Friday 5 February 2010

How to analyse traffic via the CLI.

Depending on the situation and the router/IOS version there are a number of ways to analyse traffic passing through a Cisco router. I'll list those methods below with some of the Pros and Cons and then run individual articles on how to configure each part.

IP Accounting.

In the old days this was one way to look at the conversations at Layer 3 on the router. Effectively what it does is collect the source and destination IP address of each packet, either during the recursive lookup (on older routers) or via the packet inspection done for CEF switching (on newer routers). You can then query the router for the table of conversations during the period of capture to see the bytes/packets passing per conversation.

Pros - Can be done on just about any router. Simple to enable. Doesn't require export or specialist config/mibs. Can be done per interface.

Cons - Can be very resource intensive, particularly on older routers. Doesn't show what the traffic is, the table is not always easy to extract, and the output is purely cumulative so it does not always give the data you would expect for short term bursts.

NBAR

NBAR (or Network Based Application Recognition, to give it its full title) is a method for analysing protocol level data on a router. It is in many respects the predecessor to the more powerful Netflow and, as a result, is not as powerful.

NBAR looks at the protocol level data but only recognises a set of well known applications. There is a basic application set in any IOS version, which can be extended by downloading PDLMs from the Cisco site and uploading them to the router flash.

NBAR won't tell you which hosts are having the conversation; it will just give you an aggregated table of the recognised traffic passing through it, plus an "unknown" category.

Pros - Can be run on a lot of routers, including many non-Flow-capable routers. Can be updated via PDLMs. Can be used with other functions (like QoS). Can be queried via SNMP GETs.

Cons - Doesn't tell you which node is passing the traffic, and doesn't cover the full protocol suite. Data is cumulative so it doesn't show flows well.

Netflow

By capturing the first 30 bytes or so of each Layer 3 packet passing through the router, Netflow is able to construct traffic flow tables keyed on Source IP, Destination IP, Source Port, Destination Port and Protocol, and in some versions going as far as URLs and similar.

The router constructs tables of unique flows and cumulatively builds traffic amounts for the flows which can then be aggregated and exported via UDP or queried directly on the router.

Most people choose to export the data and store it in a database for simple or complex queries as the newer versions can collect a vast amount of data which builds up very quickly (into gigabytes).

However, many people don't realise it is possible to do queries based on short term captures from the router itself, using a service called Flow Top Talkers.

Pros - Can capture very detailed traffic information. Can be exported and stored. Can be leveraged for a number of applications.

Cons - Data can build up very quickly when exporting, it uses bandwidth to export, and it can use a lot of system resources in older versions or if improperly configured.
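As an added example (not code from the original post), the following is a minimal collector-side parser for one exported Netflow datagram, which rebuilds the flow table from the UDP payload and aggregates it into the same top-talkers view you would get on the router. It assumes the version 5 export format; the sample datagram is constructed inline, not captured from a real router.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 export layout (assumed here; the version field is the first
# header field, so a collector can reject anything else).
HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 UDP payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count in header does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "bytes": f[6]})
    return flows

def top_talkers(flows, n=3):
    """Sum bytes per (src, dst, proto, dport) and return the n largest,
    the same view the router's top-talkers table gives you."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def make_record(src, dst, sport, dport, proto, pkts, octets):
    """Build one v5 record; nexthop/ifindex/AS/mask fields are filler."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: three TCP/443 flows and one DNS flow.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 120, 150000),
    ("192.0.2.11", "198.51.100.5", 51001, 443, 6, 40, 30000),
    ("192.0.2.10", "198.51.100.5", 51002, 443, 6, 80, 90000),
    ("192.0.2.12", "198.51.100.9", 5353, 53, 17, 10, 1200),
]
SAMPLE_DATAGRAM = HEADER.pack(5, len(SAMPLE_FLOWS), 123456, 1265356800, 0, 1, 0, 0, 0) \
    + b"".join(make_record(*f) for f in SAMPLE_FLOWS)
```

Calling `top_talkers(parse_v5(SAMPLE_DATAGRAM))` folds the two flows from 192.0.2.10 into one 240000-byte entry, which is the aggregation step a collector does before the data is stored or queried.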

CEF Traffic Statistics

Although CEF is not as new a feature as it was, it is still new to a lot of people. CEF gives Layer 3 forwarding a behaviour more akin to switching, to improve packet transit through devices, and is an important precursor to things like MPLS. I will run a series of articles on CEF, as leveraging it requires some knowledge, but it can be a very useful tool.

SPAN/Packet Capture

Tools like Netflow are incredibly useful, but once you've identified the traffic flowing over a network and resolved any underlying network issues, you can still have situations where traffic sessions don't work or you need deeper packet inspection.

Historically the logical choice would be to run Wireshark or similar near the source or destination device, depending on the issue, to get a full packet breakdown and use deep inspection to see what's going on "on the wire". Using this tool you can see protocol error codes, packet corruption, retransmits etc.

If you cannot get directly inline, it is possible to use a process called SPAN to duplicate traffic from switchports to an alternative port/VLAN/SVI for analysis. Whilst this is resource intensive, it lets you analyse out-of-band (see the article on in-band/out-of-band).

Historically this has been the preserve of the switch, but with hybrid devices (like the 877 SOHO router) or with newer devices/IOS (such as the 2800 series running 12.4(20) or higher) you can now perform Wireshark-compatible packet captures, save them to flash and export them via the usual methods for analysis.

Pros - This represents the deepest level of packet inspection possible and allows you to gain a complete picture of what is going on in the network.

Cons - It requires specific device/IOS combinations, so is not currently widely available. Depending on the capture you need large memory cards or good export paths. It requires a good understanding of tools like Wireshark.

Each item above will have a configuration article generated along with expanded articles, so check back for more and look for the tags.
