Hello, as far as I can gather from your questions you need traffic monitoring AND QoS monitoring, so:

Q5: Monitoring for quality of service

Nick, you had better consider using SAA on the router instead of NetFlow, because SAA gives you parameters like jitter, TCP window scale, etc.
Consider the use of IPM (Internetwork Performance Monitor).
See this URL for SAA:

http://www.cisco.com/en/US/tech/tk447/tk823/tech_protocol_home.html

And this one for IPM:

http://www.cisco.com/en/US/products/sw/cscowork/ps1008/products_user_guide_chapter09186a0080087847.html

I advise the use of NTOP to gather the bulk traffic stats and IPM to get QoS levels.

Q3: Passing on the collected data / Q2: One central ntop or one per international router?
You can specify on the router more than one destination for NetFlow, so you can have several "regional" NTOP machines and a "central" NTOP machine.
It really depends on the amount of traffic you are monitoring, but you can specify the interval between the NetFlow updates to control traffic updates.
I advise you to create a NetFlow interface on the NTOP machine per group of networks or site.


Best Regards,

----- Original Message ----- From: "Nick Sharp" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, February 19, 2005 10:10 PM
Subject: [Ntop] Questions about ntop for monitoring an international network


Dear folks

I have configured Cisco routers for many years, though I would not claim to be an expert!

I have just started considering ntop for monitoring an international network of Cisco routers running IOS 12.3 by feeding ntop with NetFlow. To gain my initial understanding of ntop, I am using the W32 demo version of 3.1 on my PC and targeting the NetFlow data to it from afar.

I could use a little help! Perhaps there are some points from my questions that would lead to additional ntop documentation, but perhaps I have just failed to read something that is already "out there" on ntop.org or cisco.com; if so, please forgive!

Q1: NetFlow version 9
=====================
I have trialled ntop with NetFlow version 5, which works well, and version 9, which does not (see ntop report extract shown below). It seems all V9 flows were ignored because of "Unknown Templates", whereas v5 were processed.


I am aware in outline of the difference between NetFlow 5 and 9.

SHOULD I want to use v9 with ntop?

If so, I feel sure I would need to do something to the router or ntop or both.

Flow Statistics
.
Number of V9 Flows Received 0
Number of V9 Flows with Unknown Templates Received 41

Discarded Flows
.
Number of Flows with Unknown Template 41

Q2: One central ntop or one per international router?
====================================================
Should a production system have an ntop collector/analyser right next to each international router, with some method of sending all the data onwards to one central store and analyser for answering the global questions, or is the flow rate** low enough to consider just one ntop box, probably located at the most powerful site? (**I see Cisco suggestions that NetFlow volume is 1~2% of the user traffic.) Maybe there are drawbacks to one site, such as difficulty in performing analysis of the data for just one of the routers when all the NetFlow data has been gathered in one place?


Q3: Passing on the collected data
=================================
If I locate an ntop collector at each site, how should it pass on all its NetFlow data (as it is? or after modification?) to a central location, where further analysis is possible?


Q4: Spotting some virus traffic
===============================
One significant monitoring desire is to automate the spotting of some viruses. When I look at a router's SHOW IP ACCOUNTING, it is easy to spot infected machines as they are sending the same sized set of packets to hundreds of destinations. I assume such data is also in the NetFlow. How might one best attempt to automate spotting such traffic? I am thinking that it might be best done by the central machine, as (a) it is there that the staff responsible for global network security would reside and (b) one might not want to put modifications into each relatively standard ntop collector at each site, if that is the better architecture.


I am aware that a more complete approach to virus spotting involves an IDS examining all data; I wonder whether there are possibilities of amalgamating devices for IDS and ntop functionality.

Q5: Monitoring for quality of service
=====================================
There are interactive central systems, with remote users. How should we monitor to ensure that the network is providing acceptable delivery? This could be done by examining the interactive flows at each end of each international link.


Can this be done by capturing data through NetFlow?

For example, provided that each router is on Network Time Protocol, and provided that each flow record is timestamped, it would be possible centrally to reconstruct the complete flow, thus showing whether the international circuit was responsible for any serious delay.





I appreciate that some of these ideas are beyond the scope of ntop and NetFlow alone, but they are practical needs within the area addressed by these tools. I look forward to your thoughts and suggestions.

Best regards
--
Nick Sharp
MA Hons (Oxon), MBCS, CITP
International ICT Infrastructure Consultant
eMl: [EMAIL PROTECTED]
Add: 77 Brighton Street
Harbord
NSW 2096
Australia
Tel: +61 2 9938 3459
Mob: +61 413 948 375
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
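Added example, not code from this thread or from the ntop project: a small Python decoder for NetFlow v5 export datagrams (the version that worked in Nick's trial) followed by the fan-out check he describes in Q4, run over constructed flow records. The addresses, ports, the 60-byte packet size and the 100-destination threshold are assumed values.

```python
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:   # v9 is template-based; this decoder does not handle it
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "octets": f[6], "dport": f[10], "proto": f[13]})
    return flows

def scan_suspects(flows, min_targets=100):
    """Group flows by (source, dst port, protocol, average packet size) and report groups
    reaching min_targets distinct destinations: the same-sized-packets-to-many-hosts pattern."""
    fanout = defaultdict(set)
    for f in flows:
        avg_size = f["octets"] // max(f["pkts"], 1)
        fanout[(f["src"], f["dport"], f["proto"], avg_size)].add(f["dst"])
    return {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= min_targets}

def build_v5(records, per_datagram=30):
    """Encode (src, dst, pkts, octets, dport, proto) tuples as v5 datagrams (test input only)."""
    datagrams = []
    for i in range(0, len(records), per_datagram):
        chunk = records[i:i + per_datagram]
        pkt = V5_HEADER.pack(5, len(chunk), 0, 0, 0, i, 0, 0, 0)
        for src, dst, pkts, octets, dport, proto in chunk:
            pkt += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                                  1, 2, pkts, octets, 0, 0, 1024, dport, 0, 0x02, proto,
                                  0, 0, 0, 24, 24, 0)
        datagrams.append(pkt)
    return datagrams

# Constructed sample: one host sends a single 60-byte packet to TCP/445 on 150 different
# hosts, while another host carries ordinary web traffic (assumed addresses).
SAMPLE = [("10.1.2.3", f"10.2.0.{i}", 1, 60, 445, 6) for i in range(1, 151)]
SAMPLE += [("10.1.2.9", "203.0.113.10", 120, 98000, 80, 6),
           ("10.1.2.9", "203.0.113.11", 80, 64000, 443, 6)]

def run(datagrams=None, min_targets=100):
    """Decode the datagrams (default: the constructed sample) and return flagged senders."""
    flows = [fl for dg in (build_v5(SAMPLE) if datagrams is None else datagrams) for fl in parse_v5(dg)]
    return scan_suspects(flows, min_targets)
```

A real collector would feed parse_v5 with the UDP payloads the routers export; the threshold is what separates a scanning host from a busy but legitimate server.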
