Overview
After completing this chapter, you will be able to
-
Identify the rationale for using embedded management functionality in network infrastructure devices
-
Discuss design considerations for NetFlow
-
Discuss design considerations for NBAR
-
Discuss design considerations for IP SLAs
The Cisco IOS Software includes embedded management functionality that enables network engineers to achieve efficient network performance, scalability, and availability. These management tools provide critical data for establishing baselines, capacity planning, and determining network bottlenecks. This chapter discusses the importance, requirements, and considerations for implementing the embedded Cisco IOS Software management tools in an enterprise design.
Cisco IOS Embedded Management Tools
Network management includes a broad range of policies, procedures, and purpose-built hardware and software tools used to manage networks. Network management affects the performance, reliability, and security of the entire network.
Network administrators use network management to verify that the network is working well and behaving in the planned manner. Network management is also used to characterize the performance of the network, to reveal how much traffic is flowing and where it is flowing in the network, and when troubleshooting a network.
Embedded management software subsystems in Cisco IOS Software help manage, monitor, and automate actions within a router or switch, enabling devices to automatically collect data and take action.
Network Management Support in Cisco IOS Software
Managed equipment provides a variety of information such as the equipment type deployed and how it is connected, the version of software it is running, its status, and so forth. Cisco IOS Software provides extensive management capabilities, including the following:
-
A broad range of show commands provide network information for both in-band and out-of-band (OOB) management.
-
Many Simple Network Management Protocol (SNMP) Management Information Bases (MIB) provide access to vast amounts of information.
-
Device management applications such as the Cisco Router and Security Device Manager (SDM) and the Cisco Adaptive Security Device Manager (ASDM) provide web-based tools for managing single devices.
-
Embedded management software subsystems in Cisco IOS Software (syslog, NetFlow, NBAR, and IP SLAs, each detailed later in this chapter) help manage, monitor, and automate network management.
Application Optimization and Cisco IOS Technologies
Traditional network management processes focus on managing WAN links because of their scarce bandwidth and susceptibility to issues, including the following:
-
The expense of WAN connections, sometimes resulting in organizations implementing lower-speed, lower-cost links.
-
Speed mismatches between LAN and WAN links, leading to congestion, packet loss, and degraded application performance.
-
Different types of application traffic with different delivery requirements using the same WAN links. Real-time applications such as voice and video are especially sensitive to congestion and suffer from degraded performance due to delay, jitter, and packet loss. (Jitter is the variance of delay.)
However, there is increasing interest in extending network management to support application optimization at the data center and throughout the enterprise. The embedded Cisco IOS technologies provide network management support for application optimization in the network, as illustrated in Figure 12-1.
The phases in the application optimization cycle shown in Figure 12-1 are as follows:
-
Baseline application traffic: In the first phase, a baseline is developed that measures network data so that the network manager can understand the basic traffic and application flows and the default network performance. Cisco IOS software technologies that support this phase include NetFlow, NBAR Protocol Discovery, and IP SLAs.
-
Optimize to meet objectives: After establishing the baseline, the network manager can apply policies and prioritize traffic so that each application has an optimal portion of network resources. Resources are allocated based on their value to the organization. Quality of service (QoS) is used to reduce congestion, prioritize specific traffic, and optimize end-to-end performance of critical applications. Cisco IOS Software technologies that support this phase include QoS, NBAR, Cisco AutoQoS VoIP, and Cisco AutoQoS for the Enterprise.
Note: The Cisco AutoQoS features are described later in the “NBAR and Cisco AutoQoS” section of this chapter.
-
Measure, adjust, and verify: In the third phase of the application optimization cycle, the network manager uses ongoing measurements and proactive adjustments to verify that the optimization techniques and QoS provide the network resources needed to meet the service objectives of the applications. This information is also used to resolve network issues that may occur. Several Cisco IOS Software features help measure network performance, including NetFlow, NBAR Protocol Discovery, IP SLAs, and syslog.
-
Deploy new applications: In this phase, network engineers determine the service objectives for new applications, estimate the network resources that will be needed to support these objectives, and allocate resources for new applications. Network management tools and processes enable the network manager to have the confidence to deploy new applications based on an understanding of the existing applications. NBAR and NetFlow are common Cisco IOS technologies used to support this phase.
Figure 12-2 highlights where Cisco IOS technologies are commonly deployed in the enterprise environment. Syslog should be deployed on every device; NetFlow, NBAR, and IP SLAs monitoring are deployed at selected locations in the network.
A recommended practice is to use a predefined template to structure network management configuration and reporting information.
The remainder of this chapter details the four Cisco IOS embedded network management features—syslog, NetFlow, NBAR, and IP SLAs.
Syslog
The Cisco IOS system message logging (syslog) process enables a device to report and save important error and notification messages; the messages can be saved either locally or to a remote logging server. Syslog messages can be sent to local console connections, terminal monitor connections (vty and tty), the system buffer, or to remote syslog servers, as illustrated in Figure 12-3. Syslog sends text messages to a syslog server using UDP port 514.
Syslog provides a comprehensive reporting mechanism that logs system messages in plain English text. The syslog messages include both messages in a standardized format (called system logging messages, system error messages, or simply system messages) and output from debug commands. The messages are generated during network operation to assist with identifying the type and severity of a problem, or to aid users in monitoring device activity such as configuration changes.
The Cisco IOS Embedded Syslog Manager (ESM) feature provides a programmable framework that allows a network manager to filter, escalate, correlate, route, and customize system logging messages before delivery by the Cisco IOS system message logger. ESM is available in Cisco IOS Software Release 12.3(2)T and later versions. ESM also allows system messages to be logged independently as standard messages, Extensible Markup Language (XML)-formatted messages, or ESM-filtered messages. These outputs can be sent to any of the traditional syslog targets. For example, a network manager could enable standard logging to the console connection, XML-formatted message logging to the buffer, and ESM-filtered message logging to a monitor connection. Similarly, each type of output could be sent to different remote hosts. Separate logging processes ensure that even if there is some problem with one of the formats or filtering, messages from the other processes will be unaffected.
Cisco IOS Syslog Message Standard
Note: Some of the information in this section is derived from Authorized Self-Study Guide: Designing for Cisco Internetwork Solutions (DESGN), Second Edition, by Diane Teare, Cisco Press, 2007 (ISBN 1-58705-272-5).
Syslog messages contain up to 80 characters; a percent sign (%) follows the optional sequence number or timestamp information if configured. Syslog messages are structured as follows:
seq no:timestamp: %facility-severity-MNEMONIC:description
The following parameters are used in the syslog messages:
-
A sequence number appears on the syslog message if the service sequence-numbers global configuration command is configured.
-
The timestamp shows the date and time of the message or event if the service timestamps log [datetime | uptime] global configuration command is configured. The timestamp can have one of three formats:
-
mm/dd hh:mm:ss
-
hh:mm:ss (for short uptimes)
-
d h (for long uptimes)
-
Facility: A code consisting of two or more uppercase letters that indicate the facility to which the message refers. Syslog facilities are service identifiers used to identify and categorize system state data for error and event message reporting. A facility can be a hardware device, a protocol, or a module of the system software. Cisco IOS Software has more than 500 different facilities. The following are some common facilities:
-
IP
-
OSPF (Open Shortest Path First Protocol)
-
SYS (operating system)
-
IPsec (IP Security)
-
RSP (route switch processor)
-
IF (interface)
-
LINK (data link messages)
Other facilities include Cisco Discovery Protocol (CDP), QoS, RADIUS, multicast (MCAST), multilayer switching (MLS), Transmission Control Protocol (TCP), virtual local-area network (VLAN) trunking protocol (VTP), Telnet, and Trivial File Transfer Protocol (TFTP).
-
Severity: A single-digit code (from 0 to 7) that reflects the severity of the condition; the lower the number, the more serious the situation. Syslog defines the following severity levels:
-
Emergency (level 0, which is the highest level)
-
Alert (level 1)
-
Critical (level 2)
-
Error (level 3)
-
Warning (level 4)
-
Notice (level 5)
-
Informational (level 6)
-
Debugging (level 7)
-
Mnemonic: A code that uniquely identifies the error message.
-
Description: A text string that describes the condition. This portion of the message sometimes contains detailed information about the event, including port numbers, network addresses, or addresses that correspond to locations in the system memory address space.
Note: For more syslog information, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124sup/124sms/index.htm.
Example 12-1 shows a typical message indicating that the operating system (facility = SYS) is providing a notification (severity = 5) that it has been configured (mnemonic = CONFIG_I). The message text indicates that the user cwr2000 performed this configuration from vty 0 at address 192.168.64.25.
%SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)
Note: The documentation for each Cisco IOS Software release, such as the “Cisco IOS Release 12.4T System Message Guide,” found at http://www.cisco.com/en/US/products/ps6441/products_system_message_guide_book09186a00806f9890.html, explains the meaning of these messages.
Syslog Issues
This section describes some of the issues with syslog.
The syslog message severity is not used consistently across the different Cisco platforms and Cisco IOS versions. For example, the environmental monitor shutdown event is level 0 in Cisco IOS Release 12.0 and level 1 in Cisco IOS Release 11.2. Therefore, documentation for each Cisco IOS Software release must be read to understand the meaning of the syslog messages. This inconsistency can be problematic if different software releases are running on devices and you want to filter syslog messages to extract information at specific levels of severity.
Another issue with syslog is that it can be verbose and may provide a mixture of many informational messages interspersed with messages that are useful for analyzing a specific problem or condition. Network managers can use filters or scripts to isolate important messages. Third-party tools, including syslog-ng and Kiwi Syslog Daemon, can also be used to help manage syslog messages.
Syslog delivery is based on UDP, so messages are sent without acknowledgment and can be lost. However, this is typically not a problem for a monitoring and alerting tool. RFC 3195, Reliable Delivery for syslog, specifies a reliable delivery mechanism for syslog. Cisco IOS Software Release 12.4(11)T supports the Reliable Delivery for Syslog over Blocks Extensible Exchange Protocol (BEEP) feature, which enables reliable and secure syslog message delivery. BEEP also allows multiple sessions to a single logging host, independent of the underlying transport method, and provides a filtering mechanism called a message discriminator.
Syslog is not a secure mechanism: a message sent over UDP carries no authentication, integrity protection, or encryption, so its source address can be forged and its contents can be read or altered in transit. Secure practices should therefore be used, such as access control lists (ACL) that allow the logging host to receive syslog packets only from internal resources. Such an ACL reduces but does not eliminate the spoofing risk, because the source address it filters on is itself unauthenticated.
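The following Python example is added here to make the message format described in the preceding section concrete and to show the two controls this section calls for: filtering verbose output down to the messages that matter, and accepting syslog only from internal sources. It is not code from the chapter or from Cisco. It parses Cisco IOS system messages as they arrive at a collector over UDP, including the RFC 3164 `<PRI>` prefix that IOS prepends on the wire, applies a collector-side allow list of internal prefixes, and selects messages by facility and mnemonic rather than by severity, so a severity that differs between IOS releases does not change what gets reported. It also cross-checks the severity encoded in the PRI against the severity in the message body. The function names, the allowed prefixes, the watch list, and the sample datagrams are all constructed for this example; decoding the PRI assumes the default IOS logging facility (local7).

```python
"""Parse and triage Cisco IOS syslog datagrams on the collector (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One Cisco IOS system message, optionally preceded by the RFC 3164 <PRI> that
# IOS prepends on the wire. IOS logs to facility local7 (23) by default, so the
# PRI is facility*8 + severity and its low three bits give the severity.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"          # <PRI>, present only on the wire
    r"(?:(?P<seq>\d+):\s+)?"             # sequence number (service sequence-numbers)
    r"(?P<ts>[^%]*?)\s*"                 # timestamp (service timestamps log ...), if any
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class IosSyslog:
    source: str                   # address the datagram arrived from
    pri_severity: Optional[int]   # severity decoded from <PRI>, if present
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def msgid(self) -> str:
        """Release-independent key: facility-mnemonic, ignoring severity."""
        return f"{self.facility}-{self.mnemonic}"


def parse_ios_syslog(line: str, source: str = "") -> Optional[IosSyslog]:
    """Return the parsed message, or None if the line is not an IOS system message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = m.group("pri")
    seq = m.group("seq")
    return IosSyslog(
        source=source,
        pri_severity=int(pri) % 8 if pri is not None else None,
        seq=int(seq) if seq is not None else None,
        timestamp=m.group("ts").rstrip(":").strip(),
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        description=m.group("description"),
    )


def is_internal(source: str, allowed_networks: List[str]) -> bool:
    """Collector-side ACL: accept only sources inside the internal prefixes."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in allowed_networks)


def ingest(datagrams: Iterable[Tuple[str, str]], allowed_networks: List[str],
           watch: Iterable[str], max_severity: int = 3) -> Dict[str, list]:
    """Filter datagrams by source, parse them, and pick out the ones worth alerting on.

    A message is selected by facility-mnemonic (robust to the severity differences
    between IOS releases) or by a severity at or below max_severity.
    """
    watch = set(watch)
    accepted: List[IosSyslog] = []
    rejected: List[Tuple[str, str]] = []
    alerts: List[Tuple[str, str]] = []
    flagged: List[Tuple[str, str, str]] = []
    for source, line in datagrams:
        if not is_internal(source, allowed_networks):
            rejected.append((source, "source outside allowed networks"))
            continue
        rec = parse_ios_syslog(line, source)
        if rec is None:
            rejected.append((source, "not a Cisco IOS system message"))
            continue
        accepted.append(rec)
        # IOS derives the PRI from the message severity; a disagreement means the
        # datagram was not produced by a stock IOS logger (a relay rewrote it, or it is forged).
        if rec.pri_severity is not None and rec.pri_severity != rec.severity:
            flagged.append((source, rec.msgid, "PRI severity disagrees with message severity"))
        if rec.msgid in watch or rec.severity <= max_severity:
            alerts.append((rec.msgid, rec.description))
    return {"accepted": accepted, "rejected": rejected, "alerts": alerts, "flagged": flagged}


# Constructed sample datagrams (source address, payload); not captured from a real device.
ALLOWED_NETWORKS = ["192.168.64.0/24", "10.0.0.0/8"]
WATCH_MESSAGES = {"SYS-CONFIG_I", "SEC_LOGIN-LOGIN_FAILED"}
SAMPLE_DATAGRAMS = [
    ("192.168.64.1", "<189>000042: *Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by cwr2000 on vty0 (192.168.64.25)"),
    ("192.168.64.1", "<187>000043: *Mar  1 00:01:09.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("192.168.64.2", "<190>1w2d: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.64.10 started - CLI initiated"),
    ("192.168.64.2", "<188>1w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.7] [localport: 22] [Reason: Login Authentication Failed]"),
    ("203.0.113.9", "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.9)"),
    ("192.168.64.3", "<190>%SYS-5-CONFIG_I: Configured from console by console"),
]

if __name__ == "__main__":
    result = ingest(SAMPLE_DATAGRAMS, ALLOWED_NETWORKS, WATCH_MESSAGES)
    for key in ("rejected", "flagged", "alerts"):
        print(key, *result[key], sep="\n  ")
```

Run on the constructed sample, the external datagram from 203.0.113.9 is rejected before it is parsed, the LOGIN_FAILED message is reported even though its severity (4) is above the severity threshold, the verbose LOGGINGHOST_STARTSTOP message is not, and the last datagram is flagged because its PRI says severity 6 while its body says 5. Because UDP syslog carries no authentication, the source check is only as strong as the network's anti-spoofing controls, and the PRI cross-check catches only crude forgeries and relay rewrites; a severity that matters for alerting should still be confirmed in the system message guide for the release actually running on each device.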