Network management software with high detailed traffic report

Does anyone know the NMS (network management software) which can do the following:
1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10 seconds.
The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized.
Existing flow-collector can store netflow reports only with 1 minute granularity but we need 5-10 second.
As for e-mail alarms - now I do it by embedded event manager on the router. But I think it would be better to use external SNMP software for that. As for netflow statistics detailed to 5-10 seconds, there are 2 ways. 1st - Use port mirror and use some software which can analyze captured traffic and make good reports. Do you know such software? 2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10 seconds and catch netflow counters. Do you know such software?
Thanks in advance for your help.

Does anyone know the NMS (network management software) which can do the following:
1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10 seconds.
The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized.
Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often.
Talk to your router vendor first.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Steinar,
I'm sure that router updates its counter more often than 5 seconds.
On 22 November 2010 12:46, <sthaug@nethelp.no> wrote:
Does anyone know the NMS (network management software) which can do the following:
1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10 seconds.
The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized.
Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often.
Talk to your router vendor first.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

It depends on the manufacturer. Cisco can update OIDs even on a 1 second time basis (maybe less?). A long time ago I made a "real time monitor" to troubleshoot problems at the WAN. It was not an NMS, only visual graphs using PHP and RRDtool in one page showing IfOctets, IfDiscards, IfErrors, IfNUnicast and, in some cases, BECN and FECN for frame relay.
2010/11/22 Sergey Voropaev <serge.devorop@gmail.com>
Steinar,
I'm sure that router updates its counter more often than 5 seconds.
On 22 November 2010 12:46, <sthaug@nethelp.no> wrote:
Does anyone know the NMS (network management software) which can do the following:
1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10 seconds.
The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized.
Your requirements are somewhat unrealistic. Even if your NMS can fetch SNMP counters / Netflow info every 5-10 seconds, you have no guarantee that the router *updates* the counters / Netflow info this often.
Talk to your router vendor first.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
-- []'s Lívio Zanol Puppim

Good to know. It is such difficult information to find in documentation.
2010/11/22 Nick Hilliard <nick@foobar.org>
On 22/11/2010 10:00, Sergey Voropaev wrote:
I'm sure that router updates its counter more often than 5 seconds.
some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.
Nick
-- []'s Lívio Zanol Puppim

On Mon, 22 Nov 2010, Nick Hilliard wrote:
some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.
That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).
--
Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss

On Mon, 22 Nov 2010, Nick Hilliard wrote:
On 22/11/2010 14:02, Brandon Ross wrote:
That is most certainly NOT true.
You're correct that I'm mistaken. It's 9 second updates for both snmp and the interface (packets / bytes) counters, at least on 6700 cards / SXI. Are you getting different measurements?
No, I have no evidence that it updates more frequently than 9 seconds.
--
Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss

Well, on the RSP720, the "show interface" byte counters are definitely not every second, though I can't say it's been as long as 9 seconds. I typically look at them while making changes and they definitely stand still for a few seconds.
Frank
-----Original Message-----
From: Brandon Ross [mailto:bross@pobox.com]
Sent: Monday, November 22, 2010 8:03 AM
To: Nick Hilliard
Cc: nanog@nanog.org
Subject: Re: Network management software with high detailed traffic report
On Mon, 22 Nov 2010, Nick Hilliard wrote:
some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.
That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).
--
Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss

On Mon, 22 Nov 2010, Brandon Ross wrote:
On Mon, 22 Nov 2010, Nick Hilliard wrote:
some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.
That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).
I didn't think it was true either...but after reading Nick's message I checked a X6408A interface on one of our sup720's running "relatively" recent code (SXI1), and there definitely is some time between updates both the packet counters and the time averaged rates.
Just repeating the command and looking at my watch, I'd say Nick is right. It's easy to test yourself. Pick an int, and repeat "sh int <int name> | inc packets". The numbers really don't change but every 9 seconds or so. Same goes for the avg numbers...mine are set to 30 sec load interval, and they only change every ~9 seconds.
This does vary by platform. 3550 switches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
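
Added example, not code from any poster in this thread: a Python sketch of what a poller sees when it reads an interface octet counter every 5 seconds while the device refreshes that counter only every 9 seconds, the figures reported above for the sup720. The 40 Mbit/s load, the alarm thresholds and all function names are assumptions, and the samples are constructed.

```python
COUNTER32 = 2 ** 32  # a 32-bit octet counter wraps at this value

def simulate_polls(byte_rate, refresh_s, poll_s, duration_s, start=0):
    """Constructed data: (time, counter) pairs as a poller would see them when
    the device refreshes the exported counter only every refresh_s seconds."""
    samples = []
    for t in range(0, duration_s + 1, poll_s):
        last_refresh = (t // refresh_s) * refresh_s
        samples.append((t, (start + byte_rate * last_refresh) % COUNTER32))
    return samples

def delta(prev, curr):
    """Counter difference that survives a single 32-bit wrap."""
    return (curr - prev) % COUNTER32

def rates_bps(samples, step=1):
    """Bit rate between each sample and the one `step` polls later."""
    return [8 * delta(v0, v1) / (t1 - t0)
            for (t0, v0), (t1, v1) in zip(samples, samples[step:])]

def estimate_refresh_s(samples):
    """Mean time between observed counter changes, or None with fewer than
    two changes. Changes are only seen at poll times, so poll for a while."""
    changes = [t1 for (_, v0), (t1, v1) in zip(samples, samples[1:]) if v0 != v1]
    if len(changes) < 2:
        return None
    return (changes[-1] - changes[0]) / (len(changes) - 1)

def alarms(rates, low_bps, high_bps):
    """Number of readings that would trip a low or a high threshold."""
    return sum(1 for r in rates if r < low_bps or r > high_bps)

if __name__ == "__main__":
    # Assumed scenario: steady 40 Mbit/s (5,000,000 bytes/s), counter close
    # to wrapping, 9 s refresh, 5 s polling, 3 minutes of samples.
    s = simulate_polls(5_000_000, 9, 5, 180, start=COUNTER32 - 100_000_000)
    per_poll = rates_bps(s)          # every reading is either 0 or 72 Mbit/s
    windowed = rates_bps(s, step=9)  # 45 s window = 5 whole refresh periods
    print("estimated refresh interval: %.1f s" % estimate_refresh_s(s))
    print("per-poll alarms:", alarms(per_poll, 10e6, 60e6), "of", len(per_poll))
    print("windowed alarms:", alarms(windowed, 10e6, 60e6), "of", len(windowed))
```

With these inputs every 5-second reading trips a threshold although the load never changes, while rates taken over a window that is a whole multiple of the refresh interval report the true 40 Mbit/s.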

Does "service counters max age" help in any way?
According to Cisco, setting it too low might upset the snmp counters.
--
Tassos
Jon Lewis wrote on 23/11/2010 00:19:
On Mon, 22 Nov 2010, Brandon Ross wrote:
On Mon, 22 Nov 2010, Nick Hilliard wrote:
some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.
That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).
I didn't think it was true either...but after reading Nick's message I checked a X6408A interface on one of our sup720's running "relatively" recent code (SXI1), and there definitely is some time between updates both the packet counters and the time averaged rates.
Just repeating the command and looking at my watch, I'd say Nick is right. It's easy to test yourself. Pick an int, and repeat "sh int <int name> | inc packets". The numbers really don't change but every 9 seconds or so. Same goes for the avg numbers...mine are set to 30 sec load interval, and they only change every ~9 seconds.
This does vary by platform. 3550 switches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote:
Does "service counters max age" help in any way?
According to Cisco, setting it too low might upset the snmp counters.
https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.ht...
The "Usage Guidelines" are instructive. :-)
Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes.
Nick

There is also CSCsg23226 which might be related.
--
Tassos
Nick Hilliard wrote on 23/11/2010 01:35:
On 22/11/2010 22:56, Tassos Chatzithomaoglou wrote:
Does "service counters max age" help in any way?
According to Cisco, setting it too low might upset the snmp counters.
https://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.ht...
The "Usage Guidelines" are instructive. :-)
Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes.
Nick

On 11/22/2010 4:19 PM, Jon Lewis wrote:
This does vary by platform. 3550 switches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing.
Distributed platforms take longer to update counters by default. The old 7500 was really fun in how it handled counters between VIP and RSP. I've always seen it around 15s, not 30, though. You will also see this on any of the virtual chassis switches when referencing any interface that is not the current master switch. The 6500 is uniform with all interfaces (and roughly looked like 10s update with current code level).
Jack

On Mon, Nov 22, 2010 at 8:02 AM, Brandon Ross <bross@pobox.com> wrote:
On Mon, 22 Nov 2010, Nick Hilliard wrote: least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).
Show interface rate counters are not even truly average computed using the last 30 seconds of data. It is indicated as an exponential time-weighted (moving), where data is gathered every 5 seconds. Meaning every update time, a new value is calculated, by using three datapoints, the previous value of the average, and a calculation based on the change over the past 5 seconds (Current - Previous value).
Avg(N) = exp(1/W) * (CurrentOctets - PreviousOctets) + (1 - exp(1/W) * Avg(N-1))
Where 'W' is computed based on the "time interval" averaged over
Routers or sniffers can aggregate that data, but a NMS that gathered every 5s using SNMP would not scale very well, and TELNET/CLI would not work for that either; for that, you would need to use a different protocol, probably would need to be a new one designed for 5 second accurate timestamped readings. SNMP ifMib readings are not accurately timestamped, and you would encounter measurement errors.
Asking a device about one particular statistic about one interface every 5 seconds isn't much trouble. If you have a router with 100 interfaces, and your NMS needs to query each interface every 5 seconds, you have 100 / 5 = 20 interfaces to query per second.
Imagine how many packets you have to send if you have 100 devices with 5 interfaces, and you want to track 4 statistics for every interface 12 times per minute. 2000 queries every 5 seconds. You need some serious hardware to handle that on your routers and your NMS, which has 400 values to save per second, assuming your NMS perfectly distributes query load, and responses are never delayed (not likely).
--
-JH

On Mon, Nov 22, 2010 at 11:35 AM, Sergey Voropaev <serge.devorop@gmail.com> wrote:
Does anyone know the NMS (network management software) which can do the following:
1. Monitor on Cisco Routers/Switches interface utilization every 5-10 seconds and send e-mail alarm when utilization low or high of predefined thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10 seconds.
The main idea is to have detailed monitoring of the external links and to be able to know why (by what traffic type) and when link was highly utilized.
Existing flow-collector can store netflow reports only with 1 minute granularity but we need 5-10 second.
As for e-mail alarms - now I do it by embedded event manager on the router. But I think it would be better to use external SNMP software for that. As for netflow statistics detailed to 5-10 seconds, there are 2 ways. 1st - Use port mirror and use some software which can analyze captured traffic and make good reports. Do you know such software? 2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10 seconds and catch netflow counters. Do you know such software?
Thanks in advance for your help.
Take a look at WANGuard Flow (http://www.andrisoft.com/software/netflow-traffic-monitoring). It builds traffic graphs with a configured granularity of 5 seconds and emails alarms when traffic thresholds are reached. It only needs Netflow.
participants (12):
- Brandon Ross
- bross@pobox.com
- Frank Bulk - iName.com
- Jack Bates
- James Hess
- Jon Lewis
- Livio Zanol Puppim
- Nick Hilliard
- Sergey Voropaev
- sthaug@nethelp.no
- Tassos Chatzithomaoglou
- Vasile Borcan