Application Monitor: Frequently Asked Questions
What is the Application Monitor?
The Application Monitor is a fully integrated network performance management appliance. When installed, it collects statistical information about who and what is generating traffic on the network and stores this in a database for historical analysis.
Network performance information is useful for two reasons. Firstly, short term data provides a very granular view of what has happened on the network over the last few days, allowing network operators to respond to problems that exist in the network; secondly, long term data provides an indication of the performance and trends of the network and applications over long periods of time.
Aren't there already a lot of network management tools on the market?
Yes, there are many network management tools available from a host of sources ranging from freeware to very expensive and complex commercial systems. Even with such a wide range of available solutions, it was clear that many organisations still did not have any network performance management tools to help run the network. The freeware style tools were too limited or not supported whilst the commercial solutions were either very expensive or very complex (or both). Many organisations clearly could not justify the expense in both financial and training terms to deploy such products and are essentially running blind when it comes to network performance.
There was a real need for a tool that simply reported what applications and which users were using the bandwidth. The rationale behind the development of the Application Monitor was to produce a low cost, easy to use, integrated network performance management appliance.
How does the Application Monitor work?
The Application Monitor is installed in the network and collects and stores statistical information about all flows (or conversations between machines) traversing the network. This flow information is collected either by the Application Monitor's inbuilt flow meter, or alternatively from flow agents on existing routers such as Cisco NetFlow.
Each Application Monitor maintains its own data store, allowing data pertaining to a site to remain at the site. This alleviates many of the traditional issues with transferring network performance data across low speed WAN links. Access to each Application Monitor database is via HTTP, ensuring minimal disruption to network bandwidth. The distributed data approach also negates the requirement for a large centralised database and the associated high end hardware costs.
Do I need a separate server to run the Application Monitor?
No, all information is stored in a SQL database on the local hard drive installed within the appliance. All reports are generated from this database. It is also possible to query the database remotely via SQL if a central data repository or analysis by external hosts is required.
Why an appliance?
As an appliance, the Application Monitor can typically be installed within an hour. The appliance model significantly reduces the complexity of installation and reduces overall cost by removing the need for a dedicated server.
How many different models are there?
There are three different Application Monitor types, designed for deployment in different scenarios:
- Application Monitor 3000, designed for small or branch sites, is a small form factor appliance capable of monitoring up to 4 subnets. The 3000 comes with 3 x 10/100 Ethernet connections and is typically installed on links running up to 10 Mbps.
- Application Monitor 6000, designed for medium sized enterprises, is a rack mount appliance capable of monitoring up to 50 subnets. The 6000 comes with 6 x 10/100 Ethernet connections and is typically installed on links running up to 100 Mbps.
- Application Monitor 9000, designed for large site or core network monitoring. The 9000 comes with 6 x Gigabit Ethernet connections (2 x fibre, 4 x copper) and is typically installed in the core of the network to monitor the entire enterprise.
Each Application Monitor model uses the same software.
What sampling interval does the Application Monitor use?
There is much debate as to how granular network performance data needs to be. The sampling interval needs to be short enough to identify short term problems, but long enough not to overload the management device with too much data.
The Application Monitor uses a five minute sample period which is sufficient to identify sustained short term performance issues, as well as produce long term trends in network performance. By storing data locally, the Application Monitor is able to collect and store a wide range of information on applications and users for each five minute sample period.
What client software is required on the desktop to access the Application Monitor?
The Application Monitor user interface is entirely web based. All that is required on the client side is a standard web browser.
Why use flow based accounting and statistics collection?
Flow based accounting collects statistical information about network usage by examining individual flows (or conversations) between devices. By collecting only statistical information about each flow, as opposed to every single packet, flow based accounting systems are more efficient and hence more scalable for high speed networks.
Unlike SNMP based solutions, flow based accounting solutions provide much richer information by identifying who and what is generating network traffic.
Many routers already support the collection and export of flow information. Flow based accounting products such as the Application Monitor can leverage the investment already deployed in these network devices. Most routers are specifically designed for high speed network processing and are as such perfect for the collection of flow based statistics.
Along with cost, it is for this reason that there is a general shift away from dedicated probe type management solutions toward flow based accounting solutions. This trend will continue as network speeds increase to 1 Gigabit and above.
What is a flow?
A flow is a communication between two devices on the network. A flow can be uniquely identified by a number of different attributes such as source address, destination address, protocol type, port number, logical interface and so on. Packets traversing the network are inspected and associated with a specific flow, for which statistical counters are maintained. Flow statistics such as total byte count, packet count and flow start time can then be written to a database for later analysis.
There is some confusion in the industry as to the precise definition of a flow with different vendors using slightly different meanings for the same term. nMetrics use the following definitions for flows:
- Unidirectional Flow. A connection in one direction between 2 devices. In this context, a TCP connection is made up of two unidirectional flows, one representing the forward connection from client to server, the other representing the return path from server to client. When Cisco use the term flow they are referring to a unidirectional flow.
- Bidirectional Flow. A bidirectional flow comprises 2 unidirectional flows. A bidirectional flow is typically used to represent both the forward and return components of a TCP connection.
- Application Flow. An application flow is a concept developed by nMetrics. An application flow is a grouping of multiple like bidirectional flows. For example, a series of connections between a client and server on a specific port number would constitute a single application flow.
By using the application flow as the fundamental component for network statistics collection, significant savings can be achieved in both database size and appliance performance without sacrificing reporting functionality.
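The three flow definitions above, worked through on a handful of constructed packets. This is an added illustration, not nMetrics code: unidirectional flows are keyed by the full 5-tuple, a bidirectional flow pairs the forward and return halves of one connection (orienting client to server by treating the lower port as the server side, an assumption of this example), and an application flow groups every connection between the same client and server on the same server port.

```python
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# A client makes two HTTP connections to one server and one DNS lookup.
PACKETS = [
    ("10.1.1.5", 40001, "192.168.1.10", 80, "tcp", 120),
    ("192.168.1.10", 80, "10.1.1.5", 40001, "tcp", 1500),
    ("10.1.1.5", 40001, "192.168.1.10", 80, "tcp", 60),
    ("10.1.1.5", 40002, "192.168.1.10", 80, "tcp", 130),
    ("192.168.1.10", 80, "10.1.1.5", 40002, "tcp", 2800),
    ("10.1.1.5", 53001, "10.0.0.53", 53, "udp", 70),
    ("10.0.0.53", 53, "10.1.1.5", 53001, "udp", 150),
]

def unidirectional_flows(packets):
    """Cisco-style flow: one direction only, keyed by the full 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, size in packets:
        f = flows[(src, sport, dst, dport, proto)]
        f["packets"] += 1
        f["bytes"] += size
    return dict(flows)

def bidirectional_flows(uni):
    """Pair the forward and return unidirectional flows of one connection.
    Assumption: the end with the lower port is the server, so the key is
    always (client, client_port, server, server_port, proto)."""
    bi = defaultdict(lambda: {"bytes_to_server": 0, "bytes_from_server": 0, "packets": 0})
    for (src, sport, dst, dport, proto), c in uni.items():
        if sport < dport:                      # src is the server side
            key, forward = (dst, dport, src, sport, proto), False
        else:                                  # src is the client side
            key, forward = (src, sport, dst, dport, proto), True
        b = bi[key]
        b["packets"] += c["packets"]
        b["bytes_to_server" if forward else "bytes_from_server"] += c["bytes"]
    return dict(bi)

def application_flows(bi):
    """Application flow: all bidirectional flows between the same client and
    server on the same server port, regardless of the client's ephemeral port."""
    app = defaultdict(lambda: {"connections": 0, "bytes_to_server": 0, "bytes_from_server": 0})
    for (client, _cport, server, sport, proto), b in bi.items():
        a = app[(client, server, sport, proto)]
        a["connections"] += 1
        a["bytes_to_server"] += b["bytes_to_server"]
        a["bytes_from_server"] += b["bytes_from_server"]
    return dict(app)

if __name__ == "__main__":
    uni = unidirectional_flows(PACKETS)
    bi = bidirectional_flows(uni)
    app = application_flows(bi)
    print(len(uni), "unidirectional,", len(bi), "bidirectional,", len(app), "application flows")
```

Seven packets collapse to six unidirectional flows, three bidirectional flows and two application flows, which is the database saving the paragraph above refers to.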
What flow based agents are supported?
Currently the Application Monitor supports:
- NetFlow Version 5
- NetFlow Version 9
- IPFIX
- Lightweight Flow Accounting Protocol (LFAP)
- Real Time Flow Meter (RTFM)
What is NetFlow?
NetFlow is a Cisco IOS software feature and also the name of an open (but proprietary) Cisco protocol for collecting IP traffic information. Cisco routers with NetFlow enabled generate NetFlow records, which are exported from the router in UDP packets and collected using a NetFlow collector such as the Application Monitor.
How does NetFlow work on the router?
NetFlow operates by creating a NetFlow cache within the router that contains the information for all active flows. A flow record is maintained within the NetFlow cache for each active flow. Each flow record in the NetFlow cache contains key fields that can later be used when exporting data to the Application Monitor. The flow details, or cache information, are exported to the Application Monitor periodically based upon flow timers.
The routing device checks the NetFlow cache once per second and causes a flow to expire, and hence be exported, in the following instances:
- Flow transport is completed (TCP connections that have reached the end of the byte stream [FIN] or which have been reset [RST] are expired).
- The flow cache has become full.
- A flow becomes inactive. By default, a flow unaltered in the last 15 seconds is classified as inactive.
- An active flow has been monitored for a specified number of minutes. By default, active flows are flushed from the cache when they have been monitored for 30 minutes.
Note that this style of cache management is relevant only to routing devices; Cisco Catalyst switches use a slightly different cache management system.
How do I configure NetFlow on my router?
Configuring NetFlow on a Cisco router is a relatively simple process. The required configuration for interoperability with the Application Monitor requires only one change to the default values.
The Application Monitor uses a five minute sample period. That is, it collects and caches network performance information and writes to the database every five minutes. By default, Cisco use an active flow timeout value of 30 minutes which means that information for long lived active flows will be sent to the Application Monitor every 30 minutes. This results in a mismatch and incorrect data as the Application Monitor expects to get an update on all flows every five minutes.
To ensure that the Application Monitor correctly reports flow usage the active flow timeout value of the router must be set to five minutes.
To set the active timer value to five minutes, follow these steps on the Cisco router:
- enable
- configure terminal
- ip flow-export version 5
- ip flow-export destination ip-address udp-port (where ip-address is the management address of the Application Monitor; and udp-port is the NetFlow UDP Port number defined on the Application Monitor)
- ip flow-cache timeout active 5
- end
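Why the active timeout matters, as an added illustration rather than anything from nMetrics: a small model of a router exporting one long-lived flow, with the collector attributing each exported record to the five minute sample period in which it arrives (record splitting is not modelled, which is an assumption of this example). A constant 1000 byte/s flow lasting 30 minutes is reported as 8000 bit/s in every period with a 5 minute active timeout, but as nothing for 25 minutes and then a 48000 bit/s spike with the 30 minute default.

```python
SAMPLE_PERIOD = 300   # the Application Monitor's five minute sample period, seconds

def export_records(flow_start, flow_end, rate_bytes_per_sec, active_timeout):
    """Model a router exporting one long-lived flow.  Each time the active
    timer expires, the bytes accumulated since the previous export go out as
    one record stamped with the export time; a final record is exported when
    the flow ends (FIN).  Inactive-timeout and cache-full expiry are not
    modelled here."""
    records = []
    last_export = flow_start
    t = flow_start + active_timeout
    while t < flow_end:
        records.append((t, (t - last_export) * rate_bytes_per_sec))
        last_export = t
        t += active_timeout
    records.append((flow_end, (flow_end - last_export) * rate_bytes_per_sec))
    return records

def bucket_by_sample_period(records, horizon):
    """Attribute each record to the sample period in which it was exported.
    Period i covers (i*300, (i+1)*300] seconds; a record is never split across
    periods, which is the collector behaviour assumed in this example."""
    buckets = [0] * (horizon // SAMPLE_PERIOD)
    for export_time, nbytes in records:
        idx = min((export_time - 1) // SAMPLE_PERIOD, len(buckets) - 1)
        buckets[idx] += nbytes
    return buckets

def reported_utilisation_bps(active_timeout, duration=1800, rate=1000):
    """Per-period average utilisation in bit/s that the collector would report
    for a constant `rate` byte/s flow lasting `duration` seconds."""
    recs = export_records(0, duration, rate, active_timeout)
    return [b * 8 // SAMPLE_PERIOD for b in bucket_by_sample_period(recs, duration)]

if __name__ == "__main__":
    print("active timeout 30 min:", reported_utilisation_bps(1800))
    print("active timeout  5 min:", reported_utilisation_bps(300))
```

The total byte count is the same in both cases; only its placement in time differs, which is exactly the mismatch the 5 minute timeout corrects.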
What is IPFIX?
The IETF has been working to standardize NetFlow. The effort is named IPFIX, which stands for IP Flow Information eXport. The IETF considered working implementations as a starting point and elected to work from Cisco NetFlow version 9. Version 9 extends classic NetFlow by using templates to describe the flow records, which provides extensibility. The working group's charter also led it to allow securing the flow information: SCTP secure stream transport can be used instead of TCP or UDP for transport, and IPsec or TLS can also be used.
The IPFIX standard also allows for sampled data, which alleviates the burden on devices of classifying and reporting on each and every packet. Cisco is recommending random sampling (probabilistic sampling) to ensure you don't miss flows, for example when there are recurrent (periodic) data patterns.
What is the meaning of 'short' and 'long' term data?
The Application Monitor writes information about all application flows every five minutes. That is, it uses a five minute sample period on which to calculate average utilisation for each flow, host, application or subnet. Once application flows are written to the application flow table, the Application Monitor then calculates the five minute average utilisation for all configured subnets. The application flow table and subnet utilisation table are referred to as the short term data.
Every 30 minutes, the Application Monitor queries all application flows from the short term application flow table to calculate 30 minute averages for subnet utilisation, host and application usage. These 30 minute averages are referred to as long term data. The long term data provides better indication of long term trends over weeks and months.
The Application Monitor will automatically select which data to use when generating a report. If there is enough short term data in the database to service the report then short term data will be used, otherwise long term data tables will be used.
Reports will look slightly different depending on whether short term or long term data is used.
The Application Monitor is subnet based, what does this mean?
Many network performance tools, particularly those that are SNMP based, are interface based. That is, they collect statistics on a per interface basis either from network equipment such as switches or routers or from dedicated probe devices.
Many networks are configured in such a way that multiple subnets traverse a single interface. For example, an organisation may have a head office connected to a private IP network via a 10 Mbps link, with all remote sites connecting to head office over this single link. This scenario results in multiple subnets (one pertaining to each remote site) running over the single interface connecting head office.
Many traditional network performance management tools have difficulty in identifying these multiple subnets traversing a single interface. The Application Monitor was designed specifically for this scenario. All application flows on an interface are collected, from which usage information per subnet can be calculated.
The Application Monitor user interface allows for specific subnets to be configured. Specific usage information is calculated for these subnets, however, even if an entry for a specific subnet has not been configured, the application flows will still be collected and reported in the Default subnet.
Is it possible to configure overlapping subnets?
Yes, there are many situations where it is desirable to configure overlapping subnets. An example of overlapping subnets would be an entry, Subnet A, configured with network address 10.0.0.0/8, and two other entries, Subnet B and Subnet C, with network addresses 10.1.1.0/24 and 10.2.2.0/24. Subnets B and C are wholly contained within (that is, are subsets of) Subnet A; these are overlapping subnets (nMetrics also refer to these as nested subnets).
Can I add a single host rather than a whole subnet?
A single host or server can be configured in the same fashion as a subnet by specifying the IP address and using a 32 bit subnet mask. For example, a server with address 192.168.1.10 could be added using 192.168.1.10 and mask 255.255.255.255.
What is the 'Default' subnet and why are the To and From volume values always the same?
The Default subnet is specified with an address on 0.0.0.0/0. As such, all application flows are contained within the Default subnet.
When subnet utilisation is calculated, the source and destination addresses of each application flow are examined to determine whether each is inside or outside a particular subnet. The bytes to and bytes from fields can then be used to calculate how many bytes are directed to and how many bytes are directed from the particular subnet.
In the case of the Default subnet, the source and destination address are both always contained inside the Default subnet. Having no reference point means that there is no concept of direction for the Default subnet, that is, there is no way to calculate bytes to or bytes from. As such the Default subnet values are calculated as the sum of bytes to and bytes from.
The Default subnet may be deleted from the Application Monitor.
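The subnet usage calculation described in the three answers above (nested subnets, a single host with a 32 bit mask, and the directionless Default subnet), worked through on constructed application flows. This is an added example, not nMetrics code; the page only describes the both-ends-inside case for the Default subnet, and applying the same rule to any other subnet whose members talk to each other is this example's assumption.

```python
from ipaddress import ip_address, ip_network

# Subnet entries as they might be configured in the user interface (constructed
# for this example): Default, a /8 with two nested /24s, and a single server.
SUBNETS = {
    "Default":  ip_network("0.0.0.0/0"),
    "Subnet A": ip_network("10.0.0.0/8"),
    "Subnet B": ip_network("10.1.1.0/24"),
    "Subnet C": ip_network("10.2.2.0/24"),
    "Server":   ip_network("192.168.1.10/32"),   # host entry, 255.255.255.255 mask
}

# Constructed application flows for one sample period:
# (source, destination, bytes source->destination, bytes destination->source)
FLOWS = [
    ("10.1.1.5",   "192.168.1.10", 310, 4300),
    ("10.2.2.7",   "192.168.1.10", 200, 9000),
    ("10.1.1.9",   "10.2.2.7",     500,  700),   # both ends inside Subnet A
    ("172.16.0.4", "10.1.1.5",     100,   50),
]

def subnet_usage(flows, subnets):
    """Return {subnet name: {"to": bytes, "from": bytes}} for one sample period."""
    usage = {name: {"to": 0, "from": 0} for name in subnets}
    for src, dst, src_to_dst, dst_to_src in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for name, net in subnets.items():
            src_in, dst_in = src_ip in net, dst_ip in net
            u = usage[name]
            if src_in and dst_in:
                # No reference point, hence no direction: both fields carry the
                # sum of bytes to and bytes from.  The page states this for
                # Default; using it for every subnet is this example's assumption.
                u["to"] += src_to_dst + dst_to_src
                u["from"] += src_to_dst + dst_to_src
            elif dst_in:
                u["to"] += src_to_dst
                u["from"] += dst_to_src
            elif src_in:
                u["to"] += dst_to_src
                u["from"] += src_to_dst
            # neither end inside: the flow does not count toward this subnet
    return usage

if __name__ == "__main__":
    for name, u in subnet_usage(FLOWS, SUBNETS).items():
        print(f"{name:9s} to={u['to']:6d} from={u['from']:6d}")
```

Note that Subnet B plus Subnet C never exceed Subnet A, and that the Default row shows identical To and From values, as the answer above explains.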
What type of database does the Application Monitor use?
The Application Monitor uses a PostgreSQL database. All reports use standard SQL to extract data from the database. By default, it is not possible to execute SQL queries to the database from external hosts, however, nMetrics will, in some circumstances, open database access and provide a copy of the database schema to allow external SQL access.
Connecting using switch mirror or SPAN ports
A switch mirror port is a port that is configured to mirror or copy all traffic to or from another port. Most layer 3 switches at the very least provide the ability to configure a one-to-one mirror port, that is, mirror all traffic on one port to another port for analysis.
Some vendors, such as Cisco, allow for more sophisticated mirroring to be configured. Cisco allow for multiple source ports to be mirrored to a single destination port and refer to this as a SPAN session (Switch Port Analysis).
In addition, Cisco also provide the ability to configure a VLAN based SPAN session (VSPAN). This allows for all ports in a particular VLAN to be mirrored to the destination port. This feature is particularly useful to allow for the Application Monitor to report on VLAN environments.
The Application Monitor can accept connections from multiple mirror or SPAN ports. Each connected mirror or SPAN port must be configured as a Monitor port on the Application Monitor. The Application Monitor can then use the internal flow meter to collect network performance statistics.
When connecting multiple mirror or SPAN ports, care must be taken to ensure the Application Monitor does not receive duplicate flows.
Connecting using network taps
Ethernet taps provide a similar function to switch mirror ports but have the additional benefit of not requiring any additional configuration in the switching environment, as well as ensuring no performance issues are introduced into the network.
The preferred solution for connecting an Application Monitor is to use a Port Aggregation tap installed inline on the specific Ethernet segment being monitored (typically in-line between the switch and the main egress router).
A Port Aggregation tap allows for both sides of the full duplex Ethernet connection to be sent to the Application Monitor using a single physical port.
Most taps also provide the ability to failover in the event of a power outage. This allows for communication between the switch and router to continue even if the tap loses power. By using taps in this fashion it is possible to provide the Application Monitor full visibility of network traffic whilst not being installed inline in the network.
The Application Monitor can accept connections from multiple taps. Each connected tap port must be configured as a Monitor port on the Application Monitor. The Application Monitor can then use the internal flow meter to collect network performance statistics.
Can I add a 'Read Only' user?
Yes, read only users can be configured to have exactly the same visibility as the associated administrative user.