It’s All About Correlation!
Virtually every IT organization has introduced some type of cloud initiative and every IT organization is leveraging managed services or the Internet in their environment. We can never assume visibility into every network element due to administrative controls issues and it is impractical to expect traffic-flow collection on every device. Blind spots, in reality, are the norm. In this blog post, I want to walk through a couple of scenarios on how we correlate information reported from disparate parts of the network to connect the dots and present you a picture that reflects what is happening in your network.
1) Traversing Managed Services MPLS or Internet
In this simple Cisco’s Intelligent WAN (IWAN) deployment, HQ-B1, HQB2 and HQ-MC are three routers associated with the San Jose site. Branch1-B1 and Branch2-B1 are connected to Los Angeles and New York respectively. Both branch routers have dual links connected to the Internet (INET) and the MPLS Service Provider.
The system overlays NetFlow information onto the network topology to present you the picture of how traffic flows are going from east to west and north to south. You can think of NetFlow like turning the lights on in the room. Without this visibility, you do not know what is going on in your network.
You can trace flows through the system. For example, you can follow flows arriving from the San Jose router HQ-B1 ingressing on interface Eth0/0 egressing on interface Tunnel 101 going to the MPLS network.
Although we do not know all the hops within the MPLS network nor do we have visibility of the network elements within the MPLS network, we do know the devices are connected to the MPLS network over a particular subnet and over a particular link. We can report on the next hop IP address of the network element within the MPLS network so you can identify the particular network element you are connected to within the MPLS network.
Similarly, we can correlate information from the far end. In this case the Los Angeles Branch1-B1 router is connected to the same MPLS network over the tunnel interface Tu101. By correlating the information from various observation points, we are able to provide the visual display that it is representative in the connections to the MPLS network.
2) Correlating Wireless & Wired, Basic and Advanced NetFlow Information
In this example, we receive flexible NetFlow information from the Cisco 3850 Wireless LAN controller.
From the device view of the Cisco3850APN-215 wireless switch, we can see flows from John Doe. John Doe is connected to the wireless network SSID L3-ROUTED-5. He is accessing a number of applications including Citrix, YouTube, MS-WBT, HTTP, etc.
We can apply this particular user into the search and use it in the other part such as the wired network.
Applying John Doe’s IP Address in the search, we are only viewing John Doe’s flows from the wireless network to the wired network exiting the intelligent WAN edge router into the Internet.
You can also see the basic flexible NetFlow data by going to the table view. Here is a list of flows related to John Doe are shown.
By simply double clicking on one of these flows, we will show you the hop-by-hop view of where the flow traverses the network along with information such as CPU utilization, ingress and egress interface, policies being applied along with DSCP marking information. Click on “Show Path”, you can gain hop-by-hop visibility through the network using basic flexible NetFlow information.
Overlaying basic flexible NetFlow information allows you to perform path analysis.
With advanced NetFlow capabilities turned on, you can drive further workflow to identify performance characteristics. For example, Performance Monitoring is enabled on one of the network elements, we can derive additional metrics about John Doe’s real-time voice experience.
Here is a list of RTP voice flows associated to John Doe. You can see additional metrics such as packet loss and jitter information. We also highlight flows that exceed the thresholds to draw your attention. Double clicking on the flow with high packet loss, we can gather further information.
Additional information is gathered hop-by-hop to help you pinpoint the trouble spot. It is important to note that it is not necessary to have advanced NetFLow enabled across the network. Even though Performance Monitoring is not enabled on every device, we are able to correlate the flexible NetFlow data from devices that do not support Performance Monitoring and devices with Performance Monitoring enabled to get additional performance metrics.
The two grey arrows show devices that do not support Performance Monitoring whereas the last red arrow indicates that Performance Monitoring is enabled and that there is a threshold crossing alert detected.
Similarly, we can use Cisco AVC to get additional response time metrics about John Doe’s Citrix experience.
Once again, we are showing how we correlate basic flexible NetFlow metrics with Cisco AVC metrics.
NetFlow on routers is a powerful tool for observation of network-wide traffic providing you valuable insight into what is happening in your network. It is not necessary to enable NetFlow or advanced NetFlow like Cisco AVC and Performance Monitoring across the network. Although, the more places you have advanced NetFlow capabilities enabled, the more granular the data. LiveAction can correlate information from disparate parts of the network to provide you with the big picture.