February 8, 2008 • Vol.30 Issue 6
Page(s) 1 in print issue

Improve Network Monitoring
Get The Most From Your Network’s Watchers
Imagine a bank equipped with a security system that only protects half of the bank building’s area, leaving multiple entry points into the building completely vulnerable. No one in their right mind would ever install such a deeply flawed system unless they wanted the bank to eventually be robbed.

The same analogy applies to network monitoring systems that help protect enterprise network resources: Many enterprises deploy expensive monitoring devices, but if they only see half of the network traffic, are they truly delivering value? As networks continue to evolve toward more advanced technologies—such as 10GbE—administrators must ensure their network monitoring can keep pace. After all, you know nothing about what you can’t monitor.

Improving Monitoring SPAN

As a result, many manufacturers and industry watchers are proposing replacing SPAN (Switched Port Analyzer) as a means of enhancing network monitoring.

Jamie Lerner, CEO of CITTIO (www.cittio.com), says monitoring via SPAN port or mirror basically redirects all Ethernet traffic from a switch to an external monitoring device, such as a sniffer or analyzer. The problem with this approach is one of scalability, especially on large and 10GbE networks.

“The number of monitoring devices that have to be deployed to achieve full network coverage could be quite large, especially in more complicated VLAN-based network architectures,” says Lerner. That is why, he adds, flow analysis via IPFIX (IP Flow Information Export) is the direction in which network traffic analysis is moving.

Besides scalability, another issue with SPAN is that it may not provide a complete view of traffic on a network segment regardless of network speed. According to Chris Bihary, managing director of the Americas at Network Critical (www.criticaltap.com), “The replacement of SPAN is a requirement when real access is required for a 100% view of the traffic on a network segment.”

According to Network Critical, administrators should return to using TAPs (test access points) for 100% views of network traffic, especially at speeds of 10Gb and faster. This is because at those bandwidths, routers and switches must now replicate/mirror gigabit quantities of data. (For example, a full-duplex 10Gb link means 20Gb of potential data to replicate/mirror.) This can severely impact the switch/router’s ability to perform its primary function while replicating/mirroring packets for SPAN analysis.

But the role of SPAN is still important in network monitoring. Jim McQuaid, director of product management at NetQoS (www.netqos.com), says SPAN remains a key point of access for both monitoring and analysis. However, as network media moves to higher and higher bandwidth, he notes, the value of SPAN does not change, but the probability of overloading SPAN ports rises somewhat. So, he says, devices that access packet flows via SPAN must continue to be as high performance as possible to keep up.

Enhancing Network Monitoring

So, how should administrators enhance their network monitoring capabilities? Mark Urban, director of product marketing at Packeteer (www.packeteer.com), says administrators should strive both to be proactive and to examine performance at the application and user level. For example, he adds, administrators should get an application view for network monitoring, study user response times, and use monitoring to assess needs when looking at new projects.

The design and placement of permanent access points with enterprise tapping solutions is one of the most important aspects of network monitoring, says Network Critical’s Bihary. Bihary likens network managers to physicians who rely on complete problem disclosures to make diagnoses; for the network professional, full disclosure comes in the form of permanent, 100% access to the network. But, he warns, many enterprise managers are still relying on access techniques that drop monitoring frames, groom errors from appearing in traffic, cause latency, and may even present kill points.

Lerner cites three elements that are key to successful monitoring deployments: the adoption of an automated monitoring approach, the consideration of all IP-attached devices, and the leveraging of industry standards. In addition, says Lerner, admins should avoid deploying “heavy” agents that consume resources, cause instability, and require frequent patches and upgrades. Other pitfalls include adopting “mega-suites” that claim to perform a smorgasbord of IT functions and the inability of IT administrators to present system performance and service-level agreements from a business perspective.

Increasingly, responsibility for application delivery to end users is falling on the shoulders of network professionals, notes NetQoS’s McQuaid. So, to take control of network performance, administrators should focus on three primary goals, he adds.

First, administrators should take stock of the infrastructure by identifying all of the critical applications supported by IT, the infrastructure components that support these services, and the bounds of acceptable performance from the end-user perspective. Second, administrators should get timely and actionable information to the right people by establishing processes that alert the right personnel about performance and infrastructure problems. Finally, says McQuaid, it’s necessary to continuously measure performance against agreed goals, identify the root causes of any deficiencies, and provide usage data for promoting efficient use of resources.

At the end of the day, says Network Critical’s Bihary, administrators should focus on the basic framework for network monitoring, which consists of three elements: access, capture, and analyze. Administrators should provide 100% access to all network traffic, should capture 100% of the data, and should analyze traffic with the required network appliances, such as analyzers, probes, IDS/IPS, and lawful intercept.

Bihary extends the physician analogy by providing an example of a doctor who is unable to make an accurate diagnosis for a patient over the phone because the phone reception goes bad and the physician only hears half of the symptoms. IT managers who need to accurately troubleshoot network issues must have access to 100% of the network traffic they are monitoring in order to properly assess issues and solve problems.

Network Monitoring Grows Up

As network bandwidths grow, the issues of scalability and performance will begin to significantly impact the ability of modern network monitoring tools, especially those that use SPAN, to provide the valuable information administrators need to properly diagnose and eliminate problems. These tools will also need to evolve, perhaps beyond the use of SPAN, in order to continue providing significant value. In an age when network administrators are tasked with guaranteeing top-notch application performance, network monitoring is more important than ever.

by Sixto Ortiz Jr.


Network Monitoring Products

Company/URL | Product | Description
CITTIO (www.cittio.com) | CITTIO WatchTower | A network monitoring software system that automatically discovers and monitors existing and new devices using CITTIO’s Automation Stack
NetQoS (www.netqos.com) | NetQoS Performance Center | Uses a Web-based console to present end users with various critical monitoring metrics, including application response times, network traffic analysis, and device performance management
Network Critical (www.criticaltap.com) | CriticalConneX System / ConneX Chassis | A modular enterprise chassis system capable of governing the many-to-many network monitoring connections enterprise systems depend on
Packeteer (www.packeteer.com) | PacketShaper | An all-in-one suite that provides monitoring, management, shaping, and acceleration in networked environments


Copyright © by Sandhills Publishing Company 2010. All rights reserved.