Configuration and Fault Management


As networks have grown larger over the years, so has the need for a better monitoring system. As the number of devices you have on your network increases, the complexity, monitoring responsibilities, and possible number of network failures also increase. Network management has been defined by the International Organization for Standardization (ISO) as having five key areas: accounting management, configuration and name management, fault management, performance management, and security management. Fault management and configuration management are the two areas of network management that deal with troubleshooting.

Configuration management relies on the initial configuration of devices with agents so the devices are capable of being seen, of communicating on the network, and of reporting to a central monitoring system. The network is configured centrally to interact with the devices and respond to network upgrades the administrator may implement. The centrally monitored network will also be able to respond to failures and recover quickly. This is where fault management comes into play.

Fault management is described as the tracking and logging of an abnormal network event, which is usually defined as failing components or an excessive number of errors. With early treatment of any network faults, the network downtime is minimal to none.

To find faults in the network, Network Management Systems (NMSs) use different methods to discover the network. An NMS is a complete package of hardware and software for monitoring a network and gathering information on system performance and security. The NMS begins by utilizing a central device to slowly discover anything that is configured for the central device to see. For the discovering device to be able to identify the network devices, those devices must contain information of the type the discovering device is searching for. Along with the discovery of the network, an NMS uses monitoring to be able to keep track of the network's statistics.

NMSs enable you to monitor your network 24 hours a day from a central location, and alert you in case of failure or other alarms configured by the administrator. An NMS enables you to gather information about a network, such as details about packets, errors, hosts, connectivity, and performance. NMSs use SNMP (Simple Network Management Protocol), discussed later in this chapter, to communicate with devices on the network. For your network to be managed by SNMP, you must have managed devices, such as routers and switches, running an SNMP software agent, and a central point that acts as the monitoring system.

How Network Monitors Work

When you think of a network monitor, you might think of it as a particular device or piece of equipment. However, a network monitor consists mainly of software that oversees the network monitoring. Network monitors continuously monitor the packets that are traversing the network, and track the information to provide a current snapshot of the network activity. Even though a network monitor looks at the packets, it only collects statistics; the packets are not analyzed for errors or problems.

A network monitor's main function is to keep track of all the statistical information about the network to provide a baseline, an average sample (using statistical data) of the activity on the network. After a baseline has been established, it can be configured to report any network activity that is considered abnormal. Network monitors alleviate the headache of trying to manually monitor the network all day, every day. Network monitors collect several pieces of information that enable you to see an accurate picture of the network. Some information a network monitoring system may gather includes the following:

  • The number of packets being received or transmitted

  • The size of the packets being sent and received

  • Any errors in the packets

  • Network utilization statistics

  • Identities of hosts and their MAC addresses

  • Connectivity with other devices

  • Baseline statistics

  • Average performance

A large network environment has hundreds and possibly thousands of devices promising a flawless network, especially in a large campus environment that is maintained 24 hours a day, 7 days a week. A network administrator or a group of network administrators can't possibly monitor all the devices without a monitoring system in place. An online system needs to be in place to control and report any network faults, as well as any performance, security, and accounting issues.

Simple Network Management Protocol (SNMP)

The most common protocol used in network monitoring is the Simple Network Management Protocol (SNMP). SNMP is a reporting and signaling protocol that enables network devices to exchange detailed information about monitored devices. Online systems that use SNMP have proven to be dependable.

SNMP enables you to monitor network utilization, performance, uptime, and even traffic on ports for up to thousands of devices. Because most current network devices communicate with SNMP, an NMS can scan a network in about an hour, whereas it would take days for someone to physically walk around to all the devices and monitor each LAN or WAN segment. An SNMP online system enables system administrators to monitor the whole network from a central point, which can be anywhere from a network operations center to the desktop of the system administrator.

To have your network managed by SNMP, you have to implement the following types of devices:

  • Managed devices: Any node (including routers, servers, switches, computers, or printers) on your network running an SNMP agent that is being monitored. The agent collects management information and sends it back to the NMSs using SNMP.

  • Agent: The actual software module that runs on the managed devices and enables SNMP to communicate with the devices. The major requirement of the agent is to gather statistical information and store it in a management information base (MIB), a directory of the information and resources collected from the network that pertain to network management. SNMP uses MIBs to aid in monitoring the network. The device uses an MIB to store information about network management. The RMON MIB is one of the most widely used MIBs for remote access (you learn more about RMON MIB in an upcoming section of this chapter). The agent can also send traps or alarms, depending on the events happening on the network and how the agent is configured.

  • Network management system: An application that provides control and management of the devices connected to it. The information is gathered by the managed devices, and is sent back to the NMSs to monitor the network.

SNMP Community Strings

For the SNMP manager and the agent to communicate, the SNMP community string must be set. The community string can be thought of as a password that must be set to permit access to the agent on the router. Community strings (or community names) can be created with characteristics such as access control lists, read-only rights, read-write rights, and MIB views; these characteristics associate a level of access with the string name. For example, you can set a string name of Cisco that allows access to a specific MIB, or you can assign a string name of Router that associates read-only or read-write permissions with specified MIB objects. To configure a community string, use the following commands in Global Configuration Mode:

 DCS2(config)#
 DCS2(config)# snmp-server community router ?
   <1-99>  Std IP accesslist allowing access with this community string
   ro      Read-only access with this community string
   rw      Read-write access with this community string
   view    Restrict this community to a named MIB view
 DCS2(config)# snmp-server community router ro
 DCS2(config)# snmp-server community Cisco rw
 DCS2(config)# snmp-server community Support view ?
   WORD  MIB view to which this community has access
 DCS2#

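Because a community string works like a password, it is worth checking which of the restrictions listed in the help output above (access list, ro/rw, MIB view) each configured community actually carries. The following is an added example, not code from the original chapter or from Cisco: a small Python audit of `snmp-server community` lines. The list of guessable names, the view name `mgmt-view`, and access list 10 are assumptions made for illustration.

```python
# Added example: audit 'snmp-server community' lines in an IOS configuration.
# Assumption: a short, constructed list of names too well known to be secret.
GUESSABLE = {"public", "private", "cisco", "router", "admin", "snmp"}

def parse_community(line):
    """Return a dict for one 'snmp-server community' line, else None."""
    tokens = line.split()
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["snmp-server", "community"]:
        return None
    # IOS grants read-only access when neither ro nor rw is given.
    entry = {"name": tokens[2], "access": "ro", "view": None, "acl": None}
    rest, i = tokens[3:], 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ("ro", "rw"):
            entry["access"] = tok
        elif tok == "view" and i + 1 < len(rest):
            entry["view"] = rest[i + 1]   # next token is the view name
            i += 1
        elif tok.isdigit() and 1 <= int(tok) <= 99:
            entry["acl"] = int(tok)       # standard IP access list number
        i += 1
    return entry

def audit(config_text):
    """Return (community, finding) pairs for weakly restricted communities."""
    findings = []
    for line in config_text.splitlines():
        entry = parse_community(line.strip())
        if entry is None:
            continue
        name = entry["name"]
        if name.lower() in GUESSABLE:
            findings.append((name, "guessable community name"))
        if entry["acl"] is None:
            findings.append((name, "no access list limits which hosts may use it"))
        if entry["access"] == "rw" and entry["view"] is None:
            findings.append((name, "read-write access with no MIB view restriction"))
    return findings

# Constructed sample: the page's three communities; 'mgmt-view' and ACL 10 are hypothetical.
SAMPLE_CONFIG = """\
snmp-server community router ro
snmp-server community Cisco rw
snmp-server community Support view mgmt-view ro 10
snmp-server enable traps snmp
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

On the sample, the `router` and `Cisco` communities are flagged, while `Support`, which is tied to a view and an access list, produces no findings.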
Traps

A trap is an SNMP notification of an event that the router transmits to an NMS at the time of a severe network change. The event for which a trap should be sent can be defined by the network administrator. Configuring traps in your network will make life a lot easier for you as a network administrator, because you will be notified of any network problems when they happen. The trap is sent to the central location, thus triggering an alarm. Most systems are configured to alert a pager, for a faster response time, and usually enable you to be one step ahead of users' calls. Hopefully, with the few moments of advance notice from the network monitoring system, you can fix the problem before it has a large impact on users.

A trap is sent only once and is discarded as soon as it is sent so that it does not cause any congestion on the network, especially in cases in which the network may be suffering from congestion already. You can configure the router to send a trap to the central location when a network problem occurs, thereby sending an alarm. The following is an example of how to configure a router to send traps:

 DCSRootRTR#
 DCSRootRTR(config)# snmp-server enable traps ?
   appn         Enable SNMP appn traps
   bgp          Enable BGP state change traps
   config       Enable SNMP config traps
   dlsw         Enable SNMP dlsw traps
   entity       Enable SNMP entity traps
   frame-relay  Enable SNMP frame-relay traps
   isdn         Enable SNMP isdn traps
   rtr          Enable SNMP Response Time Reporter traps
   snmp         Enable SNMP traps
   syslog       Enable SNMP syslog traps
   <cr>
 DCSRootRTR#

The output above shows the options available when enabling SNMP traps.

The next example shows how to designate a trap to be sent to a specific source for logging:

 DCSRoot(config)# snmp-server trap-source ?
   BRI       ISDN Basic Rate Interface
   Ethernet  IEEE 802.3
   Null      Null interface
   Serial    Serial
 DCSRoot(config)# snmp-server trap-source ethernet ?
   <0-0>  Ethernet interface number
 DCSRoot(config)# snmp-server trap-source ethernet0
 DCSRoot(config)#

The code above shows the process for designating an interface as an SNMP trap source.

The Remote Monitoring MIB (RMON MIB)

One of the most common MIBs is the Remote Monitoring, or RMON MIB. The RMON MIB is used in most devices to allow monitoring of different LAN segments in a network. RMON was defined by the user community (with the help of the Internet Engineering Task Force) to provide a mechanism for device communications; it became a standard as RFC 1757. RMON enables agents and network management systems to communicate with each other and exchange data. RMON also provides for comprehensive network-fault diagnosis, planning, and performance-tuning information using the MIB.

Several RMON groups apply to the standard, such as statistics for RMON (group 1) and history for RMON (group 2). Cisco devices are embedded with various RMON groups, depending on the device.

Cisco NMS Software

As stated previously, a monitoring system mainly consists of software. Cisco offers several software packages to maintain an NMS. The software is often referred to as Cisco Network Management Solutions. The software enables you to update the IOS, change configurations, provide baselines of your network, aid in troubleshooting, and instantly send an alarm in case of failure. This includes the following:

  • CiscoWorks and CiscoView: The CiscoWorks software allows for monitoring, configuration, fault management, troubleshooting, and performance tuning using CiscoView to graphically display a physical view of the network. CiscoView software can be integrated with Sun Microsystems, HP OpenView, and IBM NetView.

  • Traffic Director: Analyzes network traffic patterns and reports the network trends in a switched internetwork. It can also be used for troubleshooting protocol problems and setting alarms to notify a system administrator in case of failure. Traffic Director utilizes the embedded RMON agents in Catalyst switches to compile the data.

  • CiscoWorks for Switched Internetworks (CWSI): A software suite that includes Traffic Director, CiscoView, and VlanDirector. CWSI works with SNMP, Cisco Discovery Protocol (CDP), Virtual Trunk Protocol (VTP), automated VLAN arrangement, and RMON for traffic monitoring. CWSI auto-discovers and creates a topology to allow system administrators to view the relationships and display VLANs.

  • Cisco Netsys: A simulation tool that enables the system administrator to see and test network performance of a new design before implementing it in the production network. Netsys uses object-oriented code that enables existing infrastructure code to be imported into Netsys, thereby allowing Netsys to simulate the performance of the new design before it is implemented.

The main function of a protocol analyzer is to capture, display, and analyze how a communications protocol is operating on the given network on a per-packet basis. The analyzer captures packets that are on the network at the given time, thus reporting in real time. To provide an accurate reading, the protocol analyzer must be physically attached to the specific network or broadcast domain you are trying to monitor. The protocol analyzer decodes the various layers and reports them in reference to each layer of the OSI model. A few examples of packet analyzers are NetBoy, LANWatch32, Wild Packets Etherpeek, Observer, Surveyor, Agilent Advisor, and Sniffer Pro.

When monitoring traffic, the protocol analyzer copies packets into its memory so that the packets can be analyzed without affecting the traffic. Using analyzers enables you to isolate a particular type of traffic or specify that you want to see only source and destination traffic. For example, if you are having an Ethernet problem, you don't need to look at all the routing traffic. This enables you to troubleshoot and analyze a particular area within a reasonably short period of time. Because many protocols are used in large campus environments, it is necessary to have a protocol analyzer that can discern different protocols.



CCNP CIT Exam Cram 2 (642-831)
ISBN: 0789730219
EAN: 2147483647
Year: 2003
Pages: 213
Authors: Sean Odom
