Netmon Professional Edition
[ORIGINAL POSTED on Network World | MAY 14, 2007 1:00 AM PT]
By Barry Nance
The Netmon appliance went to work quickly to establish a baseline of network activity and begin identifying network problems.
Augmented by its built-in protocol analyzer, the Netmon appliance pinpointed network trouble spots in our tests by decoding key packets in addition to depicting the problematic network devices and servers. The Netmon device comprehensively monitored network traffic, specific protocols, bandwidth utilization, TCP/IP-based network services, switches, routers, network printers, UPSes and application performance.
You’ll especially appreciate the Netmon appliance if you like solving network problems at a low level. Netmon Professional Edition lacked the application-layer perspective of Extended Technologies.
The device, through its browser-based Visual Network Explorer component, shows network activity in real time. You can display the packet decodes from Netmon’s raw packet-level capture facility in a protocol-analysis display utility, such as Ethereal or Wireshark. The vendor says Netmon can decode thousands of protocols.
Netmon detected half/full duplex mismatches, frame collisions and other low-level network issues. The Netmon appliance integrates closely with Cisco NetFlow to gather statistics from Cisco devices.
The appliance collects Windows performance statistics to display the status of Windows background services as well as CPU, memory and disk use. It includes a port scanner for monitoring switch and router health, and it examined router Address Resolution Protocol tables to identify new network nodes as they appeared on the network. It also did a good job of keeping a close eye on our event logs and security logs across multiple servers.
The Netmon device notified us via e-mail or pager when network activity exceeded previously set thresholds. However, it couldn’t express threshold interrelationships and time of day/day of week situations in as sophisticated a manner as the other products reviewed.
Netmon’s remediation feature can run a Python script or Linux command within the appliance. It does produce uptime/availability reports, bandwidth-use reports and historical reports of network errors. Netmon comes with clear and comprehensive online documentation. It installs in a few minutes.
[Original Article – Netmon Professional Edition on NetworkWorld.com]
Warning: Configuration of the Cisco device is your responsibility and you can potentially damage your device, so please make backups of your router before making any changes. Commands can vary between versions of Cisco firmware.
The traditional way is to mirror all traffic in its entirety on your switch for analysis. This requires an interface capable of speeds equivalent to those of the traffic you wish to monitor. NetFlow (and similar protocols) instead summarize and break traffic down for analysis, so much less data is required.
In this blog I will set up NetFlow on a Cisco 2901 and configure it to export NetFlow in a very basic way (no security) to provide Netmon a remote view of a network at another location – on the other side of an internet connection.
These are the commands that will be used:
snmp-server community public RO
ip flow-cache timeout active 1
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.10.1.50 9996
ip flow ingress
ip flow egress
How to configure Netflow
Let me show you where to put them. First elevate your privileges to configure the router.
# snmp-server community public RO
This sets a Read Only (RO) SNMP community string of ‘public’. If you have already done this you can skip this step.
# ip flow-cache timeout active 1
This sets the active flow timeout to 1 minute, which breaks up the NetFlow traffic into 1 minute blocks.
# ip flow-export source Vlan1
The IP address of Vlan1 is the address the device has been configured with in Netmon. In my case this IP address is 10.66.0.2, and the device in Netmon is configured as 10.66.0.2.
# ip flow-export version 5
NetFlow version 5 is the most common version of NetFlow and is used by many router manufacturers.
# ip flow-export destination 10.10.1.50 9996
10.10.1.50 is the private IP address of http://demo.netmon.ca and 9996 is the default port Netmon uses for NetFlow traffic.
User ID: demo
Next I have to decide which interface I wish to monitor. I could choose multiple. In my case I have Vlan 111 as a collector MPLS interface which represents all traffic for this network.
# interface Vlan111
# ip flow ingress
# ip flow egress
*Hold Control + Z*
Cisco2901# write mem
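With this export in place, the collector receives NetFlow version 5 as plain UDP datagrams on port 9996, with no authentication in the protocol. The following Python code is an added example (not from the original post and not Netmon's own code) showing the checks a collector can apply to each datagram: the exporter address (10.66.0.2 from the post), the version, the record count against the datagram length, and gaps in the flow sequence counter. The function names and sample records are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
EXPORTER = "10.66.0.2"   # Vlan1 address from the post (ip flow-export source)
MAX_RECORDS = 30         # a v5 datagram carries at most 30 records


def parse_v5(datagram, sender_ip, expected_seq=None):
    """Validate one datagram; return (flows, next_expected_seq, lost_flows)."""
    # UDP source addresses can be forged, so this is a sanity check only.
    if sender_ip != EXPORTER:
        raise ValueError("datagram from unexpected exporter " + sender_ip)
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count, _up, _secs, _nsecs, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if not 1 <= count <= MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    # flow_sequence counts flows exported so far; a jump means lost datagrams.
    lost = 0 if expected_seq is None else (seq - expected_seq) % 2**32
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows, (seq + count) % 2**32, lost


def build_sample(seq, records):
    """Constructed test datagram (not captured traffic)."""
    out = HEADER.pack(5, len(records), 60000, 1700000000, 0, seq, 0, 0, 0)
    for src, dst, pkts, octets, sport, dport, proto in records:
        out += RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, bytes(4),
                           1, 2, pkts, octets, 0, 59000, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return out
```

A non-zero lost count on a remote link like this one means some flow data never reached the collector, so the resulting graphs under-report traffic for that interval.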
Everything is done on the Cisco Router. We move on to Netmon. Navigate to the ‘Devices’ tab of Netmon and click on “New Device”.
Enter the IP address we chose as the source, which was Vlan 1, and the Read Only SNMP community string, which I configured as ‘public’.
Click on the Network tab.
On the right side find the interface you are looking to view.
If you click on the interface here you will see a new window.
You can name this interface whatever you like. I select all 3 boxes.
You now know how to configure NetFlow on a Cisco device for Netmon. In a few minutes a graph on the front page will start populating. As it fills in you will see the breakdown of remote traffic summarized by NetFlow.
If we take a look at the impact of NetFlow on the internet connection, we see that it averages around 400 kbps. A common 5mbit/1mbit DSL connection can handle this traffic. With the traditional method of simply mirroring traffic this would not be possible, as seen in the previous graph where traffic is spiking up to 60.23 Mbps.