|
|
This guide explains how to use the TrafficDirector application to monitor traffic and diagnose developing problems on network segments. If your network contains segments that use SwitchProbe devices, Network Analysis Modules, and switches, the TrafficDirector advanced technology can help you monitor these segments in the unique switching environment.
The following sections provide basic information about the TrafficDirector application, how it works, and how to use it:
The TrafficDirector application lets you monitor and record information about network usage, events, and trends, and identify and isolate many fault conditions in data communication networks.
The TrafficDirector application consists of a centralized, SNMP-compatible network management console and data-gathering agents located at various points on a network.
You can use the TrafficDirector application to perform several basic functions:
You should familiarize yourself with the common TrafficDirector terminology and concepts defined in Table 1-1.
| Term | Definition |
|---|---|
SwitchProbe device | A hardware device used for monitoring traffic associated with a network segment. Each SwitchProbe device provide full RMON statistics about the network segment. Cisco Systems offers a variety of SwitchProbe devices to address various types of network topologies. Depending on your topology and the connection media you choose, you could attach a SwitchProbe device to a network segment in a variety of ways---to a wire, a server link, a trunk existing between two switches, or to a switch for roving. For more information about Cisco SwitchProbe devices, and instructions for configuring and attaching them to your network segment, see the Cisco SwitchProbe Installation and Configuration Guide. |
Agent | A port on a SwitchProbe device, Network Analysis Module, or a switch configured for monitoring. A multiport SwitchProbe device is considered multiple agents. For information about defining a SwitchProbe device as an agent in Configuration Manager, see Chapter 3, "Using Configuration Manager." |
Agent Groups | A group of two or more agents, used to monitor multiple SwitchProbe locations simultaneously. For more information about defining agent groups and using them to monitor traffic on multiple segments, see Chapter 3, "Using Configuration Manager." |
Roving Agent | A SwitchProbe device or Network Analysis Module that lets you manage and monitor network traffic and isolate operational problems. |
Network Analysis Module | An internal probe device that extends (for Ethernet, Fast Ethernet, and gigabit Ethernet VLANs) the Remote Monitoring (RMON) support provided by the Cisco Catalyst 5000 series of switches. The Network Analysis Module provides RMON and RMON2 support for application monitoring, traffic analysis, and troubleshooting. It acts as a network data-gathering agent and provides network traffic monitoring when used with a client equipped with network-monitoring software. For more information about configuring Cisco Catalyst 5000 series devices and the Network Analysis Module, see the following Cisco publications:
|
Switch | A device that microseconds a local area network (LAN) by dividing it into many full and independent LANs, each of the same bandwidth as the original, resulting in fewer users on each LAN. The TrafficDirector software supports a number of Cisco switches. For more information, see Chapter 3, "Using Configuration Manager." Note Before the TrafficDirector software can communicate with an agent on your network, you must properly configure the agent and bring it up on your network. |
Frame Relay Agent | An interface on a WAN SwitchProbe device that monitors a Frame Relay network segment. |
Properties File | A file that determines what statistics are collected and logged by a SwitchProbe device, Network Analysis Module, or a switch. You can also use this file to establish thresholds on the device. SwitchProbe devices, Network Analysis Modules, and switches are shipped with default RMON properties files. After you configure an agent with Configuration Manager, you can associate different properties files to the device as needed. For more information about the different properties files you can use and create, see Chapter 6, "Working with Properties." |
The TrafficDirector software recognizes three types of interfaces: virtual, special, and physical. In most cases, the TrafficDirector software automatically learns the interfaces associated with a SwitchProbe device or a switch, and displays the information in the Interface list box in the Configuration Manager window. For more information about virtual, special, and physical interfaces, see Chapter 3, "Using Configuration Manager." |
The TrafficDirector application is based on two standards that allow it to operate in a multitopology, multivendor environment:
Other emerging standards are supported so you can simultaneously monitor multiple network segments from various topologies using the TrafficDirector applications. These emerging standards include:
TrafficDirector technology implements the basic concepts related to RMON standards (defined in detail in "Understanding RMON Groups") and incorporates key concepts that make TrafficDirector flexible to maintain and manage, including:
You use domains to monitor protocol traffic for a device or subnet on any segment of an enterprise network. Using domains, you can concentrate on the most significant network traffic parameters, devices, and network segments to effectively access all relevant data to resolve problems quickly.
A domain can include one protocol or a group of protocols. Domains are defined, maintained, and installed on SwitchProbe devices, Network Analysis Modules, and switches using the TrafficDirector administrative applications. You can install multiple domains on a single SwitchProbe device or Network Analysis Module.
The TrafficDirector software is shipped with several predefined domains that you can install on devices to isolate traffic by commonly used protocols (for example, IP and IPX). The predefined RMON domain allows you to see all traffic on a network segment.
The following section provides information about multidomain views:
In some cases, it is beneficial to isolate information captured by agents using domains (for example, a domain based only on IP traffic for a network segment). However, there are times when it is more appropriate for you to capture and aggregate information from multiple domains. The TrafficDirector application supports multidomain views, so all domain traffic at the network or application layer (all installed domains for the layer) can be collected, aggregated, and logged for reporting in the SQL report database. For example, you might want to evaluate all conversations for all domains defined for a particular agent.
Domains can be classified into two types:
For more information about domains, see Chapter 5, "Working with Domains."
Filters are software definitions that let you create customized, generic domains based on more finite criteria. For example, you can define specific filters to refine the conditions under which an agent captures only certain packets of interest. The packets can then be reported as statistics. The filters are used as part of the generic domain definitions that are added to the properties files. You also use the same filters when starting a data capture session.
For more information on filters, see Chapter 8, "Working with Filters."
All SwitchProbe devices, Network Analysis Modules, and switches collect statistics based on the definitions found in a properties file. The properties file contains:
There are three kinds of properties files:
For more information about properties files, see Chapter 6, "Working with Properties."
Agent groups represent a collection of individual agents you can configure for retrieving network data.
From an administrative perspective, agent groups can save you time and repetitive configuration. By grouping agents together, you can use the same configuration data for multiple agents and install the same properties file on all agents in the group without creating a new file for each agent.
For more information on agent groups, see Chapter 3, "Using Configuration Manager."
The TrafficDirector application operates on a centralized, SNMP-compatible, network management console in a distributed UNIX or Microsoft Windows environment and retrieves information from SwitchProbe devices and Network Analysis Modules attached to network segments.
You can achieve greater network visibility when you connect a SwitchProbe device or Network Analysis Module to a switch. Each port on a switch typically has only mini-RMON capabilities. Mini-RMON supports four groups for monitoring network traffic: statistics, history, alarm, and events. However, when you attach a SwitchProbe device or Network Analysis Module to a switch, you can achieve full RMON capabilities---that is, RMON and RMON2---allowing you to manage and monitor network traffic and isolate network operational problems. In the context of the TrafficDirector application, this concept is called roving. The SwitchProbe device and the Network Analysis Module are considered roving agents.
A typical network has multiple segments and multiple SwitchProbe devices and Network Analysis Modules that continuously collect data. At defined intervals, the TrafficDirector management station uploads statistics from the SwitchProbe device or Network Analysis Module, which aggregates the data and formats it for display and reporting.
Cisco Systems offers a variety of SwitchProbe devices to collect information about various network topologies including:
For more information about the different models and how to connect them to your network, see the Cisco SwitchProbe Installation and Configuration Guide.
The Network Analysis Modules supports the following topologies:
An alarm is a predefined condition based on either rising or falling data thresholds, or both.
In the TrafficDirector application, you establish thresholds that create alarms and events on the SwitchProbe device, Network Analysis Module, or switch. When this happens, a trap is sent to the TrafficDirector application.
You can configure alarms on network variables to determine whether a specific condition occurs. You can set multiple alarms on selected events associated with RMON MIB variables and any private MIBs you are monitoring. You configure a pair of thresholds on a network variable, then specify an interval at which the agent checks to see if the variable indicates that either threshold has been crossed.
As you add or modify alarms, you can define SNMP trap messages for both rising and falling thresholds. The messages are conveyed to the reporting console when a threshold is reached. The trap messages can be very useful because they help to isolate the source of the problem for switch ports or DLCIs you are monitoring.
When you configure the agent or switch to send the trap to a management station console, the Alert Monitor icon on the TrafficDirector management console blinks until you select it. You can also create UNIX scripts or DOS batch files to take specific action when a trap occurs.
For more information on traps and alarms, see Chapter 9, "Configuring Alarms."
The Trend Reporter application helps you establish an overall picture of your organization's network usage and health. You can use trend reports to troubleshoot congestion, monitor usage, and plan for future capacity requirements.
Trend Reporter is a TrafficDirector administrative application that lets you run standard reports at preselected intervals, or customize your own reporting scheme. All reporting information is stored in a SQL server database that you configure so you can evaluate it as required.
For more information on trend reports, see Chapter 31, "Configuring and Generating Reports."
The TrafficDirector software supports a number of advanced SwitchProbe software features, most of which are optional and you must purchase separately, that can generate the appropriate statistics in various TrafficDirector applications.
Table 1-2 shows the options available for SwitchProbe devices and the Network Analysis Module:
For more detailed information about any of the agent software options, see the Cisco SwitchProbe Installation and Configuration Guide or the Catalyst 5000 Series Network Analysis Module Configuration Note.
The following sections provide an overview of each of the advanced software options:
Figure 1-1 shows how monitoring remote, critical network resources can be difficult because polling the resource from the network manager occupies excessive bandwidth and consumes valuable network resources.
Figure 1-2 shows the SwitchProbe device attached to the network segment to collect specific data from the device. The SwitchProbe device stores the collected data internally and the TrafficDirector application retrieves the data when you request it through the proxy SNMP Resource.
The TrafficDirector software downloads MIB variables selected from a list to the agent onto the SwitchProbe device, and creates proxy resources. Instead of intensive polling from the management console, the SwitchProbe agent polls each of the selected MIB variables in the SNMP-based device at selected intervals and records the result. The device can support either SNMP get requests or IP ping requests to an IP device.
TrafficDirector applications and reports display round-trip delay or proxy SNMP data when this option is present. For more information about round-trip delay and proxy SNMP, see Chapter 6, "Working with Properties."
Other features of the Resource Monitor include:
NetFlow identifies IP packet flows, enables statistics collection, and exports those statistics to specified network-attached flow devices (the SwitchProbe device). The NetFlow data is mapped to the RMON2 MIB so you can evaluate it using TrafficDirector applications.
The TrafficDirector application supports access to utilization, alarms, protocol decodes, and real-time displays for NetFlow-generated data. Those SwitchProbe devices and Network Analysis Modules with the NetFlow option enabled act as NetFlow collectors for NetFlow Data Export versions 1.0 and 5.0 (for routers) and 7.0 (for switches).
A single device can collect data from multiple routers or multiple router interfaces and aggregate the data by AS number for billing and chargeback. When you set a generic IP filter in subnet mode and NetFlow is configured in the SwitchProbe device or the Network Analysis Module, statistics are displayed in the TrafficDirector host list using AS number-mapping conventions.
Cisco Ethernet SwitchProbe devices and the Network Analysis Module collect data from one router or switch; the Fast Ethernet SwitchProbe device can collect data from as many as eight routers or switches.
The Network Analysis Module can analyze Ethernet virtual LAN (VLAN) traffic from either or both:
With the Network Analysis Module, when the analyzer source is a trunk port and the VLAN Monitor option is enabled, the Network Analysis Module aggregates statistics by VLAN, rather than by source MAC address.
The TrafficDirector software supports the display and configuration of VLANs as individual interfaces for full RMON2 support. Cisco SwitchProbe devices support the SMON MIB for VLAN statistics, gathering the data from switches hosting the SMON protocol. Raw data capture of VLAN frames for ISL- and ISTP-type and 8802.1q communications are supported using the VLAN Monitor real-time application.
For more information about monitoring VLANs, see Chapter 13, "Monitoring Switches."
The ARTMIB, a proposed extension to the RMON2 standard (not yet an IETF draft), collects a series of application response time statistics such as connection retries, traffic load, and response time buckets. To collect these types of statistics using the TrafficDirector application, you must enable the ARTMIB Monitor option on the SwitchProbe device.
For more information about the ART Monitor application, see Chapter 27, "Using ART Monitor."
The Fast EtherChannel software option lets you aggregate the traffic of two or four separate full-duplex 200 mbps Fast Ethernet segments into one full-duplex trunk.
The Fast EtherChannel (FEC) option only functions on four-port Multiport Fast Ethernet SwitchProbe devices when you configure all Fast Ethernet ports on the device to full-duplex mode, and two full-duplex segments populate the four ports on the SwitchProbe device.
The WAN Decompression licensed software option lets Multiport T1/E1 WAN SwitchProbe devices monitor a WAN link that contains compressed data.This is a hardware-based compression---the device internally decompresses the WAN traffic being monitored.
WAN decompression currently supports only these compression types:
The following sections summarize the special capabilities of the TrafficDirector software when used with Frame Relay- and ATM-based technology:
You can use SwitchProbe devices to collect statistics from the following network topologies:
Cisco WAN SwitchProbe devices can also communicate with channel service unit/data service unit (CSU/DSU) devices that have embedded mini-RMON to collect a subset of RMON1 statistics for use in TrafficDirector applications. You can monitor both data terminal equipment (DTE) and data circuit-terminating (DCE) traffic across a Frame Relay link so communications in both directions on incoming and outgoing traffic are captured, to establish a baseline bandwidth for comparison against a CIR.
The TrafficDirector application can work with statistics from the various management protocols that a Frame Relay link may be using, including:
For LMI, Annex D and Annex A interfaces, the TrafficDirector application can autodiscover (learn) DLCI numbers for each permanent virtual circuit (PVC). The TrafficDirector application can also autodiscover CIRs when using LMI.
TrafficDirector applications can report on packets marked with a discard eligible (DE) tag, or with a forward explicit congestion notification (FECN) or backward explicit congestion notification (BECN). Doing so can help you determine whether the link is a sufficient size, or whether packet size is the cause of Frame Relay congestion.
TrafficDirector applications can also help you determine when to establish a new CIR based on increased utilization or isolate a particular DLCI that is using all of the trunk.
For more information on configuring the TrafficDirector software to work with Frame Relay agents, see Chapter 3, "Using Configuration Manager."
Cisco ATM SwitchProbe devices support the display of PVC channel traffic on OC-3 and DS-3 links to ATM switches and routers. You can monitor either LAN Emulation (LANE), Classical IP over ATM (CIP), or Multiprotocol over ATM (MPOA) type data LAN encapsulation.
To fully support ATM switching PVCs for analysis by a SwitchProbe device, the TrafficDirector application can display both ATM RMON statistics and generate ATM-based reports using an Ethernet shadow MIB.
You use the ATM Monitor real-time application to view ATM RMON MIB statistics. The ATM/Ethernet shadow MIB can map ATM-specific statistics such as cells and cell loss priority (CLP) count to Etherstats groups displayed in trend reports and other real-time monitoring applications. The shadow MIB also permits you to evaluate packet information related to ATM communications, because the ATM device must reassemble the cells into packets for display using the Ethernet shadow MIB. For more information on configuring the TrafficDirector software to work with PVC agents, see Chapter 3, "Using Configuration Manager."
The correlation between the TrafficDirector application network protocol models and the standard OSI model is shown in Figure 1-3:
The TrafficDirector application contains filters that can isolate an individual protocol from other network traffic. A second filtering process (for domains) separates components of the protocol stack for each supported protocol. For example, by using the Data Capture application and a filter that passes IBM traffic, you can select only IBM traffic in a segment. You then can use the Protocol Decode application to separate each packet (or frame) into its component layers and decode each layer according to the selected protocol (Figure 1-4). For more information, see Chapter 29, "Decoding Packets."
The following sections contain more information:
The TrafficDirector application agents selectively gather network traffic as frames from any operational segment protocol, node, or conversation. Agents store this information in an internal file and send the file to the TrafficDirector application when requested. The Protocol Decode application reads the data file and breaks each captured packet into individual protocols. You can then display or print either the raw data (in byte form) or the full seven-layer decode (Figure 1-5).
Table 1-3 lists the protocols supported by Protocol Decode.
| Ethernet | IEEE 8023 | IEEE 8025 | IEEE 8022 |
APPDSP | APPAEP | APPARP | APPASP |
APPLDDP | APPAFP | APPATP | APPSDDP |
APPRTMP | APPLAP | APPPAP | APPZIP |
DECDAP | APPNBP | CLNS | DECCTERM |
DECLAT | DECDRP | DECFOUND | DECMOPRC |
DECSMB | DECLDATA | DECMOPDL | DECSCP |
DODFTP | DECNICE | DECNSP | DODICMP |
DODGGP | DODARP | DODDNS | DODSMB |
DODIP | DODNTDAT | DODNTNAM | DODSMTP |
DODNTB | DODTCP | DODRARP | DODTLNT |
NOVERRP | DODTFTP | DODUDP | ES-IS |
NOVIPX | IBMSMB | ISO-Presentation | FTAM |
SNAPS | ISO-Session | NOVRIP | IBMNETB |
SNARHREQ | NCP | SNARU | NOVECHO |
SUNNFS | NOVSPX | SNATH | SNAFM |
SUNYP | SNARHRES | SUNMOUNT | SNMP |
TP 0/2/4 | SNAXID | VINEMAIL | SUNPMAP |
VINESARP | SUNRPC | VINESIP | VINESRTP |
VINESMM | VINESICP | VINESIPC | VINESSPP |
X400 | VINESST | XNSERRP | XNSPEXP |
XNSRIP | XNSECHO | XNSIPX | XNSSPX |
XNSSMB |
|
|
|
TrafficDirector applications use statistics based on the RMON standards groups:
Because TrafficDirector applications can interpret and manipulate both RMON1 and RMON2 data, you can monitor all seven layers of the OSI model.
The following sections provide more information:
Table 1-4 shows the statistics provided by the RMON1 groups.
| This Group... | Provides This Functionality |
Statistics | Counters for packets, octets, broadcasts, errors, and other statistics. |
History | A historical representation of the statistics counters, based on user-defined sample intervals. (A mini-RMON group.) |
Hosts | A table of statistical counters for each host. |
Host Top N | A user-defined subset (TopN) of the hosts, sorted by a statistical counter. By aggregating this data at the agent and returning only the results, management traffic is minimized. |
Traffic Matrix | Traffic and errors between pairs of hosts. |
Alarms | Thresholds, defined for any statistic, that return a trap to the management software. Alarms are the thresholds. (A mini-RMON group.) |
Events | SNMP traps based on the alarms group thresholds; also tracks alarms over time. (A mini-RMON group.) |
Filters | Criteria for selecting traffic for Packet Capture. |
Packet Capture | Stores network traffic to be uploaded later to the management software. |
Token Ring | Token Ring-specific information, including ring order and source routing. |
ATM is supported by ATM SwitchProbe devices using a shadow MIB to map ATM-specific counters to the etherStats group counters as shown in Table 1-5:
| ATM Statistic | Type | Description | ATM-to-Ethernet MIB Mapping |
|---|---|---|---|
Cells | Standard (as defined | Total number of error-free cells detected | UnderSize |
CallAttempts | Standard | Number of call attempted detected on all signaled ATM connections | Jabbers |
Calls | Standard | Number of successfully established calls detected on all signaled ATM connections | Fragments |
F5OAMCells | Proprietary | Number of F5 Operations and Maintenance (OAM) cells | OverSize |
CRCErrors | Proprietary | Sum of AAL5 PDUs detected with CRC32 errors plus non-AAL5 cells detected with CRC10 errors | CRC/Aligns |
CLPCount | Proprietary | Number of AAL5 PDUs detected with cell loss priority (CLP) bit set | Collisions |
Table 1-6 shows the statistics provided by the RMON2 groups:
| This Group... | Provides This Functionality |
|---|---|
ProtocolDir | Management stations may query RMON devices to learn from which domains they are collecting information. |
ProtocolDist | Defines how much traffic is distributed across the various protocols on the network, based on monitoring defined at the RMON device. |
AddressMap | A list developed by the RMON SwitchProbe device that matches host network addresses to MAC addresses. |
N1Host | Network-layer host statistics. |
N1Matrix | Network-layer host pair conversation statistics. |
A1Host | Application-layer host statistics. |
A1Matrix | Application-layer host pair conversation statistics. |
usrHistory | User-specified logging capability. |
probeConfig | Standards for device configuration, such as a method to define the current date and time settings, and reset controls, including running, warmBoot, and coldBoot states. |
Table 1-7 shows the directory structure created and used by the TrafficDirector software:
| Directory | Description |
$NSHOME/X | X server resource definition files |
$NSHOME/bin | Binary files (programs, icons, and so on) |
$NSHOME/binagent | Agent firmware |
$NSHOME/db | Logging database files |
$NSHOME/etc/help/tdir | Online help files (for use by GUI applications) |
$NSHOME/man | Manual pages (for UNIX man command) |
$NSHOME/msql | Mini-SQL files |
$NSHOME/reports | Reports generated by AutoReporter |
$NSHOME/samples | Sample user configuration and data files |
$NSHOME/ums | Files for integration with various umbrella management systems |
$NSHOME/usr | User configuration and data files |
$NSHOME/usr_version | Backup directory for $NSHOME/usr during upgrade installation |
Table 1-8 lists the standards adhered to and supported in this release:
| Standard | Pertinent RFC |
|---|---|
RMON | RFC 1757 |
Token-Ring RMON | RFC 1513 |
RMON2 | RFC 2021 and RFC 2024 |
ATM RMON | ATM Forum proposal |
HCRMON | IETF draft Note SwitchProbe devices do not use mediaIndependentGroup and usrHistoryHighCapacityGroup |
SMON | IETF draft Note SwitchProbe devices do not use dataSourceCaps, portCopyConfig, or smonRegistrationPoints. |
![]()
![]()
![]()
![]()
![]()
![]()
![]()
Posted: Fri Mar 31 08:52:16 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.