The Reference Guide to Network Management Protocols
sponsored by

Table of Contents
Prologue
Volume 1: The Fundamental Protocols of Network Management
    ICMP
    SNMP
    ICMP and SNMP in Today's NMSs
Volume 2: The Windows Management Protocols
    RPC
    WMI
    WS-Management
    RDP
    Windows Management Protocols in Today's NMSs
Volume 3: Telnet, SSH, and Syslog
    Telnet
    SSH
    Syslog
Volume 4: The Flow-Based Protocols
    Understanding Network Flows
    NetFlow, J-Flow, sFlow, and IPFIX
    Leveraging NetFlow
    NetFlow in Today's Network Management Solutions
Volume 5: Cisco IP Service Level Agreements
    IP SLA Extends Traditional Network Monitoring
    IP SLA Responders
    IP SLA and Test Processing
    IP SLA in Today's NMSs

Prologue
Network management has been around since the very first network was connected. Any time two or more computers are plugged into each other, there eventually comes the need to manage, monitor, and analyze their communication. To that end, a suite of management protocols has been developed over time that assists in understanding the conversations that occur between networked devices.

These specialized protocols are fundamentally necessary due to the nature of network communication. You simply can't see bits and bytes crossing the wires in your data center. Thus, the only way to understand your underlying network behaviors is by relying on the reported data that is collected through these special protocols.

Your network today passes numerous protocols across its wires. These protocols are most commonly Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) in your Local Area Network (LAN), but most networks also have requirements for those that are less common (for example, AppleTalk and IPX) as well as others that are used for external routing (for example, BGP and EIGRP). What's interesting about the network management protocols is that they operate functionally differently than those whose job is to pass data between computers. As such, the protocol that you use for application access and data transfer operates in parallel with those you use to manage your network.

The goal of this five-part Reference Guide is to assist you with understanding and successfully employing those special network management protocols. Building upon the very simplest in Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP), this guide explores today's modern solutions for finding meaning in otherwise impossible mounds of data.

Volume 1

Volume 1: The Fundamental Protocols of Network Management
Starting with the basics are the two fundamental protocols of network management, Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP). Having been in service for nearly as long as the earliest networks, these two protocols remain useful as core tools for troubleshooting and managing your network. Most commonly known through its ping command, ICMP creates a low-level request and response that ensures core connectivity between two network endpoints. SNMP goes a step further. It elevates that level of gathered data by enabling devices to share their basic configuration and onboard metrics.

ICMP
ICMP is considered one of the core protocols in the Internet Protocol (IP) suite. Unlike the common data transfer protocols, such as TCP and UDP, ICMP is not typically used by applications as a method of communication. Rooted in the IP portion of TCP/IP, ICMP operates outside the rules of traditional TCP and UDP. Simply put, modifying TCP connectivity or access rules does nothing to impact ICMP, with the reverse also being true.

This isolation from the common data transfer protocols is what gives ICMP great power in troubleshooting and otherwise managing your network. Its protocol specification enjoys an extremely limited set of commands, which are restricted by design to the tasks of exploring host and network connectivity and routing. As such, ICMP traffic is commonly available in all but the most highly secured of networks.

ICMP's most common command is invoked by using the command-line ping executable. This executable by name is common across virtually every Operating System (OS) and Internetwork Operating System (IOS) in existence today. Executing a ping against a remote IP address returns a small, but very powerful, amount of information back to the user. As the following code snippet shows, a successful ping reply tells the user that the host is up, operational, and responding to the most basic of network requests.

C:\>ping www.solarwinds.com

Pinging www.solarwinds.com [74.115.13.20] with 32 bytes of data:
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117
Reply from 74.115.13.20: bytes=32 time=39ms TTL=117
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117

Ping statistics for 74.115.13.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 39ms, Average = 35ms

But this isn't all the information that is gained from a ping command's response. Also present in that ping reply is additional information about the state of the connection between the source and target. Its short response illuminates specifics about the number of milliseconds required to complete the round-trip request. This information provides a very high-level perspective of the connection's latency. Latent network connections can occur due to a list of factors, including bandwidth congestion, rate of errors through any of the links between source and target, and processing issues through any of the connected devices in the path.

Ping Provides Basic Information
Although the result from a ping command provides information about a network route's latency, this information is exceptionally coarse in its granularity. Latency as defined by a ping response represents little more than the amount of time that occurred between sending the ping request and receiving its reply. As such, its response illuminates little about the actual route taken and behaviors seen through its journey from source to target. For more detailed information, alternative protocols and techniques are necessary. Future volumes of this guide will discuss these options.

The effective transfer speed between a source and target depends heavily on a number of factors. As one example, each and every time a packet hops through a network device (router, switch, or firewall), a small amount of delay is introduced into its round-trip time. Thus, as the number of hops increases, the effective performance of the connection decreases slightly.

A ping response will report on the number of hops required to complete that travel from source to destination as a function of its Time To Live (TTL) metric. This is done by subtracting the reported TTL found in a ping response from the configured TTL. Today's Windows OSs use a default value of 128 as their TTL, with every hop from source to destination reducing this value by one. As a result, in the previous code snippet, a connection to the Web site www.solarwinds.com requires 11 individual hops to route between source and destination.

Transfer speed can also be affected by the size of the data being transferred from source to destination. Larger-sized data is usually fragmented in transit to increase its performance in transmitting from source to target. Ping by default will send a 32-byte string of repeating alphabetical characters as its payload during a request. Both the size of that payload and a setting that determines whether it can be fragmented are common options with each OS/IOS ping command. Some ping commands also enable the customization of the ping payload as an advanced option. This is often used to verify whether the composition of the data itself is presenting an impact on a connection's performance. Each of these capabilities is available to verify how well a connection is performing based on the size and contents of a ping request's payload.

A final piece of critical information found through an ICMP ping relates to the high-level quality of the connection between source and target. Listed in the final four lines of a successful ping response is information about that connection's packet loss. Packets that do not successfully make their way from source to target are considered lost by ping. The count of lost packets (as well as the resulting percentage of lost traffic as a function of total traffic) represents a level of transferred data that must be re-sent by TCP to ensure its payload transfers successfully. This designation often indicates that a problem is occurring within that network connection, such as signal degradation, oversaturated network links, packets that were corrupted or rejected in transit, faulty networking hardware or drivers, or other problems intrinsic to the network path. Although the specifics of the problem are left to other more granular protocols, this simple command provides a very easy way to gauge a connection's health at the highest of levels. Although packet loss for communications such as common file transfers tends only to reduce the overall performance of the link, its presence can be very problematic for certain types of stream-oriented traffic. For example, VoIP, videoconferencing, remote access, streaming, and other latency-sensitive traffic types are particularly affected by packet loss.
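
Added example (not part of the original guide): a Python parser for Windows ping output that derives the three readings discussed in this section, latency, hop count from TTL, and packet loss. It assumes the responder's initial TTL is one of the common defaults 64, 128 or 255, because the TTL in a reply is set by the responding host; the second transcript is constructed for illustration.

```python
import re

# Transcript reproduced from the ping output shown in this guide.
PAGE_SAMPLE = """\
Pinging www.solarwinds.com [74.115.13.20] with 32 bytes of data:
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117
Reply from 74.115.13.20: bytes=32 time=39ms TTL=117
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117
Reply from 74.115.13.20: bytes=32 time=34ms TTL=117
"""

# Constructed sample (documentation address): half the probes are lost and
# the responder starts from a different initial TTL.
LOSSY_SAMPLE = """\
Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=12ms TTL=57
Request timed out.
Reply from 192.0.2.10: bytes=32 time=88ms TTL=57
Request timed out.
"""

REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
TIMEOUT_RE = re.compile(r"^Request timed out\.", re.MULTILINE)

# Initial TTLs commonly used by IP stacks; an assumption of this example.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(reported_ttl):
    """Return (assumed_initial_ttl, hops) for the TTL seen in a reply.

    The reply's TTL was set by the responding host and decremented by each
    router on the way back, so the starting value is inferred as the nearest
    common default at or above the reported value.
    """
    if not 1 <= reported_ttl <= 255:
        raise ValueError("TTL out of range: %r" % reported_ttl)
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= reported_ttl)
    return initial, initial - reported_ttl


def summarize_ping(text):
    """Derive loss, latency and hop estimates from Windows ping output."""
    replies = [(int(m.group(3)), int(m.group(4))) for m in REPLY_RE.finditer(text)]
    lost = len(TIMEOUT_RE.findall(text))
    sent = len(replies) + lost
    if sent == 0:
        raise ValueError("no ping replies or timeouts found")
    summary = {"sent": sent, "received": len(replies), "lost": lost,
               "loss_pct": 100.0 * lost / sent}
    if replies:
        rtts = [rtt for rtt, _ in replies]
        ttls = sorted({ttl for _, ttl in replies})
        # Use the lowest TTL seen, i.e. the longest return path observed.
        initial, hops = estimate_hops(ttls[0])
        summary.update(min_ms=min(rtts), max_ms=max(rtts),
                       avg_ms=sum(rtts) / len(rtts),
                       reply_ttls=ttls, assumed_initial_ttl=initial,
                       estimated_hops=hops)
    return summary


if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("lossy", LOSSY_SAMPLE)):
        print(name, summarize_ping(sample))
```

More than one value in reply_ttls within a single run means replies came back over paths of different lengths, which is worth a closer look with a route-tracing tool.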

SNMP
Although ICMP is both simple and pervasive, its commands are by design very simplistic. Running an ICMP query gives you only very basic information about a host's connection, which is why it is most commonly used to verify only whether a host is listening. If you want higher-quality data, you need a protocol with greater reach into the devices on your network.

One of the earliest of these protocols remains in heavy use today. SNMP goes beyond ICMP's very simple and highly structured information to enable the gathering of virtually any kind of data from a network device. Due to SNMP's long history and widespread use, virtually every network device (and even many servers and applications) has been made SNMP-aware. Awareness in this context means that the device is configured to receive and respond to SNMP requests from a central Network Management Solution (NMS).

The structure of an SNMP operation is based on a request for information, fundamentally using SNMP's GET and GET-NEXT operations. These two commands enable an SNMP requestor to ask for a particular piece of information that is stored on a target device. The GET command is followed with a type of address for the information that is desired. GET-NEXT is used when the requestor wants to locate the next piece of information that is stored in that device's hierarchy. Both commands leverage port 161/UDP for their communication, which is a configurable port on virtually all devices.

To access that information, each register on each device requires its own unique identifier. This identifier must obviously be unique across every device in existence and with each register of information itself requiring its own address. Like IP addresses, SNMP uses a dotted decimal notation for denoting that unique identifier, called an Object Identifier (OID). For example, to access the value of the agentCurrentCPUUtilization register on a particular type of Cisco switch, SNMP would be configured to GET its value from the OID 1.3.6.1.4.1.14179.1.1.5.1 at the switch's IP address.

Obviously, the list of potential OIDs for all the devices on your network is unfathomably large. Your NMS will typically arrive with a large set of OIDs already present in its database. Additional OIDs can usually be downloaded from the vendor and automatically ingested into your SNMP solution's database. Because SNMP is intended to be a cross-vendor solution, this extensibility enables a single NMS to manage and monitor information across all classes of SNMP-aware devices and applications.

The result is that a single central NMS can create an ongoing picture of the internal behaviors of the devices on your network. That picture includes information about device performance, and can include additional details such as configurations, environmental characteristics, and network statistics. Because the NMS regularly polls SNMP endpoints on your behalf, it can store this information for later retrieval.

The second job of an effective NMS is the creation of visualizations of this data that are useful for administrators. Crunching numbers from gathered statistics and presenting visualizations are key factors in finding an NMS that works for your environment.

Although SNMP's GET command enables the gathering of data from network devices, a second command, SET, is used to update information. For certain types of OIDs, specifically those that relate to device configurations, it is possible to use the SET command with an OID and the value to be changed to remotely change the configuration of a networked device.

In every case, for an NMS or other requestor to work with a remote device, that device must be preconfigured with an SNMP Community String. This string (of which one is typically used for reading information with a separate and second one used for updating information) operates as a type of shared-secret password between the NMS and every device it manages. As a shared secret, this string must be entered into each device and into the NMS before each half will communicate with the other. The management of these Community Strings is a common administrative headache in the use of SNMP, one that is eased through the use of fully featured NMSs.

SNMP and Security
SNMP is a unified solution for gathering and updating data across all the devices and applications on your network, so it goes without saying that you must be careful in its implementation. Properly securing SNMP is critical. That security can occur through a range of tactics, including the use of access lists on firewalls to isolate SNMP traffic, ensuring that strong Community Strings are used to prevent hacking, leveraging the privacy and encryption functions that are available in SNMPv3, and/or the use of isolated management VLANs that are dedicated for SNMP communication. Any or all of these capabilities goes far in securing SNMP against the threat of external attack.
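
Added example (not part of the original guide): a Python BER encoder and decoder for an SNMPv1 GET, showing that the Community String described above is carried as readable bytes in every request, which is why the access lists, management VLANs and SNMPv3 privacy named in the sidebar matter. The community value "public" is a constructed sample; the OID is the one quoted earlier on this page.

```python
# BER tags used by SNMPv1 messages (RFC 1157).
SEQUENCE, INTEGER, OCTET_STRING, NULL, OBJECT_ID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def tlv(tag, value):
    """Encode one BER tag-length-value element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def ber_int(n):
    """Encode an INTEGER as two's-complement, big-endian."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted):
    """Encode a dotted OID: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("unsupported OID: " + dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # last byte: continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OBJECT_ID, bytes(body))


def build_request(community, oid, request_id=1, pdu_tag=0xA0):
    """Build an SNMPv1 request carrying one OID with a NULL placeholder value."""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_message(packet):
    """What any on-path observer can read from an SNMPv1 request datagram."""
    _, message, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(message, 0)
    _, community, pos = read_tlv(message, pos)
    pdu_tag, pdu, _ = read_tlv(message, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)            # error-status
    _, _, pos = read_tlv(pdu, pos)            # error-index
    _, bindings, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(bindings):
        _, binding, pos = read_tlv(bindings, pos)
        oids.append(decode_oid(read_tlv(binding, 0)[1]))
    return {"version": int.from_bytes(version, "big"),   # 0 means SNMPv1
            "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    # "public" is a constructed sample value; the OID is the one on this page.
    pkt = build_request("public", "1.3.6.1.4.1.14179.1.1.5.1")
    print(pkt.hex())
    print(inspect_message(pkt))
```
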

As you can see with this implementation, the commands discussed to this point are useful only when an NMS can regularly poll each device on the network. Some situations, however, may mandate that a device unilaterally inform its NMS about a particular preconfigured condition. In this case, an unsolicited SNMP TRAP command can be sent in one direction from device to NMS to inform that the condition has occurred. This trap can relate to the server being powered up or down or a preconfigured network condition such as congestion that is currently occurring within the device's sensors. SNMP TRAP commands are sent across a different port, 162/UDP by default. This port can additionally be changed on virtually all devices if desired.

ICMP and SNMP in Today's NMSs
Today's NMSs rely heavily upon both ICMP and SNMP for their monitoring of network conditions. ICMP is commonly used for information on a per-device or per-node basis, such as device status monitoring, availability monitoring, and network latency to individual devices. SNMP augments this information through its added data about device behaviors and characteristics. SNMP can collect and report on deeper metrics associated with each device, such as internal performance statistics or its configuration. SNMP's deeper level of data illuminates more detail about an environment, providing information such as individual interface status, CPU/memory/disk utilization and performance, and per-interface traffic and level of errors.

An advanced NMS such as the Orion Network Performance Monitor (NPM) from SolarWinds enables all these features in a singular solution. It also offers several capabilities above and beyond those listed. Orion NPM enables administrators to collect information and combine it with additional data.

Volume 2

Volume 2: The Windows Management Protocols
The successful monitoring and management of Windows-based systems requires more than standards-based protocols such as Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP). Also needed are Windows-specific protocols. These protocols exist high in the IP stack's Application layer and by design rely on others below them for routing and switching support. These added protocols are used for applications such as DNS, the Web, FTP, and mail transfer among many others.

Where this discussion leads in terms of Windows management is related to those very Application-layer protocols. The Microsoft Windows Operating System (OS) leverages its own suite of protocols for communications between Windows servers and workstations. These protocols layer atop core TCP and UDP to enable server and service communication across an IP network. Two examples of these high-level protocols are the Remote Procedure Call (RPC) protocol used for Windows interprocess communications, and the Remote Desktop Protocol (RDP), which is used for transferring display and control information between a server and client.

Other protocols that are used by the Microsoft Windows OS include the Windows Management Instrumentation (WMI) protocol as well as the more recent implementation of WS-Management. WS-Management is manifested within the Microsoft Windows OS through its Windows Remote Management v1.1 and v2.0 implementations.

Highlighting these OS-specific protocols is necessary because of the information that they can illuminate to the network administrator. Protocols such as ICMP and SNMP, discussed in Volume 1, are capable by design of presenting only certain types of metrics back to the administrator. Although SNMP can be extended to support the storage of virtually any data point, that extension must be preconfigured within each OS or application. Such extensions for SNMP awareness have not been undertaken for a large amount of on-system data that is needed for truly holistic management.

Microsoft, however, has made a substantial effort in enabling WMI awareness for its OSs and applications. Thus, deep monitoring support that could not otherwise be monitored through ICMP or SNMP is available for many applications using WMI. Thus, any Network Management Solution (NMS) that desires to peer into the Windows OS and its applications must additionally provide support for these other protocols.

RPC
The backbone of Windows network communication rests on the RPC protocol, and as such, RPC is a necessary part of all Windows environments. At the same time, that pervasiveness makes it especially problematic for network security. The Microsoft implementation of the RPC protocol leverages an RPC endpoint mapping service, which is given the job of identifying and cataloging which ports are to be used by which services on a Windows server. This determination is made when the machine starts up as well as when services are started during normal operations.

Although RPC's dynamic nature enables a large number of services on each system to intercommunicate across a local area connection, that same dynamic approach means any number of TCP ports can be open and listening on a Windows instance at any point in time. An RPC connection on Windows Server 2008 can occur between a range of ports between 49152/TCP and 65535/TCP at both the source and destination. Those ports often change as services and processes instantiate, close, as well as make and complete requests across the network. Because of this, in every Windows network, these ephemeral ports are always listening and always changing.

As a result, an effective NMS must be able to monitor for the availability of RPC-based communication as well as which services are listening on which ports. This information provides great insight into the types of communication that are occurring on the network, and helps to isolate problems that relate to interprocess communications. Further, as many forms of malware leverage the same dynamic infrastructure that is used by legitimate Windows services, this level of monitoring enables administrators to root out infections in real time as they occur.

WMI
RPC traffic in and of itself provides only a high-level representation of the overall communication flow. In its Windows OS, Microsoft has developed the WMI protocol as a proprietary alternative to SNMP. This remote monitoring and management protocol represents Microsoft's implementation of the Web-Based Enterprise Management (WBEM) Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF). WMI operates much like SNMP in that WMI can be used for gathering metrics data and updating certain configurations. However, WMI is much different than SNMP in that WMI's reach is limited to the Windows OS and installed applications.

WMI is further different from SNMP through the ways in which WMI's database can be interfaced. SNMP's request/response activity is defined directly in SNMP; in contrast, WMI requests can be wrapped into one of many languages. As examples for administrative scripting, Microsoft's implementations of both VBScript and Windows PowerShell include support for creating WMI queries.

The query syntax used for WMI calls is also extensible. Whereas SNMP includes but two commands for requesting information (GET and GET-NEXT), WMI offers the much richer WMI Query Language (WQL) for queries. Specific WMI providers can leverage their own query support if an enumeration technique is built into the provider. For example, the generic WQL query for enumerating information from the Win32_DiskDrive provider would resemble Select * from Win32_DiskDrive. The resulting query would result in a collection of items from that provider. WQL includes additional constraints for limiting resulting information, although a common practice is to build constraints into the surrounding scripting language where possible. Doing so provides the greatest level of flexibility while circumventing limitations in the constraint options native to WQL.

Free Tool: SolarWinds WMI Monitor
WMI's powerful extensibility also exposes a measure of complexity. This complexity means that most administrators leverage external tools for working with WMI. One such tool is the SolarWinds WMI Monitor, which can be downloaded from http://www.solarwinds.com/products/freetools/wmi_monitor. This tool enables the monitoring of many facets of your Windows servers and applications through a single user interface (UI).

WS-Management
WMI's native transport for Windows OSs prior to Windows Server 2008 was the Distributed Component Object Model (DCOM). Relying on RPC for its connectivity underpinnings, DCOM functioned well for use in Local Area Networks (LANs). However, RPC's dynamic nature makes it both problematic as well as insecure to operate through firewalls or network architectures that aren't relatively open. This limitation meant that accomplishing the remote management of systems outside the traditional LAN was difficult or impossible through the WMI/DCOM combination alone.

To address the problem, Microsoft later adopted the industry-standard WS-Management framework in Windows Server 2008. Microsoft's implementation of WS-Management is represented with its Windows Remote Management (WinRM) service. This industry specification is based on DMTF open standards and Internet standards for Web Services. It leverages the firewall-friendly Simple Object Access Protocol (SOAP) for its exchange of information, extending the monitoring reach of WMI to many new areas.

As a Web Services implementation rather than relying on RPC, WS-Management (and thus WinRM) can much more easily pass WMI data over firewalled networks. A Web Service represents a Web-based endpoint whereby a client can interface to request and submit information. As a Web Service, this endpoint can operate over a single, known port (commonly, 80/TCP or 443/TCP) rather than a range of dynamic ports.

It is important to recognize that Microsoft's implementation of WS-Management layers atop the traditional WMI/DCOM stack, enabling exposure to the stack through the structured Web Service. When enabled (as it is not enabled by default), this architecture retains the former WMI/DCOM compatibility with traditional WMI scripts and application infrastructures while adding the ability for SOAP-aware clients to interact with the server via a Web-friendly transport.

What this means to the average IT organization is that traditionally unmanageable systems such as those in DMZs or on Extranets can now be managed through WS-Management-enabled NMSs. In effect, the same types of information that can be gathered through WMI-based solutions can be now obtained in these systems that aren't on the LAN.

RDP
The final Windows management protocol of note is RDP, which has dramatically grown in use since its inception with Windows NT 4.0 Server, Terminal Server Edition. Originally designed for specialized use in connecting remote users to applications on a centralized set of servers, use of RDP has grown to include administrative connections to server desktops.

Unlike the more transaction-based protocols seen in SNMP, WMI, and others, RDP can be considered more like a streaming protocol, although this description is not completely accurate. RDP sends screen updates from server to client when the server session's screen changes. It sends keyboard and mouse commands from client to server when keys are pressed or mouse interrupts are processed. Intercepting data from an RDP connection will result in a jumble of screen part updates interspersed with keyboard and mouse commands, making reconstruction nontrivial without specialized tools.

By default, RDP operates over the target port 3389/TCP. Thus, this single TCP port must be routable through firewalls or through network ACLs for connectivity to RDP hosts. RDP can be reconfigured to route through alternative ports. High-security environments often use tools to encapsulate RDP traffic within SSL, which changes its default port to 443/TCP, adds security and authentication, and enables the secure passing of RDP traffic across the Internet.

RDP's stream-driven nature enables it to pass updates across very low-bandwidth connections. Thus, high-use connections can remain in the data center, with only the resulting presentation data being submitted to the user. For certain applications, this is a boon to remote support. However, this same interactivity makes the protocol highly latency-sensitive. In effect, if you move your mouse, you want its cursor to track with your hand's movement rather than delaying by seconds or partial seconds.

As a result, monitoring needs for RDP tend towards aggregate statistics over and above specific session details. With remote application support use on the rise, your network management of RDP will likely include the necessary monitoring integrations (both at the network level and via Windows-specific integrations such as WMI) to identify and report on user experience conditions.

Windows Management Protocols in Today's NMSs
Today's NMSs are tearing down the traditional barriers between the old management silos of network versus servers and applications. This is accomplished through built-in integrations directly into the Windows OS and its installed applications. With an effective NMS in place, it is possible to measure aggregate network statistics across Windows-based protocols such as RPC and RDP, as well as integrate with Windows WMI through both RPC/DCOM and WS-Management (WinRM). The result is an ability to gather OS and application statistics off your servers just like the network statistics you get from ICMP and SNMP.

Orion Application Performance Monitor (APM) from SolarWinds is one solution that accomplishes all this in an easy-to-use package. Orion APM includes native support for WMI, including the ability to define custom WMI monitors. With its internal credential management capabilities, Orion APM can quickly connect to servers and applications for the automated gathering of and reporting on Windows-based data.

Orion Application Performance Monitor (APM) adds advanced application monitoring capabilities such as end-user experience monitoring to create an end-to-end solution for verifying application performance. Orion APM provides deep insight into distributed applications, presenting alerts as well as trending and analysis for every part of an application's infrastructure.

The net result is a single pane of glass that enables the central monitoring of network health alongside application health. Viewing and being alerted on server disk space consumption or Microsoft Exchange database performance can be accomplished via the same interface as network bandwidth or latency information. By aggregating the Windows focus with the network focus, root causes of environment problems can be better tracked to their problem domain. This functionality improves the overall troubleshooting process while ensuring that network teams and server teams all work from the same set of information.

Volume 3

Volume 3: Telnet, SSH, and Syslog
Although the Windows network management protocols tend towards specifically designed extensibility, the traditional UNIX-based protocols, such as telnet, ssh, and Syslog, tend to be very handy in troubleshooting across a range of network issues. These protocols can be used for troubleshooting basic IP network connectivity, and, in the case of telnet, can even be used as a command-line solution for testing the status of individual TCP ports. In fact, the use of these protocols has grown so ubiquitous across all kinds of networks that referring to them as UNIX-based no longer truly represents their cross-platform utility.

In today's networks, protocols such as telnet, SSH, and Syslog are commonly used in connecting to and managing all manner of network devices. This third volume will explore these three protocols in depth, discussing where they fit into connecting to and managing the business network. In all three cases, these protocols enable vision into network devices and server behaviors that illuminate specific conditions or configurations on the network.

Telnet
Telnet is considered one of the oldest protocols still in common use today. Developed first in 1969, telnet actually represents an acronym that stood for teletype network. In that time, the telnet command was used in connecting to early mainframe systems, with that same utility relatively unchanged throughout its lifespan. Today's use of the telnet command is primarily as a mechanism for accessing a UNIX or Linux system's command-line interface. In networking domains, telnet is also commonly used for connecting to a network device's command-line management interface.

Since the release of Windows NT 4.0 SP3, the Microsoft Windows Operating System (OS) has incorporated a telnet server into its Services for UNIX add-on product, which was later renamed to Subsystem for UNIX-based Applications (SUA) in Windows Server 2003 R2. Although Microsoft's telnet server indeed creates a Windows service (daemon) for receiving telnet requests, its use on the Windows platform is relatively uncommon in networks today.

The telnet command encapsulates user data into the same channel as its own control information as it passes to the target computer or device. Thus, telnet functionally operates as both a management protocol and a data transfer protocol. Telnet resides in the IP suite's Application layer, riding atop the TCP transport and commonly using 23/TCP as its network port.

Today's use of telnet has fallen out of common practice for many business networks due to its inherent incapability to authenticate target servers. Telnet also lacks key encryption capabilities that ensure its data is secure in transit. The combination of these limitations means that telnet (and telnetting to a server or device) is no longer a security best practice. Replacing the telnet command is the ssh command, discussed in the next section, which includes the necessary capabilities for connection security.

However, this limitation on telnet's use has far from eliminated it from the administrator's quiver of management tools. One feature of telnet that remains in common use even today is in its ability to create raw TCP connections between a source and target. This raw connection is used to verify layer 3 and layer 4 (TCP and port) connectivity between two hosts. The following code snippet shows how the telnet command can be invoked against a remote server and TCP port as a low-level test for a listening service at the target IP:

telnet 192.168.0.22 80

Inthissnippet,youcanseehowthetelnetcommandisinvokedagainsttheremoteserver
192.168.0.22andpointedtowardsport80/TCP.InvokingthisonaMicrosoftWindows
instanceagainsttheremoteserverwillaccomplishoneoftworesults:eithertherequest
willberejectedwithanobviouserrormessageorthecommandwindowwillrefreshto
showablankscreen.Ascreenrefreshtoablankscreentellstheadministratorthatthe
remoteserverisindeedlisteningonthatremoteportandthatnetworkingaccesscontrol
lists(ACLs)orhostfirewallsarenotblockingitscommunication.
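
The same layer 3 and layer 4 check can be scripted so that each outcome is reported explicitly instead of being read off the screen. The following Python is an added example, not part of the original guide; the function names `tcp_probe` and `demo_on_loopback` are assumptions, and the demo uses constructed sockets on 127.0.0.1 so that it runs offline.

```python
import errno
import socket


def tcp_probe(host, port, timeout=3.0):
    """Attempt one TCP handshake to host:port and classify the result.

    "open"        handshake completed (telnet's blank screen)
    "refused"     host answered with a reset: reachable, nothing listening
    "filtered"    no answer before the timeout: typically an ACL or firewall drop
    "unreachable" the local stack or the path reported no route to the host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def demo_on_loopback():
    """Constructed offline demo: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # released: nothing listens here now

    try:
        return (tcp_probe("127.0.0.1", open_port),
                tcp_probe("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_on_loopback())
```

A "filtered" result is the case the telnet client cannot distinguish well: the request eventually fails, but only the timeout tells you that a packet filter, rather than the host, discarded it.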
Finding telnet in Today's Microsoft OSs
Today's Microsoft OSs (Windows Vista or later clients and Windows Server
2008 or later servers) no longer have the telnet command natively available.
The command must be installed after an OS installation from within the
Control Panel. To do so, navigate to the Programs and Features node, and
select Turn Windows features on or off. In the resulting window, choose to
enable the Telnet Client feature.

SSH
The ssh or "secure shell" command has in most environments superseded telnet as the best
practice for connecting to remote servers and desktops. From the perspective of the user,
ssh's most basic functionality performs essentially the same function as telnet: it opens a
connection to the command-line interface on an identified remote server. Where ssh differs
is in how it secures that connection from end to end.

Originally developed in 1995, ssh uses public-key cryptography to first authenticate the
remote computer. Once authenticated, ssh creates a connection that is then secured to
ensure both data integrity and confidentiality as it crosses the network. Unlike telnet,
whose code base has relatively stabilized through its long history, a number of ssh
implementations are available today. Its myriad versions have been created in many ways
due to the discovery of security vulnerabilities in previous versions. The currently
accepted version of ssh is titled SSH-2 and is a proposed Internet standard under review
by the Internet Engineering Task Force (IETF).

The actual use of ssh differs from telnet in that ssh can be a platform upon which additional
functionality can be hosted. In addition to creating a secure connection to a command-line
interface, the ssh protocol can be leveraged for many uses:

Single-line command execution

File transfer, manifested as SCP, SFTP, or rsync

Port forwarding or tunneling

Creation of VPN connections, enabled through the OpenSSH distribution

Web browsing via the SOCKS protocol

Remote directory mounting, manifested as SSHFS

In short, although most network devices retain the capability to use telnet for remote
management, it is considered the industry best practice to use ssh. Although ssh is not
natively available in the Microsoft Windows OS in any edition, clients for ssh are available
as installed applications to accomplish necessary management.

Syslog
Grouped in this volume because of its UNIX-based roots, Syslog is a fundamentally different
protocol in terms of its utility to network management. Syslog is a mechanism whereby
event log information from one or more servers or devices can be aggregated into a single
database for storage and historical analysis. Like telnet and ssh, Syslog has a long history,
starting with its initial development in the 1980s with the Sendmail project.

The aggregation of event log data provided by Syslog is useful for the business network,
although most specifically for use in auditing purposes. Being event-based data in nature,
the kind of data aggregated by Syslog tends to relate to the contents of various logs on
individual devices themselves. This is much different than the kinds of sensor data that is
used in viewing network packets, analyzing flows, or monitoring performance metrics.
Due to the recent surge in more useful technologies for these kinds of analysis (to be
discussed in Volumes 4 and 5), today's use of Syslog is often focused on data for auditors.

At a high level, today's industry and regulatory compliance laws mandate that information
about user and administrator actions must be consolidated into a protected database. That
database generally must include non-repudiation features that protect it from malicious
corruption or deletion. This capability is not typically available on individual devices. Using
Syslog to consolidate this information across multiple devices and into a separate database
fulfills those necessary auditing requirements.


Free Tool: SolarWinds Kiwi Syslog Server
The servers that gather and store Syslog information from devices across the
network come in many shapes and sizes. One solution that accomplishes the
job with many desired features is SolarWinds Kiwi Syslog Server, which can
be freely downloaded from
http://www.solarwinds.com/products/freetools/kiwi_syslog_server. This
download includes both the Syslog server software for gathering and storing
log information as well as the necessary Log Forwarding software that is
installed to each Windows device under management.
The implementation of Syslog in servers and network devices can be, and usually is,
dramatically different depending on the device. For example, configuring a Cisco PIX
firewall for Syslog can use a command structure similar to the following example:

logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.1.100

In contrast, configuring the same kind of logging on a Cisco CatOS switch can use the
following command structure:

set logging server enable
set logging server 192.168.1.100
set logging level all 5
set logging server severity 6

UNIX, Linux, and Microsoft Windows OSs also have different mechanisms for enabling
Syslog logging. Refer to your product documentation for specific information associated
with enabling and configuring Syslog on each device. Be aware also that a Syslog service or
daemon must be enabled on the target host (192.168.1.100, in the previous examples) to
receive the information.
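
What arrives at the collector can be checked against the PIX configuration above: with `logging facility 19` and `logging trap notifications`, every message should carry a priority value (facility times 8, plus severity) whose facility is 19 and whose severity number is 5 or lower. The following Python is an added example, not from the original guide; the function names are assumptions and the sample messages are constructed.

```python
import re

# Severity keywords as used by Cisco "logging trap <level>" (0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Syslog facility codes 0-23; codes 16-23 are local0-local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % n for n in range(8)]

PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)


def parse_line(raw):
    """Split the leading <PRI> into facility and severity (PRI = fac*8 + sev)."""
    match = PRI_RE.fullmatch(raw)
    if match is None or int(match.group(1)) > 191:
        raise ValueError("missing or out-of-range priority value")
    facility, severity = divmod(int(match.group(1)), 8)
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "message": match.group(2)}


def check_against_config(lines, facility=19, trap="notifications"):
    """Separate messages consistent with the device config from the rest."""
    limit = SEVERITIES.index(trap)
    accepted, flagged = [], []
    for raw in lines:
        try:
            rec = parse_line(raw)
        except ValueError as exc:
            flagged.append((raw, str(exc)))
            continue
        if rec["facility"] != facility:
            flagged.append((raw, "facility %d, expected %d"
                            % (rec["facility"], facility)))
        elif rec["severity"] > limit:
            flagged.append((raw, "severity %s is below trap level %s"
                            % (rec["severity_name"], trap)))
        else:
            accepted.append(rec)
    return accepted, flagged


# Constructed sample payloads (not captured from a real device).
SAMPLE = [
    "<157>Jan 10 2010 09:15:02: %PIX-5-111008: User 'admin' executed the 'logging on' command.",
    "<156>Jan 10 2010 09:15:07: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4412 dst inside:192.168.1.20/23",
    "<166>Jan 10 2010 09:15:09: %PIX-6-302013: Built outbound TCP connection 1201 for outside:203.0.113.9/80",
    "Jan 10 2010 09:15:11: message with no priority field",
]

if __name__ == "__main__":
    ok, bad = check_against_config(SAMPLE)
    print(len(ok), "accepted")
    for raw, reason in bad:
        print("FLAGGED:", reason, "|", raw[:40])
```

A flagged message does not prove tampering, but a source that suddenly sends a different facility or a lower-priority severity than its configuration allows is either misconfigured or not the device it claims to be, and syslog over UDP gives the collector no other way to tell.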
Telnet, SSH, and Syslog in today's NMSs, as with those focused on Microsoft Windows, are
useful for the management of your network. Telnet and ssh are both useful for network
testing as well as connecting to the devices across your network. The enabling of Syslog
across devices on your network automatically creates an auditable database of information
useful for compliance auditors.

Yet in all these situations, the command is only as useful as the endpoint to which you
target it. Knowing that you can use telnet to verify TCP port listeners is useful if you're
willing to repeatedly enter TCP ports to verify. Creating a proactive environment where
open ports are automatically tested and alerted isn't easy to create with command lines
only. Simply finding the right IP addresses to connect and interface with grows unwieldy as
your environment scales. Setting up Syslog and configuring it across a range of devices (and
device configurations) is a manual and error-prone activity.

Tools such as SolarWinds Kiwi Syslog Server, SolarWinds Orion Network Performance
Monitor, and the SolarWinds Orion Network Configuration Manager (NCM) ease the
management burden of each of these processes through high levels of built-in automation.
Once installed, SolarWinds software can easily discover the devices on your network,
immediately creating a map of connections for your administration while quickly bringing
those devices under unified management. Integrating Syslog capabilities with its other fault
and performance utilities, the components in the SolarWinds Orion family aid in finding
performance issues and updating configurations through their unified interface.


Volume 4: The Flow-Based Protocols
The management protocols discussed in this Reference Guide have thus far dealt heavily
with the needs for configuration management and inventory. Basic troubleshooting
capabilities were also discussed with tools such as ping and telnet. Yet any network that
grows beyond just a few components requires advanced analysis capabilities that simply
aren't available with these basic toolsets. When users call to inform you that "the network
is slow today," you need additional functionality that clues you in to the problem's root
cause.

Traditional tools to accomplish this deep level of troubleshooting have often focused on
packet analysis and inspection. However, the process of finding meaning in individual
packets is exceptionally difficult for all but the most experienced of network engineers.
Additionally, these tools aren't designed to give that engineer a high-level view of network
behaviors. Their low-level perspective simply doesn't provide the kind of metrics that
explain how data moves around the network in aggregate.

Needed is that higher level of perspective. With such a perspective, a network engineer can
look at high-level flows to quickly isolate bandwidth utilization and identify traffic
behaviors based on ports, protocols, endpoints, and even individual networked
applications. That high-level perspective is gained through a suite of protocols commonly
referred to as NetFlow.

Understanding Network Flows
To begin, consider first what a network flow is. A flow is identified by combining a set of
key fields from a stream of network packets. Those key fields tend to include the following:

Source and destination IP address

Source and destination port number

Layer 3 protocol designation

Type of Service (ToS) byte

Logical interface index

Any network flow by definition will be comprised of all network packets that have the same
information in each of these fields. For example, if a network service on one server is
communicating with another, that service's communication will tend to occur between
those two computers, over an unchanging port, using an unchanging protocol and ToS, and
via the same logical interface.

Once a set of data that contains these same seven elements is gathered, four sets of
statistical information can generally be acquired:

System uptime at start of flow

System uptime at end of flow

Number of packets in flow

Number of bytes in flow

Although small in count, these four pieces of information illuminate a large amount of
detail about the conversation between the two computers. The rate of data exchange can
now be measured. The time it takes for communication to occur as well as the amount of
time that the two computers spend communicating with each other can similarly be
gathered. The sheer amount of data being transferred during that time is another
important metric gained through this measurement.

Obviously, NetFlow information must occur from the perspective of the device that is
sending and/or receiving the packets. Thus, any flow-based information must be viewed
with recognition of its measurement source. For example, if a network spans three
geographically dispersed sites, flow-based metrics between two computers are likely to be
drastically different if they are measured in Site A versus Site B or C.

NetFlow, J-Flow, sFlow, and IPFIX
Industry vernacular uses the term "NetFlow" generically, but the NetFlow protocol is
actually a development of Cisco Systems. As such, any Cisco-based devices will use the
NetFlow implementation of flow-based analysis. Four versions of Cisco's NetFlow protocol
remain in use today, with two rarely seen in today's business networks:

NetFlow Version 5: Originally developed by Cisco Systems but currently in use by
other vendors including Adtran

NetFlow Version 7: Rarely seen today; specific to Cisco Catalyst switches

NetFlow Version 8: Also rarely seen today, as it has been superseded by version 9;
version 8 introduced aggregation technology

NetFlow Version 9: Most common version in deployment today; includes
mainstream availability of earlier introduced aggregation features while
introducing flexible NetFlow concepts

Although Cisco Systems is credited with developing the first implementation, other
vendors have developed their own variants of the architecture for use within their
hardware. These alternative implementations enable a similar set of operational
functionality but with each supporting their own unique feature set. Three major examples
include:

J-Flow: Developed by Juniper Networks for use in their hardware; effectively the
same as Cisco NetFlow Version 5

sFlow: A standards-based implementation (RFC 3176) whose development is
shared by HP, Extreme, Foundry, Juniper, and Nortel, sFlow is unique in that its
measurements are based on a statistical sampling of flow data, which has the effect
of reducing the total amount of data that is required to be sampled to achieve a
statistically similar result

IPFIX: Commonly considered the next version of NetFlow, or NetFlow Version 10,
IPFIX is based on Cisco NetFlow Version 9; among other capabilities, IPFIX offers
template-based exporting of data

Leveraging NetFlow
The power of the flow-based protocols is in their ubiquity. As with the Simple Network
Management Protocol (SNMP), the necessary code and processing to enable and use
flow-based protocols is already included with virtually all network hardware available today.
Thus, existing hardware components need only have NetFlow configured and enabled to
begin enjoying its analysis capabilities. As with Syslog configurations, different network
device Operating Systems (OSs) will have different mechanisms for enabling the export of
flow information.

For a Cisco IOS router, the configuration steps might resemble the following example:

router#enable
Password:*****
router#configure terminal
router1234(config)#interface FastEthernet0/1
router1234(config-if)#ip route-cache flow
router1234(config-if)#exit
router1234(config)#ip flow-export destination 192.168.1.100 9996
router1234(config)#ip flow-export source FastEthernet0/1
router1234(config)#ip flow-export version 5
router1234(config)#ip flow-cache timeout active 1
router1234(config)#ip flow-cache timeout inactive 15
router1234(config)#snmp-server ifindex persist
router1234(config)#^Z
router#write

These steps enable the export of flow information on the interface FastEthernet0/1 to be
directed to the server at 192.168.1.100 over port 9996. This configuration must be enabled
for each of the interfaces on which flow information should be exported.
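
A version 5 export datagram, as the configuration above sends to 192.168.1.100 on port 9996, carries the seven key fields and the four per-flow statistics listed under Understanding Network Flows. The following Python parser is an added example, not from the original guide; it follows Cisco's published version 5 layout (a 24-byte header followed by 48-byte records), the function names are assumptions, and the sample datagram is constructed.

```python
import socket
import struct

# NetFlow v5 layout: 24-byte header followed by 1..30 records of 48 bytes each.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30


def parse_v5(datagram):
    """Parse one export datagram; raise ValueError on anything malformed.

    The export is unauthenticated UDP, so lengths are validated before use.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, sys_uptime, unix_secs, _, sequence, _, _, _ = \
        HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow version 5: %d" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("record count out of range: %d" % count)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")

    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, _out_if, packets, octets, first, last,
         sport, dport, _tcp_flags, proto, tos, *_rest) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        # first/last are router sysUptime in ms; the mask handles counter wrap.
        duration_ms = (last - first) & 0xFFFFFFFF
        flows.append({
            # The seven key fields that identify the flow.
            "key": (socket.inet_ntoa(src), socket.inet_ntoa(dst),
                    sport, dport, proto, tos, in_if),
            # The four statistics, plus what can be derived from them.
            "first_ms": first, "last_ms": last,
            "packets": packets, "bytes": octets,
            "duration_ms": duration_ms,
            "bits_per_sec": octets * 8000 / duration_ms if duration_ms else None,
        })
    return {"sequence": sequence, "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs, "flows": flows}


def build_sample():
    """Constructed datagram: one HTTP flow 192.168.1.10 -> 192.168.1.100."""
    header = HEADER.pack(5, 1, 1004500, 1262304000, 0, 42, 0, 0, 0)
    record = RECORD.pack(
        socket.inet_aton("192.168.1.10"), socket.inet_aton("192.168.1.100"),
        socket.inet_aton("0.0.0.0"), 2, 3, 120, 96000, 1000000, 1004000,
        51515, 80, 0x1B, 6, 0, 0, 0, 24, 24)
    return header + record


if __name__ == "__main__":
    for flow in parse_v5(build_sample())["flows"]:
        print(flow)
```

The header's sequence number is returned because a collector that tracks it per exporter can detect lost or injected datagrams, which matters when the transport offers no authentication.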

Obviously, configuring NetFlow information across the network devices and interfaces in
your environment only accomplishes one half of the setup. The level of information being
gathered by a NetFlow-enabled interface is large and requires additional calculation by a
server at the target endpoint if its data is to be useful to an administrator. Thus, the job of
that server is in calculating the data, measuring it against other inbound flow information,
and creating visualizations that display actionable information.

Free Tool: SolarWinds NetFlow Configurator & Real-Time NetFlow Analyzer
If the previously mentioned process to configure a device for NetFlow
appears challenging, be aware that tools exist to automate the process.
SolarWinds NetFlow Configurator is a free tool that leverages SNMP to
configure NetFlow on supported devices. Statistics from NetFlow-configured
devices can be analyzed using SolarWinds' free Real-Time NetFlow Analyzer
tool. Both tools can be downloaded from the SolarWinds Web site at
http://www.solarwinds.com/products/freetools/.

NetFlow in Today's Network Management Solutions
Getting the best data about your network infrastructure means leveraging modern
protocols such as NetFlow and its platform-specific variants. Free tools such as the
SolarWinds NetFlow Configurator and Real-Time NetFlow Analyzer bring a limited but
useful view into those metrics. With these tools, it is possible to visualize network traffic
flows across a single configured device in real time.

For large-scale requirements, other more comprehensive tools are often necessary. Orion
NetFlow Traffic Analyzer (NTA) greatly expands your vision beyond the range of free tools
through both real-time and historical views of flow-based data. The result is a quick
implementation, gathering the right level of data to improve troubleshooting and gain a
better understanding of the types and levels of data passing across your distributed
network.


Volume 5: Cisco IP Service Level Agreements
The final management protocol to be discussed in this Reference Guide is a proprietary
feature that is included with the Cisco IOS. This feature, called IP Service Level Agreements
(IP SLA), represents another mechanism by which statistics and other performance and
utilization metrics can be measured across network wires.

Although the information gained with IP SLA is often used for the same types of
troubleshooting and analysis activities as is done with NetFlow data, the actual information
gathered is fundamentally different. With NetFlow, individual devices gather aggregate
statistics across individual interfaces, presenting the results (also in aggregate) to a
centralized server for processing. This kind of data can be considered volume-based data
because it illuminates the behaviors on a network from a very high-level perspective.

The data gained by enabling IP SLA metrics is different in that it represents the results of a
series of ongoing tests that are preconfigured for specific network devices. These periodic
tests are used to validate connectivity as well as evaluate instantaneous performance
metrics across specified interfaces. The "SLA" in IP SLA refers to this protocol's capability
to automatically and repeatedly test whether a particular network behavior is functioning
to expected levels.

For example, business networks that incorporate Voice over IP (VoIP) services into the
network require an awareness that their users' quality of service remains at a high level.
When the network cannot keep up with the needs of its VoIP users, the call quality for all
users suffers. Although NetFlow information provides an understanding of the volume of
data occurring across different devices on the network, additional test data is useful for
repeatedly measuring and reporting on that user experience.

For example, in the case of VoIP services, the level of User Datagram Protocol (UDP) jitter
across the network is one metric whose value can be directly translated into call quality.
UDP jitter occurs when latency across network connections occurs but not at a constant
rate. Due to the nature of VoIP services, jitter's rapid shifting of connection latency has a
dramatic effect on call quality. To identify when this behavior goes beyond acceptable
thresholds, an IP SLA test can be configured to measure jitter between two endpoints.

This single test helps the administrator understand the behavior that occurs at that single
location. But where IP SLA's greatest power comes is in the ability to synchronize similar
tests all across the distributed network, effectively showing the same metric across the
entire environment at once. For a distributed application such as VoIP, this widespread
vision assists network administrators with tracking down network problems as well as
their locality.

Precise Timing Is Critical
IP SLA's capability to distribute test loads directly to the devices that
participate in networking means that resulting statistics will be submitted to
the Network Management Solution (NMS) from multiple locations at once.
Thus, the maintenance of precise time across all devices is exceptionally
important. The central NMS that gathers these statistics must rely on
submitted time across all devices to analyze inputs in generating
visualizations. As such, incorrect time across any device on the network will
inadvertently skew IP SLA results.

IP SLA Extends Traditional Network Monitoring
This concept of being "everywhere at once" goes far into extending the reach of traditional
network monitoring devices. In traditional network monitoring, the architecture assumes a
type of hub-and-spoke methodology. In the hub lies the NMS and radiating away as spokes
are that NMS's polls outward to individual devices.

This solution functions acceptably for simple networks, those that don't spread across
multiple sites or geographic locations. However, the traditional hub-and-spoke
methodology sees its limitations when attempting to measure performance from one site to
another. This setup is particularly problematic when the central NMS does not exist in
either of the two sites to be measured. Also challenging are network architectures that do
not route Internet access through a single, central connection. When individual sites
connect via Multi-Protocol Label Switching (MPLS) connections and/or leverage their own
Internet connections, gathering the right kinds of statistics is challenging using traditional
methods.

One early mechanism for circumventing this limitation was the use of hardware probes,
whose installation required a physical connection to the network they were charged with
monitoring. Network probes passively monitor data across the network to which they're
connected, submitting metrics back to the central NMS. Because probes operate in-line
with the network, the behaviors they see relate to the individual network segment where
they're installed.

Yet the fact that hardware probes are physical devices adds a significant level of
administrative overhead to their use. Installing the probe means being physically present
at the monitoring location. Purchasing probes involves cost, which scales linearly as more
probes are needed. Ultimately, although probes can provide the level of detail necessary to
measure the aforementioned metrics, they do so with an accompanying burden.

Like the code base that enables NetFlow metrics collection, IP SLA's code base is mature
and likely already installed into network equipment. Thus, enabling it for use involves little
more than reconfiguring network devices, determining the tests to be run, and pointing the
results to an NMS for processing. For example, to configure a basic Internet Control
Message Protocol (ICMP) ping test to occur every 30 seconds between the network device
and the remote IP address 192.168.1.100, a command structure similar to the following
could be used:

Switch(config)#ip sla 1
Switch(config-ip-sla)#icmp-echo 192.168.1.100
Switch(config-ip-sla-echo)#frequency 30
Switch(config-ip-sla-echo)#exit
Switch(config)#ip sla schedule 1 start-time now life forever
Switch(config)#end

In this structure, the ICMP test sourced from the switch and with the host 192.168.1.100 as
the target is configured to occur every 30 seconds and run forever. The operation number
given to ip sla schedule must match the number of the operation being scheduled (1 here).
IP SLA information is passed back to a central NMS through the same channel used by
Simple Network Management Protocol (SNMP). As such, the device's SNMP configuration
must be enabled for IP SLA information to be submitted.
Free Tool: SolarWinds IP SLA Monitor
Although a fully featured NMS is required for support of the entire range of
IP SLA tests, often only a small sample of tests is necessary. For those limited
uses, SolarWinds provides a free IP SLA Monitor tool that can be downloaded
from http://www.solarwinds.com/products/freetools/ip_sla_monitor/. This
tool configures and enables IP SLA on Cisco routers and switches, configures
the test details for each device, and displays the resulting information in a
useful heads-up display.

IP SLA Responders
A simple ICMP test with IP SLA requires very little for its full functionality. Its ping
response statistics can be trivially submitted back to an NMS with no additional numerical
processing. However, some network tests require the presence of a partner on the network
to validate data transmission statistics. The aforementioned jitter test is one example
where that second party in the test is required. In IP SLA terms, this second party is
referred to as the IP SLA Responder and is manifested as an additional component in the IP
SLA code base that is already present on network devices.

To participate in the test, an IP SLA Responder must be configured in much the same way
as the IP SLA test. Be aware that the IP SLA Responder code base is present in only some
classes of network devices, limiting where Responders can be enabled in the infrastructure.

In the case of the jitter test, a Responder is required due to the nature of the test itself. A
network device can require tens of milliseconds to process incoming packets. This can be
due to the regular processing of network traffic or because of other high-priority processes
enabled on the device. This added delay will inadvertently skew jitter statistics without
compensation and subsequent recalculation by both sides of the test. Configuring a
responder for such a test can be done with a command structure similar to the following
example:

ip sla responder udp-echo ipaddress 192.168.1.100 port 5000
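
The effect of that processing delay, and why timestamps taken by the Responder remove it, can be worked through with numbers. The following Python is an added example, not from the original guide and not Cisco's implementation; the four-timestamp probe model (sender transmit and receive, responder receive and transmit), the function names and the sample values are assumptions constructed for illustration.

```python
def _mean_abs(deltas):
    """Mean absolute value of a list of deltas."""
    return sum(abs(d) for d in deltas) / len(deltas)


def _steps(values):
    """Differences between consecutive samples."""
    return [b - a for a, b in zip(values, values[1:])]


def jitter_report(probes):
    """probes: list of (t1, t2, t3, t4) timestamps in milliseconds.

    t1 = sender transmit,   t4 = sender receive      (sender's clock)
    t2 = responder receive, t3 = responder transmit  (responder's clock)
    """
    if len(probes) < 2:
        raise ValueError("jitter needs at least two probes")
    # Round trip as the sender alone sees it: includes responder processing.
    naive_rtt = [t4 - t1 for t1, _, _, t4 in probes]
    # Subtract the time each packet sat inside the responder.
    net_rtt = [(t4 - t1) - (t3 - t2) for t1, t2, t3, t4 in probes]
    # Per-direction jitter: change in spacing between consecutive packets.
    # Every term subtracts two stamps from the same clock, so a fixed
    # offset between the two clocks cancels out.
    pairs = list(zip(probes, probes[1:]))
    src_to_dst = [(b[1] - a[1]) - (b[0] - a[0]) for a, b in pairs]
    dst_to_src = [(b[3] - a[3]) - (b[2] - a[2]) for a, b in pairs]
    return {
        "naive_rtt_ms": naive_rtt,
        "network_rtt_ms": net_rtt,
        "naive_rtt_jitter_ms": _mean_abs(_steps(naive_rtt)),
        "network_rtt_jitter_ms": _mean_abs(_steps(net_rtt)),
        "source_to_dest_jitter_ms": _mean_abs(src_to_dst),
        "dest_to_source_jitter_ms": _mean_abs(dst_to_src),
    }


# Constructed probes, sent 100 ms apart. The responder clock runs 5000 ms
# ahead of the sender clock, and the responder holds each packet for
# 1, 25, 3 and 40 ms while it is busy with other work.
PROBES = [
    (0, 5010, 5011, 21),
    (100, 5112, 5137, 147),
    (200, 5210, 5213, 224),
    (300, 5315, 5355, 365),
]

if __name__ == "__main__":
    for name, value in jitter_report(PROBES).items():
        print(name, value)
```

With these constructed values the sender-only measurement reports 30 ms of jitter, almost all of it responder processing time, while the compensated figures stay at or below 3 ms. The 5000 ms clock offset leaves the jitter figures untouched, but a one-way delay computed as t2 - t1 would be off by the full offset.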

IP SLA and Test Processing
Although IP SLA's instrumentation is present in the network device itself, the processing of
its data generally requires the support of an external server. As with NetFlow data, the role
of an external server is to receive inbound IP SLA metrics data, calculate useful metrics, and
ultimately create visualizations from those metrics.

This capability is particularly necessary with IP SLA environments as its data can be
arriving from multiple locations at once via SNMP traps. With the instrumentation in the
individual network device, that device's job is to measure and report. Meaning from that
data typically arrives when that individual sensor's data is correlated with others across
the network. Upon receipt of metrics, calculations are required by the NMS to generate the
right statistics for use by the administrator.

An additional requirement of the NMS is in the maintenance of test characteristics.
Although the previous example shows how a single test can be created between two
endpoints, IP SLA is designed for scalable use across a multiple-site WAN. Thus, although
creating a single test can consume just a few lines, recreating that test across multiple
devices in multiple locations adds an administrative burden as the environment scales.
Combining multiple tests with multiple devices means a geometrically increasing number
of configurations to manage and maintain.

IP SLA in Today's NMSs
SolarWinds Orion Network Performance Monitor (NPM) and Orion IP SLA Manager are two
solutions that combine the correlation and visualization capabilities of an NMS with the
configuration control needs of that NMS's administrators. Both the configuration and the
data transfer of metrics for IP SLA tests occur through SNMP. Thus, once a network device
is configured for use within Orion NPM, it is possible to quickly distribute a test to that
device through its SNMP channel. At the same time, the SNMP connection between device
and NMS provides a location to send resulting test data for processing.

Once tests are running and data is being submitted, Orion NPM provides a suite of
visualizations that integrate with built-in maps. These maps enable Orion to display
information about tests across a range of sites, allowing administrators to drill down to
problem areas with a few clicks. By controlling both the test configuration and the resulting
visualization, SolarWinds Orion provides a single location for monitoring and managing the
entire distributed network. In addition, Orion IP SLA Manager enables you to monitor key
WAN applications by analyzing the performance of the underlying network protocols,
including DNS lookups, FTP, HTTP, TCP connect, and UDP jitter. Lastly, you can continue to
monitor VoIP call paths to ensure quality of service for your voice traffic on your network
with Orion IP SLA Manager.
