Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 2 of 2)

Learn how WhatsUp Flow Publisher gives you traffic analysis on your network without requiring flow-enabled hardware.

Usage Rights: © All Rights Reserved

  • Resources:
    • http://en.wikipedia.org/wiki/Network_tap
    • http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
    • http://www.gigamon.com/span_port_or_tap.php

Presentation Transcript

  • Traffic Analysis How To Webinar Series
    Traffic Analysis for Non Flow-Enabled Networks: Port Mirroring/SPANing
    January 19, 2010
    • Today’s Presenters:
      • Kevin Gillis, VP Product Management, Network Management
      • Jason Williams, Product Manager & The WhatsUp Guru
    • Agenda:
      • The Need for Traffic Analysis
      • Session 1&2 Recap
      • Flow Publisher Overview
      • “Mirroring”
      • Technical Demonstration
      • Q&A
      • Next Steps
  • The Need for Traffic Analysis
    • My network is slow and I do not know why…
      • Existing tools don’t give me any or enough visibility…
        • Into user and application network bandwidth utilization
        • Into network performance issues
        • Into locating and troubleshooting issues
        • Into applications and their effect on the network
        • Into security breaches and unauthorized usage
    Tools are either too expensive or complex to deploy
  • The Need for Traffic Analysis
    • My network is slow and my network does not know why…
      • Existing hardware does not give me any or enough visibility…
        • My network hardware is not NetFlow, sFlow or J-Flow capable
        • My network hardware is not NetFlow, sFlow or J-Flow enabled
        • My network hardware is flow capable but it’s too expensive to enable: it means taking down the network, adding hardware and upgrading the IOS
        • The segment of my network is not 100% flow enabled
    • Current solutions
      • Require expertise in packet level and protocol level analysis
      • Require device or network upgrades/downtime
      • Require investment in appliances or probes
    Flow enabled hardware is either too expensive or complex to deploy
  • Recap of Traffic Analysis Series Session 1: Application and User Traffic Analysis
  • Application and User Traffic Analysis
    • Rapid isolation of server versus network based issues
    • Insight into reasons for application traffic
      • Traffic loads
      • Users
      • Peak usage timeframes
    • Locate under and over subscribed applications and servers
      • Standalone servers
      • Virtualized servers
        • Traffic to individual virtual machines (VMs)
    Why is server based traffic analysis important? It creates the opportunity to optimize server infrastructure based upon actual user and application utilization data
  • Server Traffic Analysis Deployment
    • Flow Publisher Server Agent
      • Windows Server
        • 32 & 64 bit: Standard and Enterprise Server 2008 and Standard & Enterprise Server 2003 SP2
        • Non-virtualized and virtualized servers
        • Network interface
      • Runs as a Windows service
        • Small resource footprint
    Application and user traffic analysis at the source
  • Recap of Traffic Analysis Series Session 2: Traffic Analysis for Non Flow-Enabled Networks: “TAP”ing
  • TAPing…
    • What’s a TAP and how does it work?
      • TAP stands for Test Access Point.
      • A network tap is a fully passive device.
      • Packets are copied electrically or optically onto the tap ports.
    • Considerations
      • Fidelity: You get 100% guaranteed view of network traffic even with larger deployments of 10 Gigabit+. They are completely passive and do not cause any distortion even on FDX and full bandwidth networks.
      • Security: Taps are not addressable network devices and therefore cannot be hacked
      • Ease of Use: Taps have no setups or command line issues so getting all the data is assured and saves users time. They are also fault tolerant.
    • Summary:
      • Taps offer high integrity and fidelity with 100% packet capture; no packet or frame alterations.
      • As a fully passive device, a tap does not impact the performance or scalability of the switch or router.
      • Requires additional hardware to be purchased and installed potentially leading to downtime.
  • Example TAP Deployment
    (Diagram; callout: “This switch does not support port mirroring or SPAN”)
  • Mirroring and SPANing
  • SPANing by any other name…
    • What’s a SPAN and how does it work?
      • Port Mirroring, Port Monitoring, Switched Port Analyzer or SPAN (Cisco world), or Roving Analysis Port (RAP, 3Com)
      • The network device must support port mirroring
      • A port mirror is active packet duplication
        • The network device physically has the duty of copying packets onto a mirror port.
        • The device has to carry out this task using some of its own resources (e.g. CPU), and both traffic directions are copied onto the same port.
        • The entire packet is copied and sent out through a next-hop interface.
    • Considerations
      • Packet Loss: The mirrored traffic of a full duplex link (both directions combined) can’t exceed the mirror port’s line rate without packet loss, because there is physically no room to copy the extra packets.
      • Not WYSIWYG:
        • LAN switches are designed to groom data (change timing, add delay), remove bad frames and ignore all layer 1 & 2 information.
        • VLAN tags are not normally passed, which can lead to false issues being detected and difficulty in finding VLAN issues.
        • Frame interaction timing is changed, and corrupt and/or undersized packets are dropped.
      • Time Consuming and Potentially Political:
        • Proper SPANing requires that a network engineer configure the switches properly
        • You must ensure that no packet flow is mirrored more than once.
        • Configurations can often become a political issue between the IT team, the security team and the compliance team
  • SPANing by any other name…
    • Summary:
      • Port mirroring may not require any new hardware as it can be performed by many switches (but not all)
      • Fidelity and integrity must be considered. Packet loss can happen for a variety of reasons.
      • Scalability is a legitimate concern: With Gigabit and 10 Gigabit technologies (and Full Duplexing doubling the base bandwidth), switches or routers can’t always handle replicating/mirroring all this data plus handling its primary job of switching and routing.
  • SPANing roots…
    Networks are getting more tiered and segmented for many reasons.
  • Flow Publisher 1.0 Overview
  • Flow Publisher v1.0 Summary
    • Flow data generated from raw network traffic
      • Convert raw traffic into NetFlow v1, v5 and v9 compliant flow records
        • Full range of NetFlow information
        • Not sampled flow data
    • Pinpoint or broad traffic analysis
      • Windows servers and any applications (e.g. Oracle, SAP, Exchange)
      • Passive using TAPs (Test Access Point)
      • Active packet duplication through virtually any network device supporting port mirroring
    • High impact: non-invasive and inexpensive to maintain
      • Leverages existing network infrastructure
      • No device hardware or software upgrades required
      • Does not require network or device downtime
    Enables flow analysis for non-flow capable devices
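The slide above describes Flow Publisher’s core job: take the raw packets delivered by a TAP or mirror port and turn them into unsampled NetFlow v5/v9 records for the collector. The Python below is an added example written for this transcript, not Ipswitch’s code: it keeps a per-5-tuple flow cache with the usual active and inactive timeouts, expires flows the way a software exporter does, and packs them into the public NetFlow v5 wire layout (24-byte header, 48-byte records, sampling interval 0 because every packet is counted). The packet list, the timeouts, the interface indices and the export timestamp are constructed for the example; `decode_v5` is there only so you can check what a collector would read back.

```python
"""Aggregate raw packets into flows and export them as NetFlow v5.
Added example, not Flow Publisher code: it mimics what a software exporter does
with traffic copied to it by a TAP or mirror port. Packets, timeouts and
interface indices are constructed; the v5 layout is the public one."""
import socket
import struct
from dataclasses import dataclass

# Constructed observations: (seconds since capture start, src, dst, IP proto, sport,
# dport, frame length, TCP flags, ToS). Flags: 0x02 SYN, 0x10 ACK, 0x08 PSH, 0x01 FIN.
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 6, 51000, 443, 74, 0x02, 0),
    (0.01, "10.0.0.9", "10.0.0.5", 6, 443, 51000, 74, 0x12, 0),
    (0.02, "10.0.0.5", "10.0.0.9", 6, 51000, 443, 66, 0x10, 0),
    (0.50, "10.0.0.5", "10.0.0.9", 6, 51000, 443, 1514, 0x18, 0),
    (0.80, "10.0.0.5", "10.0.0.1", 17, 40000, 53, 78, 0, 0),
    (0.81, "10.0.0.1", "10.0.0.5", 17, 53, 40000, 150, 0, 0),
    (1.00, "10.0.0.5", "10.0.0.9", 6, 51000, 443, 66, 0x11, 0),
    (70.0, "10.0.0.5", "10.0.0.9", 6, 51000, 443, 66, 0x10, 0),  # past idle timeout: new flow
]

@dataclass
class Flow:
    key: tuple          # (src, dst, proto, sport, dport, tos); NetFlow flows are one-directional
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of every TCP flag seen, as a v5 exporter reports it

class FlowCache:
    """Per-5-tuple accounting with the usual active/inactive expiry."""
    def __init__(self, active_timeout=60.0, inactive_timeout=15.0):
        self.active_timeout, self.inactive_timeout = active_timeout, inactive_timeout
        self.flows, self.expired = {}, []

    def observe(self, ts, src, dst, proto, sport, dport, length, flags=0, tos=0):
        self._expire(ts)
        key = (src, dst, proto, sport, dport, tos)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, first=ts, last=ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += length
        flow.tcp_flags |= flags

    def _expire(self, now):
        # Idle and long-lived flows are cut so the collector gets timely records.
        for key, flow in list(self.flows.items()):
            if now - flow.last > self.inactive_timeout or now - flow.first > self.active_timeout:
                self.expired.append(self.flows.pop(key))

    def flush(self):
        # End of capture: everything still open is exported too.
        out = self.expired + list(self.flows.values())
        self.flows, self.expired = {}, []
        return out

V5_HEADER = struct.Struct("!HHIIIIBBH")              # version .. sampling_interval (24 bytes)
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # srcaddr .. pad2 (48 bytes)

def encode_v5(flows, flow_sequence=0, unix_secs=0, input_if=1, output_if=0):
    """Pack 1..30 flows into one NetFlow v5 datagram; times are ms of uptime."""
    if not 0 < len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    uptime_ms = int(max(f.last for f in flows) * 1000)
    # engine_type/engine_id 0; sampling_interval 0 means every packet was counted
    out = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, flow_sequence, 0, 0, 0)
    for f in flows:
        src, dst, proto, sport, dport, tos = f.key
        out += V5_RECORD.pack(
            struct.unpack("!I", socket.inet_aton(src))[0],
            struct.unpack("!I", socket.inet_aton(dst))[0],
            0, input_if, output_if,                  # nexthop unknown from a mirror port
            f.packets, f.octets, int(f.first * 1000), int(f.last * 1000),
            sport, dport, 0, f.tcp_flags, proto, tos,
            0, 0, 0, 0, 0)                           # src/dst AS, src/dst mask, pad2
    return out

def decode_v5(datagram):
    """Unpack a datagram the way a collector would, to check the export."""
    count = V5_HEADER.unpack_from(datagram, 0)[1]
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(struct.pack("!I", r[0])),
                        "dst": socket.inet_ntoa(struct.pack("!I", r[1])),
                        "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                        "tcp_flags": r[12], "proto": r[13], "tos": r[14]})
    return records

def run_example(packets=PACKETS):
    """Feed the constructed capture through the cache and export it."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(*pkt)
    flows = cache.flush()
    return flows, encode_v5(flows, unix_secs=1263902400)  # constructed export timestamp
```

Running `run_example()` yields five flow records: the HTTPS session seen from the client side (4 packets, 1720 octets, SYN/PSH/ACK/FIN flags OR’d together), its reply direction, the two halves of the DNS exchange, and a fresh record for the ACK that arrived after the 15 second idle timeout. The collector pairs the two directions back into a “conversation”, which is why the exporter itself never has to.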
  • Flow Publisher v1.0 Features
    • Two Components
      • Agent Manager Interface
        • Configure and manage a single or multiple agents
      • Flow Publisher Agent
        • Processes raw traffic data
        • Standalone installation
          • Windows computer
          • TAP or mirrored interfaces
          • Accepts raw traffic from up to 4 individual interfaces
        • Hosted installation
          • Directly on Windows Servers
            • Application monitoring
            • User monitoring
            • VMware Virtualized Systems
    Software only solution
  • Flow Publisher v1.0 Features cont’d
    • Integrates with v14.x of WhatsUp Gold and v2.0 of Flow Monitor for:
      • Real-time traffic monitoring and analysis
      • Threshold alerting
      • 40+ reports (web and mobile)
    • Maps MAC addresses to reported interfaces
    • Jumbo and fragmented packet support
    • Configurable logging
      • 3 levels of detail
    • 2 levels of traffic capture
      • Normal
      • Promiscuous
  • Flow Publisher v1.0 Features cont’d
    • Provides the same information into Flow Monitor for analysis and reporting as other NetFlow sources. This includes the following:
      • Protocol
      • Application (port number)
      • Conversations
      • Sender host
      • Receiver host
      • Sender domain
      • Receiver domain
      • Sender top level domain (TLD)
      • Receiver TLD
      • Top sender country
      • Top receiver country
      • Type of service (ToS)
      • Top Senders with the Most Conversation Partners
      • Top Senders with the Most Failed Connections
      • ICMP Types
      • Top Receivers with the Most Conversation Partners
      • Top Receivers with the Most Failed Connections
      • Packet Size Distribution
  • Flow monitoring on non flow-enabled network
    • Rapid isolation of server versus network based issues
    • Insight into reasons for network traffic
      • Traffic loads
      • Users
      • Peak usage timeframes
    • Establish a performance baseline
    Why is network traffic analysis important? It creates the opportunity to generate flow based traffic data without expensive software, hardware or operating system upgrades, and without downtime.
  • Agent & Collector High-level Interaction
    Three flexible deployment models provide unlimited choices (diagram):
    • Switch forwards mirrored traffic to the Flow Publisher agent on a PC; the agent forwards NetFlow records to the Flow Monitor collector
    • TAP forwards bi-directional traffic to the Flow Publisher agent on a PC; the agent forwards NetFlow records to the Flow Monitor collector
    • Server based agent forwards NetFlow records directly to the Flow Monitor collector
    Collector: WhatsUp Gold and Flow Monitor
  • Non Flow-Enabled Flow Monitoring Technical Demonstration
  • Example SPANing Deployment
  • Next Steps…
    • Find out more about Flow Publisher v1.0
      • http://www.whatsupgold.com/whatsnew
    • Try – free 30 day evaluation
      • http://www.whatsupgold.com/download
    • Buy – (3) ways to purchase
      • www.whatsupgold.com/buy
      • 1. WhatsUp Gold Representative
      • 2. An Ipswitch Reseller Partner of your choice
      • 3. Online via our ecommerce shop
    Increased visibility into single segment, multi-segment, application and user traffic on your network!
    • 1 randomly selected attendee will receive a Flip Mino camcorder
    Flip over this…
  • Questions from customers…
    • Anthony F
      • Q: Did I hear and see correctly... This application will do flow monitoring of non-flow enabled devices? Such as some of Cisco's smaller Catalyst switches.
      • A: That is correct.  Our other sessions will go into details on how to set that up.
    • Michael M
      • Q: Can you set thresholds per TOS field per device? For example can I set up a threshold that will alarm me if EXP traffic exceeds 30% on any device?
      • A: Yes, you should be able to by creating a Flow Monitor Custom Threshold.
    • Scot L
      • Q: How can unclassified traffic be further defined?
      • A: By configuring or monitoring the ports.
    • Temple M
      • Q: In a case where you are spanning or mirroring a core switch to the agent, which in turn reports to the WhatsUp box, does that create an intense increase in traffic or storage to the WhatsUp system?
      • A: It may, but remember that Flows contain only headers and there are several options to keep the volume under control.
    • Kai M
      • Q: But a switch with port mirroring is as good as a tap right?
      • A: Yes, but mirroring has a small limitation in performance when both directions are used at the same time at a higher level. It may drop some packets.
    • Ming W
      • Q: Is the Flow Monitor licensed based on the number of WUG devices licensing?
      • A: The Flow Monitor license is based on the number of devices sending netflow data, totally independent of the WhatsUp devices.
  • Q & A
    • Please submit your questions via the Q&A feature in the lower right corner
    • Additional Questions?
      • Jason Williams – guru@ipswitch.com
      • Kevin Gillis – k@ipswitch.com
      • or http://whatsupgold.com/community – then go to Forums
  • Traffic Analysis How To Webinar Series
    • Session 1 – 11:00 AM EST Tuesday, December 10, 2009
      • Traffic Analysis for Non-flow Enabled Networks
        • To access and view granular user and application traffic to and from servers
        • To understand and troubleshoot issues for both non-virtualized and virtualized systems and applications
    • Session 2 – 11:00 AM EST Tuesday, January 12, 2010
      • Traffic Analysis for Non Flow-Enabled Networks (Part 1 of 2 - TAPs)
        • To understand single or multi-segment traffic patterns
        • To pinpoint origins of slow network performance in real-time
    • Session 3 – 11:00 AM EST Tuesday, January 19, 2010
      • Traffic Analysis for Non Flow-Enabled Networks (Part 2 of 2 - Mirroring)
        • To increase defense against internal and external threats
        • To provide cost effective traffic analysis without upgrades or downtime
    • Session 4 – 11:00 AM EST Tuesday, January 26, 2010
      • Traffic Analysis Techniques for Flow and Non-flow Networks
        • To optimize the power of flow-based traffic analysis in networks
        • To create valuable strategies to ensure future network stability and security
  • Thank you!