61202880L1-29.1E
July 2008

Configuration Guide
Integrated Traffic Monitoring

This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. It includes an overview of the ITM and Top Traffic processes, applications, and detailed configurations, and provides all the necessary information for step-by-step configuration of ITM.
ITM Overview

ITM is a method of tracking traffic flow patterns across interfaces on a network. ITM can monitor traffic flows over both ingress (incoming) and egress (outgoing) interfaces.
ITM Process

The following illustration shows how ITM fits into the network.

[Figure 1. Diagram labels: IP Packet Flow; ITM Traffic Flow Observation/Data Collection; Internet; LAN; AOS Product; Export collected data; External Data Collector; Display collected data; User Terminal]
Traffic Flow Data Collection

Information about traffic flows is captured at observation points. Observation points in the ITM application are most often network interfaces. On platforms with RapidRoute enabled, RapidRoute architecture behaves as additional observation points by noticing any IP packets not already classified in a traffic flow. The following illustration depicts the operation of observation points within the ITM architecture.
Traffic Flow Data Metering

The AOS product’s flow cache monitors the traffic flow information. It collects IP header information, organizes the packets into traffic flows, and determines when traffic flows have expired and are ready for export. Once the ITM flow cache has been notified by the network interface (observation point), it organizes the traffic flows into flow entries and determines when the entries will be exported to the external data collector.
Table 1. Data Template Information (Continued)

Ingress Data Template            Egress Data Template
Type of Service (ToS) Bits       Type of Service (ToS) Bits
Packets in a Flow                Packets in a Flow
Bytes in a Flow                  Bytes in a Flow
Input Interface                  Input Interface
System Up Time of First Packet   Output Interface
System Up Time of Last Packet    Next Hop IP Address
Flow Direction                   System Up Time of First Packet
                                 System Up Time of Last Packet
                                 Flow Direction

Table 2.
Top Traffic Internal Data Collector

Using the internal Top Traffic data collection feature of ITM, several of the most important flow cache statistics can be viewed at a glance from within the router itself.
Hardware and Software Requirements and Limitations

ITM operates on ADTRAN Operating System (AOS) products that also support RapidRoute. The data platforms include NetVanta 340, 344, 3130, 3200 (third generation only), 3305, 3430, 3448, 4305, and 5305. The voice products include the Total Access 900(e) Series, the NetVanta 6355, and the NetVanta 7000 Series.
ITM observes IP packet information in the traffic flow upon ingress or egress; it does not analyze the traffic over its lifetime within the AOS product.
Configuring ITM and Top Traffic Using the GUI

Accessing the GUI

To begin configuring ITM through the GUI, follow these steps:
1. Open a new Web page in your Internet browser.
2. Type your AOS product’s IP address in the Internet browser’s address field in the following form: http://. For example: http://60.26.109.200
3. At the prompt, enter your user name and password and select OK. The default user name is admin and the default password is password.
4. Select Monitoring from the menu on the left.
[Figure: Monitoring Menu]
5. Select IP Flow/Top Traffic from the Monitoring menu on the left.

61202880L1-29.1E Copyright © 2008 ADTRAN, Inc.
Enabling ITM Using the GUI

After the GUI has been accessed, ITM must be enabled on the interfaces you wish to monitor. Ingress and egress parameters specify which traffic is to be monitored by Top Traffic and/or an external data collector. Ingress, the most commonly used logging feature, specifies that incoming traffic is monitored, and egress specifies that forwarded or outgoing traffic is monitored.
4. After enabling an interface and applying the desired ACL, select Apply to apply the settings. A message reading Apply Successful! will appear at the bottom of the screen to confirm that ITM is enabled on the chosen interfaces.

Configuring Sampling Options

To employ system-wide sampling on an interface with ITM enabled, determine the desired sampling rate.
2. In the Sample One-Out-Of field, enter the number of packets that will flow between data collection. The range of packets is 1 to 255. If 1 is entered, every packet in a flow will be collected. If any number up to 255 is entered, that number of packets will pass before another packet is collected.
3. Select the Sampling Type (random or deterministic).
Setting Traffic Flow Entry Expiration

Traffic flow entries are the data collected about traffic flows. Entries are stored in the flow cache and are termed either active or inactive. Active traffic flows refer to the maximum life of a single flow that continues to have packets detected at the observation point; inactive traffic flows refer to idle flows which no longer have packets detected at the observation point.
Traffic flow data can be sent to two different destinations or port configurations. When specifying the destination of traffic flow exports, several parameters can be included. To configure traffic flow export, follow these steps:
1. Select the Export tab from the Traffic Monitoring menu.
2. Enter the IP address of the external data collector in the Destination Address field.
3.
Configuring Top Traffic Using the (GUI)

The internal Top Traffic data collector can be configured by either using the CLI or the GUI. To configure Top Traffic, you must complete the following tasks:
• Enable ITM on an interface.
• Enter Top Traffic configuration mode.
• Determine and specify the minute interval for which data will accumulate.
5. Determine the minimum number of minutes that Top Talkers and Top Listeners data is accumulated. Specify an interval option of 5, 10, or 15 minutes using the drop-down menu. When viewing Top Traffic data, the current interval displayed will reflect the interval choice at this stage of configuration.
To configure whether Top Traffic is monitoring byte counts or packet counts, select the appropriate option from the drop-down menu. If the statistic to be gathered is changed once Top Traffic is configured, all existing data will be lost.
7. Determine the number of hosts that will be displayed in the Top Traffic listings. The range of host listings is 1 to 20, with the default set at 5.
8. If an ACL is to be used to filter the traffic for the Top Traffic lists, select an ACL from the drop-down menu titled Match List. By default, no ACL is configured and all traffic is considered. Select the desired ACL from the drop-down menu.
Configuring Custom Port Monitoring

By default, well-known TCP and UDP ports are monitored whenever Top Traffic is enabled. An additional 32 custom ports can be added to this list as desired, to help monitor ports used for file-sharing, gaming applications, or common ports used by viruses. To add a custom port to the port monitoring list, follow these steps:
1. Select the Monitor Port tab from the IP Flow/Top Traffic menu.
2.
3. Select Add at the bottom of the screen to add this port to the port monitoring list. The added port will appear in the listing at the bottom of the tab.
[Figure: Newly Added Port]
4. To remove ports from the custom list, check the box next to the desired port and select Remove Selected Monitor Ports.
Viewing ITM and Top Traffic Statistics (GUI)

Both ITM and Top Traffic statistics can be viewed from the GUI.

Viewing ITM Statistics

The ITM GUI displays traffic flow export and flow cache statistics in a Web-based format. To view either export or cache statistics, follow these steps:
1. Select IP Flow Statistics from the Monitoring menu on the left.
2.
Viewing Top Traffic Statistics

1. To view the Top Traffic statistics, choose Top Traffic Statistics from the Monitoring menu on the left. Top Traffic statistics can be viewed in hourly, 24-hourly, or daily increments. Each increment lists the ranking of source IP addresses (Top Talkers), destination IP addresses (Top Listeners), and how many bytes or packets were sent or received by each host.
Viewing Top Traffic Graphical Information

1. To view the Top Traffic graphical information, choose Top Traffic Graphs from the Monitoring menu on the left. There are four options of Top Traffic graphs to view. The first graph displayed is the Summary graph, which displays the total traffic in bytes or packets for either the last hour or the last 24-hour period.
3. To view the traffic by source IP address (Top Talkers), select the Top Talkers tab.
4. To view the traffic by destination IP address (Top Listeners), select the Top Listeners tab.
Configuring ITM and Top Traffic Using the CLI

Both ITM and Top Traffic can be configured using the CLI. To avoid confusion, it should be noted that the CLI commands configure Top Traffic with “Top Talkers” commands.
Table 3. ITM Default Parameters

Command                                                    Default Value
ip flow export template timeout-rate                       Template information is re-sent to the export destination every 30 minutes by default.
ip flow cache sample one-out-of [random | deterministic]   Sampling is disabled and every packet is recorded. When enabled, sampling is set to random.
the observation point after 15 seconds by default. When traffic flow entries expire, they are ready to be exported to the data collector. By default, active traffic flow entries are forcibly expired in 30 minutes. Also by default, traffic flows become inactive and expire after 15 seconds of inactivity.
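The expiry rules above, as an added Python sketch (an illustration written for this page, not ADTRAN code): a flow cache applies the default 30-minute active and 15-second inactive timeouts to constructed packets. The flow key fields, the addresses and interface name, and the choice to check timers only when a packet arrives are assumptions made for the example.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT = 30 * 60  # seconds: default forced expiry of active flows
INACTIVE_TIMEOUT = 15     # seconds: default idle time before expiry


@dataclass
class FlowEntry:
    key: tuple        # assumed key: src, sport, dst, dport, proto, ToS, interface
    first_seen: int   # time of first packet, in seconds
    last_seen: int    # time of last packet, in seconds
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.entries = {}
        self.exported = []  # stands in for records sent to the data collector

    def expire(self, now):
        """Move every entry that has hit a timeout to the export list."""
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen >= self.inactive:
                reason = "inactive"
            elif now - entry.first_seen >= self.active:
                reason = "active"
            else:
                continue
            self.exported.append((reason, entry))
            del self.entries[key]

    def observe(self, now, key, length):
        """Account one packet seen at an observation point."""
        self.expire(now)  # simplification: timers are checked on packet arrival
        entry = self.entries.setdefault(key, FlowEntry(key, now, now))
        entry.last_seen = now
        entry.packets += 1
        entry.octets += length


def run_demo(active=ACTIVE_TIMEOUT):
    # Constructed traffic: a Telnet session with one 100-byte packet every
    # 10 seconds for 31 minutes, and a two-packet DNS lookup.
    telnet = ("10.0.0.5", 40000, "192.0.2.10", 23, 6, 0, "eth 0/1")
    dns = ("10.0.0.9", 53000, "192.0.2.53", 53, 17, 0, "eth 0/1")
    packets = [(t, telnet, 100) for t in range(0, 1861, 10)]
    packets += [(5, dns, 60), (6, dns, 60)]
    cache = FlowCache(active=active)
    for now, key, length in sorted(packets, key=lambda p: p[0]):
        cache.observe(now, key, length)
    cache.expire(1900)  # traffic has stopped; drain what is left
    return [(why, e.key[0], e.packets, e.octets) for why, e in cache.exported]


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

The 31-minute session leaves the cache as two records, so a collector or analyst has to join records with the same key to recover a session's full duration and byte count.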
The export command also includes a no parameter. The no parameter precedes the command and disables the export functionality, or removes an associated destination if multiple entries are specified.
From the Top Traffic configuration mode, Top Traffic functionality can be configured. Configurable parameters include the time interval for which Top Traffic data will accumulate, whether data will be gathered by packet or byte observation, how many Top Talkers will be displayed, whether or not an ACL will be used to filter Top Traffic data, and (optionally) adding custom ports to the port monitoring feature.
(config-top-talkers)#top

Enter the number of listings desired after the top parameter. The default number is 5. Use the no form of this command to return to the default number.

Using an ACL with Top Traffic

An ACL can be used to filter the traffic monitoring data to be used in the Top Traffic listings. By using an ACL, it is possible to narrow the types of hosts that will be reported by ITM’s Top Traffic function.
Viewing Top Traffic Statistics (CLI)

show ip flow top-talkers

The show ip flow top-talkers command displays the list of IP addresses (hosts) that generated the most IP traffic during the current interval being accumulated. If the optional parameters of hour or day are used, data from the currently accumulating hour or 24-hour period is displayed. The detail keyword also displays the previously accumulated intervals.
show ip flow top-talkers port

The show ip flow top-talkers port command displays the list of monitored ports and the amount of traffic that has been observed on each port. The optional detail parameter breaks down port activity by the hour. For example, entering the command as follows results in the following sample output:

>enable
#show ip flow top-talkers port
Current Day Top Talkers Port
Top Ports   Packets
1. (8080)   7167
2.
Viewing Top Traffic Statistics via Email

After configuration of the mail agent and its parameters as outlined in the Mail Agent Configuration Guide, use the following configuration example to initialize email notification of Top Traffic statistics through a named mail client:

Parameters in italics indicate examples, and should be replaced by parameters specific to individual needs.
Example ITM Configuration

In the following example, ITM is used to capture network usage information to more accurately determine network availability and possible congestion problems. In this example, ITM, along with Top Traffic, provides information about who is using the network, where the network traffic is going, and the peak time of network usage.
From the Global configuration mode, the export destination is set to the external data collector at the IP address 208.61.209.5 through the UDP port 1010.

(config)#ip flow export destination 208.61.209.5 1010

By default, if no source interface is specified, the router interface at the hop closest to the data collector will be sourced. Most often, a source will only need to be specified for security purposes.
In order to get a more accurate cross section of network traffic flow patterns, the time-out rates for template export and active flow cache will be changed from their defaults. By changing the time-out rates from the default 30 minutes to 15, a more detailed picture can be achieved in analysis.
The following GUI entries also set these values:

To view the Top Traffic data, use the Top Traffic show ip flow top-talkers commands as detailed on page 45 of this guide, or the GUI Top Talkers Statistics tab as detailed on page 23 of this guide.
ITM and Top Traffic Command Summaries

The following table describes each configuration command for using ITM.

Table 4. ITM Command Summary

Access Prompt         Command                   Command Description
(config-interface)#   [no] ip flow ingress []   Enables monitoring of all traffic received on an interface with optional ACL filtering.
Top Traffic Command Summary

The following table describes each configuration command for using Top Traffic.

Table 5. Top Traffic Command Summary

Access Prompt           Command                    Command Description
(config)#               [no] ip flow top-talkers   Enables the collection of Top Traffic information and/or switches to Top Traffic configuration mode.
(config-top-talkers)#   [no] top                   Specifies the number of Top Talkers included in the Top Traffic report.
Troubleshooting

There are two methods for troubleshooting ITM. Troubleshooting can be done from either the GUI or the CLI. The GUI method gives you information regarding the entire system, whereas the CLI method gives you information specific to the configuration of ITM and Top Traffic. Both methods are described in the following sections.
To access GUI debugging abilities, follow these steps:
1. Select Debug Unit from the Utilities menu.
2. Select the Add Debug Filter button and choose the desired item to debug from the following Category drop-down menu. Select Apply when the correct item is chosen. The item you have selected to debug will appear in the Debug Category tab in the middle of the screen.
3. You can then select Start Debug and begin receiving debug information for the item you selected.

CLI Troubleshooting

After configuring ITM, several different commands can be issued from Enable mode in the CLI to assist in troubleshooting. These commands are detailed in the following table.

Table 6.
Show Commands

Use the show ip flow commands to display information pertinent to ITM configuration on your AOS product and to reveal possible problems in the configuration. The output of all show commands can be limited by appending a modifier to the end of the command. Appropriate modifiers are: begin , exclude , and include .
Use the show ip flow interface command to display configuration parameters for each interface on the AOS product. This command displays which interfaces are configured for ITM, whether they are enabled for ingress or egress monitoring, and whether they are configured for sampling.
The following is sample output from the show ip flow top-talkers hour detail command:

# show ip flow top-talkers hour detail
Current Hour Top Talkers Details
EOI       Rank   Top Traffic Sources:
                 SrcIPaddress      Bytes
Current   1      10.10.19.1        503K
          2      172.30.216.196    135K
          3      10.10.18.1        44K
          4      10.162.37.71      25K
          5      10.92.
The following is sample output from the show ip flow top-talkers port command:

# show ip flow top-talkers port
Current Day Top Talkers by Port:
     Top Port Sources:
     SrcPort              Bytes
1.   FTP (20)             3.4M
2.   HTTP (80)            1.2M
3.   UserDef_1 (31337)    750K
4.   ICMP (7)             128K
5.   NetBIOS (137-139)    550K

1. 2. 3. 4. 5.
In this debug message, various information is given about each flow as it expires. The message reveals the source IP address and port, the destination IP address and port, the direction of the traffic flow, the interface it crossed, the ToS, and the protocol it uses.

[Figure callouts: Source IP address:Port; Destination IP address:Port; Interface; Direction; ToS; Protocol (6=TCP)]

16:38:37: FLOW.CACHE: Expired 10.23.197.244:23 > 172.22.77.
Clear Commands

You can easily clear the ITM statistics on your unit by using the clear ip flow stats command. Using this command clears all statistics associated with ITM and allows for new statistics to be configured and observed. To use the clear ip flow stats command, use the following example:

#clear ip flow stats

You can also easily clear the ITM Top Traffic statistics by using the clear ip flow top-talkers command.