What A Network Manager Really Wants For Christmas

Network managers are not superhuman, you know. Sure, they can perform feats of dazzling IT acrobatics. They have the patience of a churchyard yew. But they can get stressed out too. Look closely and you’ll spot the signs of strain: a throbbing vein beneath the left eye, perhaps, or the frayed cuff of a cardigan.

The reason is simple. They are walking a tightrope. They must constantly balance the need to maximise network resources with the ability to foresee any potential negative performance impacts on critical business applications. This balancing act requires not only expertise but also the best possible suite of tools, with NetFlow at its core. While the current system is good – very good, in fact – it is not perfect. There is still room for improvement.

In the twelve-plus years since Cisco introduced its NetFlow IP traffic flow monitoring capability, it has grown to become one of the most widely adopted technologies for managing the huge array of devices and interfaces involved in modern enterprise-level networks. It offers most of the functionality of traditional, expensive, resource-intensive packet inspection-based monitoring and it can be inexpensively implemented.

This fact, combined with NetFlow’s scalability and the relative ease with which it can be deployed and maintained, has made it an attractive option for enterprise and service provider organizations around the world. With the advent of NetFlow v9, the technology has seen significant improvements in functionality and customisation. Most notably, users can now choose among 200+ fields to generate customised reports that meet their unique requirements.

While NetFlow is an excellent tool, most implementations still involve some degree of manual synchronisation between flow-based monitoring and other network monitoring systems. This is the missing link for the network manager.

If they could unify the unique strengths of both high-capacity NetFlow-based collection and SNMP-based monitoring, in a single user workflow, their job would be that much easier. In practical terms, it would mean that users could react instantly to utilisation spikes and other performance alerts from any polled data source, seamlessly drilling down through NetFlow to determine what applications, devices, and addresses are involved.

The NetFlow approach to traffic analysis is an alternative to packet-sniffing systems since NetFlow systems focus on network traffic accounting – examining information about flows of packets instead of examining the content of packets. Network managers can be dragged down by packet-based monitoring solutions that require probes for each node on a network. Far better to find a solution that will monitor the most complex global networks, encompassing tens of thousands of interfaces, with fewer than a dozen appliances.

Ask any network manager what they want for Christmas this year and, aside from the presentation box set of The IT Crowd (Series 1-3), they may ask for a network system that gives them integrated monitoring, alerts, troubleshooting and analysis. One that would allow users to retrieve rich, detailed reports within seconds of being alerted about a change in a key performance indicator.

If the network team could obtain information on every aspect of the event, including all associated devices and users, then they would be able to trace the issue back to its source. This would greatly reduce troubleshooting time, helping to identify and diagnose problems before they have a significant impact on network performance. It would also significantly ease the daily workload, enabling network engineers to concentrate on other business-critical activity.

Network managers want as much detail and depth as possible from a flow-based solution. Many current tools deny them the opportunity to dissect NetFlow fields and extract sufficient information. Take, for example, the NBAR field, which provides information on application recognition. This field is composed of both an engine ID and an application ID. But in order to give users a deeper understanding of what is most important for the proper functioning of their networks, network managers need to be able to break this field up into its components, storing and examining them as two separate fields.
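The split described above, as an added example that is not part of the original article or any vendor's code: it assumes the NBAR field is exported as the NetFlow v9 / IPFIX applicationId element laid out per RFC 6759 (one engine ID byte followed by the application ID, called the selector ID in the RFC), and the flow records, function names and the PANA-L7 application number are constructed for illustration.

```python
from collections import defaultdict

# Classification engine IDs defined in RFC 6759 (subset); others print as numbers.
ENGINES = {1: "IANA-L3", 3: "IANA-L4", 13: "PANA-L7"}

def split_application_id(raw: bytes) -> tuple[int, int]:
    """Return (engine_id, application_id) from an exported applicationId value.

    Byte 0 is the classification engine ID; the remaining bytes are the
    application (selector) ID in network byte order. The field length is
    set by the export template, so it is not assumed to be 4 bytes.
    """
    if len(raw) < 2:
        raise ValueError(f"applicationId too short: {raw.hex()!r}")
    return raw[0], int.from_bytes(raw[1:], "big")

def bytes_by_application(flows):
    """Sum octets per (engine_id, application_id), kept as two separate keys."""
    totals = defaultdict(int)
    for flow in flows:
        engine_id, app_id = split_application_id(bytes.fromhex(flow["application_id"]))
        totals[(engine_id, app_id)] += flow["octets"]
    return dict(totals)

def describe(engine_id: int, app_id: int) -> str:
    """Human-readable label; unknown engines fall back to their number."""
    return f"{ENGINES.get(engine_id, f'engine-{engine_id}')}:{app_id}"

# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "application_id": "03000050", "octets": 1200},  # IANA-L4, port 80
    {"src": "10.0.0.6", "application_id": "03000050", "octets": 800},
    {"src": "10.0.0.7", "application_id": "0d000031", "octets": 5000},  # PANA-L7, constructed ID 49
    {"src": "10.0.0.8", "application_id": "030035", "octets": 90},      # 3-byte field, port 53
]

if __name__ == "__main__":
    for (engine_id, app_id), octets in sorted(bytes_by_application(SAMPLE_FLOWS).items()):
        print(f"{describe(engine_id, app_id):<14} {octets:>6} octets")
```

Keeping the engine ID as its own column matters because the same application number means different things under different engines: 80 under IANA-L4 is a port, while 80 under PANA-L7 is an entry in the exporter's own application registry.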

One of the significant improvements that Cisco has made to version 9 of its NetFlow system is the inclusion of user-definable fields for collection templates. With over two hundred customizable data ranges that can be monitored and reported on, network managers have a unique opportunity to generate custom templates that deliver precisely the information that they need.

Of course, sifting through hundreds of options will make generating those templates from scratch a significant investment of time and effort. To the network manager’s wishlist, you can add a library of pre-defined templates that leverage some of the most useful and interconnected fields in NetFlow.

In-depth reports are all very well, especially if they are generated from a flow-based report synchronized to an SNMP alert. But a network manager covets an interface that can turn those reports into compelling, easy-to-grasp documents, which can be detached, and then appended to a unified reporting document generated on the fly based on each user’s specifications.

Users can then quickly create a report, analyse, chop, and reconfigure data, place it side-by-side for maximum impact (for example, aligning SNMP and flow-based reports of the same event on a single page), and convert it quickly to a PDF or other document format. Within minutes, users can both identify the source of a network issue and generate a concise, rich, and colourful report that explains their findings to others. Again, the savings on blood, sweat and tears for the network manager are incalculable.

With most monitoring solutions, reporting bottlenecks are inevitable, as a host of monitoring appliances must all feed information to a central reporting hub. To overcome this, network managers need peer-to-peer-based architecture so that every collector handles its share of any reporting requirements, avoiding potential bottlenecks.

Network managers are not demanding by nature, but they want a system that will collect as much raw flow data as possible, for as long as possible. If assisted by near 100% retention of granular data, they could ensure that critical, near-term troubleshooting information is not missed.

Bursts of short but intense traffic often occur in seconds or milliseconds. Resolution of these issues, which may be caused by improper QoS settings, can only occur with the most granular reporting possible. In the case of such common problems as clicks and noises on voice over IP calls or pixelation during video conferencing, the only way to determine the cause is the raw, unaggregated data provided, which is too often denied to the frustrated network manager.

Network managers are not hard to shop for. They know what they like. They want a solution for network performance monitoring, reporting and troubleshooting that reduces the time required to identify and resolve network issues that impact business productivity, while at the same time providing global, scalable, integrated SNMP and NetFlow monitoring. And when you consider that it can be provided at a fraction of the cost of a packet-based monitoring solution, maybe it is not too much to ask. After all, think what you will save your network manager in time, effort and cardigans.

Vess Bakalov is currently CTO of SevOne. Vess worked at BankOne in a number of senior technical positions, including Assistant Vice President and Network Architect. He also led the network management team for the Credit Card Services division, which was the largest issuer of VISA credit cards in the U.S. During his years at BankOne, Vess taught undergraduate and graduate courses as an Adjunct Professor of Computer Science at the University of Delaware. Vess began his career as a technical advisor for a fast-growing CLEC. There, he led the design and engineering effort behind that company's first DSL deployment. He was also in charge of architecting and developing the network management and instrumentation strategy for the firm.

  • It is exciting that Flexible NetFlow (FnF) which is based on NetFlow v9 can export 200+ fields. It is disappointing that most NetFlow Reporting tools only let Network Admins report or see a small subset of these fields. For example, only a couple companies report on NetFlow exported fields such as MAC Addresses, VLANs, Medianet, etc. I'm sure this will change in time.

    Jake

    • I agree, Jake. We are already allowing users to select any field in NetFlow v9 or IPFIX to include in their reports. This even includes enterprise fields that may not be defined in the standard – such as the fields used by Cisco ASA firewalls for NSEL or the fields needed for Medianet. Of course – we have also added canned reports for these popular technologies. SevOne has even added a couple of its own fields to better distinguish servers from clients to enhance application resolution and monitor response times.

      We think that we are only seeing the beginnings of what Flexible Flow technologies can do. I am looking forward to seeing equipment vendors enhance their offerings to take further advantage of this awesome technology.