RETIRED! Exam
SNMP: The SNMPv3 Management Framework addresses the deficiencies in SNMPv2 relating to security and administration. The new features of SNMPv3 (in addition to those of SNMPv2 listed above) include:
NetFlow: NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.
The three major components of NetFlow are:
Flow exporter (Accounting): aggregates packets into flows and exports flow records towards one or more flow collectors. Routers and switches are examples of exporter devices that collects and export data in a pre-defined format.
Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
Analyzer application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example.
Note that MIB Groups is a feature of RMON2, another traffic analysis tool.
Netflow facilitates solutions to many common problems encountered by IT professionals.
1. Analyze new applications and their network impact: Identify new application network loads such as VoIP or remote site additions.
2. Reduction in peak WAN traffic: Use NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers.
3. Troubleshooting and understanding network pain points: Diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools.
4. Detection of unauthorized WAN traffic: Avoid costly upgrades by identifying the applications causing congestion.
5. Security and anomaly detection: NetFlow can be used for anomaly detection and worm diagnosis along with applications such as Cisco
6. CS-Mars.
The following steps are used to implement NetFlow data reporting:
1. NetFlow is configured to capture flows to the NetFlow cache
2. NetFlow export is configured to send flows to the collector
3. The NetFlow cache is searched for flows that have terminated and these are exported to the NetFlow collector server
4. Approximately 30 to 50 flows are bundled together and typically transported in UDP format to the NetFlow collector server
5. The NetFlow collector software creates real-time or historical reports from the data
IP Packet attributes used by NetFlow:
1. IP source address
2. IP destination address
3. Source port
4. Destination port
5. Layer 3 protocol type
6. Class of Service
7. Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied.
Note that SNMP does not provide granular traffic analysis and hence can not fully characterize the network.
SPAN is Switch Port Analyzer, and it is used for mirroring one or more switch ports to a monitoring station.
NBAR: NBAR short for Network Based Application Recognition, intelligently classifies and allows you to enforce QoS policy on today's mission-critical applications.
1. NBAR supports a wide range of network protocols, including some of the stateful protocols that were difficult to classify before NBAR/ Examples include http classification by URL, host, and MIME type, Microsoft Exchange, RealAudio, etc.
2. NBAR also classifies traditional static port protocols for supporting a wide range of solutions.
3. Support for new protocols can be easily and quickly added using packet description language modules (PDLMs) from Cisco Systems.
4. Protocol discovery shows you the mix of applications currently running on the network. This helps you define QoS classes and polices, such as how much bandwidth to provide to mission-critical applications and how to determine which protocols should be policed.
Note that NetFlow can also be used for traffic analysis but works at the IP layer of the protocol stack, where as NBAR works at the application layer and provides traffic analysis and control capabilities on a wide range of applications that use dynamic port assignment.
Syslog is a way for network devices to send event messages to a logging server usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web-server might log access-denied events.
Syslog messages may be generated in a broad range of areas such as OSPF, CDP, HTTP, etc.
Syslog messages has a level ranging from 0 to 7. "0" corresponds to emergency, where as "7" corresponds to "debug" messages. Note that syslog creates huge amounts of network traffic if configured without discretion. One needs to enable and disable syslog messages as the need arises.
NetFlow - Collects flow data for network planning, performance, and accounting.
CDP - Cisco proprietary protocol provides information about neighboring devices
Syslog - Reports state information based on facility and severity levels
RMON - Provides aggregate information of network statistics and LAN traffic.
RMON solutions are comprised of two components: a probe (or an agent or a monitor), and a client, usually a management station.
RMON probe also called RMON agent is a dedicated device including hardware or software or it can be software embedded into a network device like a router or a switch. RMON probe can also be software running on a standard operating system like Windows or Linux. Agents store network information within their RMON MIB The application and the agent communicate across the network using the Simple Network Management Protocol (SNMP).
RMON probes capture or monitor data packets from the network.
There are 2 versions of RMON:
1. RMON1 (RMONv1)and
2. RMON2 (RMONv2).
RMON1 defined 10 MIB groups for basic network monitoring, which can now be found on most modern network hardware. RMON2 (RMONv2) is an extension of RMON that focuses on higher layers of traffic above the medium access-control (MAC) layer. RMON2 has an emphasis on IP traffic and application-level traffic.
RMON2 allows network management applications to monitor packets on all network layers. This is difference from RMON which only allows network monitoring at MAC layer or below.
