of staff for maintenance of these resources within MREN or using the same shall be considered as activities that threaten the functionality of MREN and represent unauthorised use of resources The current flow of academic network to external links is maximally utilised Any unauthorised use of resources may cause difficulty in using MREN services For the aforementioned reasons it is necessary to carry out continuous monitoring and with prior warning to limit the flow to MREN member networks and hosts that do not comply with the Terms of Use of the Academic network of the University of Montenegro Flow limitation exemplified in the previous chapter applies in most cases during working hours when the academic network flow is under maximum load To avoid degradation of network services and possible congestions the flow is limited for networks and or hosts that are found to violate the Ter
28. rection match application name collect routing source as Best Practice Document Traffic Analysis and Device 4 Management based on NetFlow data in MREN collect routing destination as collect routing next hop address ipv4 collect ipv4 dscp collect ipv4 id collect ipv4 source prefix collect ipv4 source mask collect ipv4 destination mask collect transport tcp flags collect interface output collect counter bytes collect counter packets collect timestamp sys uptime first collect timestamp sys uptime last 3 2 Defining the FNF Exporter NetFlow data that is temporarily kept on the network device is analysed in detail after exporting to the collector Defining the FNF exporter is only required when exporting data to an external collector The FNF exporter is configured on a network device as follows flow exporter exporter name description exporter description destination NetFlow collector IP address source interface name transport UDP or TCP port number export protocol protocol name Example 2 FNF exporter configuration on a network device flow exporter Export FNF description FNF v9 destination 10 0 1 100 source GigabitEthernet0 0 2 transport udp 9996 export protocol netflow v9 option interface table option application table 3 3 Creating the flow monitor The flow monitor includes the previously defined flow record and one or more defined exporters used for the collection and analysis of acqui
29. red data The FNF monitor is configured on a network device as follows flow monitor flow monitor name description flow monitor description record defined record name exporter defined exporter name cache timeout active 60 export time for long lived records Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN Example 3 FNF monitor configuration on a network device flow monitor Monitor FNF description FNF Traffic Analysis record Record FNF exporter Export FNF cache timeout active 60 3 4 Flow monitor activation and deactivation The last step of the configuration is assigning the flow monitor to interfaces on the network device which activates traffic monitoring and export of data to the defined external collector Flow monitor activation on a network device is performed as follows interface interface name ip flow monitor flow monitor name input ip flow monitor flow monitor name output Example 4 Flow monitor activation interface GigabitEthernet0 0 2 ip flow monitor Monitor FNF input ip flow monitor Monitor FNF output The following commands have to be applied for stopping the export of data and traffic monitoring Example 5 Flow monitor deactivation interface GigabitEthernet0 0 2 no ip flow monitor Monitor FNF input no ip flow monitor Monitor FNF output 3 5 Displaying and removing the FNF record from the exporter The exporter can display and
30. s of the Academic Network Best Practice Document Traffic Analysis and Device 21 Management based on NetFlow data in MREN u Pt GEANT Y With a little skill and understanding of programming basics and IOS CLI commands it is possible to automate many actions to be executed without the involvement of the administrator based on the warning messages acquired by the flow information analysis on network devices and with the help of the automated Management of Network Devices system introduced in this document 5 1 4 Exporter Finally whether or not the automated actions are implemented or the administrator executes actions on the exporter i e router the configuration changes because a new entry is added to the ACL list 13 14 rate_limit_3000 M any ae ip lt Permit Ho es Figure 5 9 Exporter router ACL list The IP Group from the example is added to the ACL list by executing the Program code 1 and the Group s bandwidth is automatically limited see Figure 5 9 By applying the suggested example the flow of the IP Group is limited but the service is still available for use A rational use of Academic Network resources is made possible for all users by implementing the preceding actions in compliance with the Terms of Use of the Academic network of the University of Montenegro Best Practice Document Traffic Analysis and Device 22 Management based on NetFlow data in MREN s Application of prop
31. sed for establishing communication between the Manager application and devices used in the example PUTTY is a freeware Telnet and SSH client software This software provides a quick and easy way for establishing communication with the device and executing proper CLI commandas It also supports the SSH protocol for secure authentication and device communication The problem arises during the automation of the entire process A set of commands to be executed on the device must be set without the intervention of the administrator Visual Basic Script VBS program language will be used in the example to circumvent this problem The Visual Basic script Program code 1 executed by the trap collector must open the PUTTY software establish communication with the device successfully create a session using proper access data and execute commands on the device itself after which it must terminate the communication The Visual Basic script contains a few commands A specific object is created at the start of the script WScript Shell Then the session is started using the WshShell Run command and entering the path to the PUTTY software between quotation marks and the username and password for accessing the device via the SSH connection 12 After creating the session the WScript Sleep 5000 command is used to input a specific pause of 5000 ms or 5 seconds until the session is established with the device and the first command can be executed The WshShell
32. ter the trial period ends the software can be used for monitoring up to two interfaces 4 The first step in collector implementation is choosing the hardware the host for the installation of the operating system and the collector Testing has shown that the NetFlow Analyzer operates equally well on both Windows and Linux platforms The choice of host depends on the number of monitored interfaces A greater number of network devices and interfaces require a better hardware configuration The installation on Windows and Linux operating systems is equally simple Following the installation of the operating system and the collector the flow monitor has to be configured and activated on the exporter from which the data for collector processing is acquired The configuration is explained in detail in section 3 of this document The second step consists of parameter adjustments on the collector The adjustments include entering the network architecture i e the subnetworks IP Groups for a simpler review of the collected data By using the NetFlow Analyzer collector it is possible to gain information on the volume of network traffic applications the source and destination addresses participating in the conversation as well as details of the used protocols ports and other network traffic characteristics for a given time period Picture 1 and Picture 2 Apart from this information the established connections for a chosen host traffic amount for indivi
33. tion of data contained in flow exporters as well as answers to questions about who or what when and how uses the network resources This knowledge is important for network administrators in terms of making the right decisions that can contribute to the whole organisation There are different methods and this document will provide a description of a flow oriented software solution that uses distributed techniques for data collection Unlike hardware monitoring devices flow oriented software techniques have advantages in terms of lower investment easier installation and achieving results in a short period of time 21 Flow technologies When selecting technologies one should take into account which versions of flow technologies are supported by the network devices in a computer network Implementation of flow oriented technology requires devices which support flow technology in their specifications Various manufacturers are developing different versions of flow technologies that are mainly variations of the same technology Therefore our NetFlow technology is supported mostly by Cisco devices 1 sFlow by Allied Telesis and others such as JFlow by Juniper Netstream by Huawei and IPFIX by Nortel network devices Selection of the flow technology depends on the types of devices in the network and technologies These technologies are quite different but one should take these small differences into account because different software used for collectio
34. traffic analysis can predict and remove a large number of potential incidents in the computer network that would otherwise hinder its functionality Best Practice Document Traffic Analysis and Device 26 Management based on NetFlow data in MREN References 1 2 3 4 5 6 7 8 9 10 11 12 13 Cisco Systems Introduction to Cisco IOS NetFlow Technical Overview October 2007 Cisco Systems Application Monitoring Using NetFlow Deployment Guide Cisco Systems Inc August 2012 Manageengine Enterprise Network Traffic Informatics CIO s Hand Guide ManageEngine University Campus Network Monitoring using NetFlow Analyzer A case study ZOHO Corp USA 2010 ManageEngine Bandwidth Monitoring amp Traffic Analysis User Guide ZOHO Corp USA 2010 ManageEngine Healthcare IT Risk Mitigation A Network Centric Approach White Paper NetFlow Analyzer abak Milan Bo o Krstaji Primjer automatskog upravljanja mre nim ure ajima u AMUCG XVII Nau no stru ni skup Informacione Tehnologije 2012 Montenegro abljak February 2012 abak Milan Bo o Krstaji Primjer monitoringa i upravljanja ra unarskom mre om primjenom FLOW tehnologija 19 Telecommunication forum TELFOR 2011 Serbia Belgrade November 2011 Centar informacionog sistema UCG Pravila o kori enju Akademske mre e Univerziteta Crne Gore
35. veloping a more complex system The system is currently being tested and the application of automated procedures is monitored by the administrators The continuously changing computer network as a system necessitates the implementation of changes modifications and innovations of program codes forming the base of the management system while making the role of the administrator an irreplaceable one The application of this and similar computer network management systems can improve the quality of services Best Practice Document Traffic Analysis and Device Management based on NetFlow data in MREN 25 a glee G ANT The future of computer networks is unthinkable without the tools for the qualitative analysis of network traffic and their implementation in the management process The expansion of the computer networks network applications and number of users creates an increasing need for the best use of resources The bandwidth of computer networks and other resources are permanently increasing but are by no means unlimited or free Each unplanned resource use can create problems in everyday operation of the network and connected services as well as lead to economic losses By improving the tools for automated network device management we contribute to the development of smart networks which will reduce or even eliminate the need for administrator s intervention These systems based on the data acquired through qualitative network
36. y significant information 6 It is possible to select the device for data monitoring interface report type time period for data monitoring and create appropriate filters Filters enable the administrator to display data in more detail extract and display data from a large information pool of and data significant to the monitoring process He can choose to display only certain applications source and destination addresses used by those applications and based on the protocols used in the configuration Figure 4 9 Filter Filter Name Filter Type Include Application pe Available Application s Selected Application s 1ci smes Destination 3Com nsd DSCP Name SPC_App 3com amp3 Protocol 3com net mgmt gt gt 3com njack 1 3com njack 2 3com tsmux 3com webview 3comfaxrpe 3comnetman 3d nfsd al Figure 4 9 Data display using filters By using the flow technology and collectors such as the NetFlow Analyzer it is possible to achieve total control monitoring of the entire computer network Best Practice Document Traffic Analysis and Device 13 Management based on NetFlow data in MREN ma GEANTY Besides the flow technology it is possible to implement other features of network devices for limiting interface host and protocol flows and achieving control over the network 7 8 Detailed information on this method and its implementation within the scope of the MREN is presented in section 5
Download Pdf Manuals
Related Search