Network management software with high detailed traffic report

Does anyone know the NMS (network management software) which can do the
following:

1. Monitor on Cisco Routers/Switches interface utilization every 5-10
seconds and send e-mail alarm when utilization is below or above predefined
thresholds.
2. Collect net-flow statistics (at least src/dst) with granularity of 5-10
seconds.

The main idea is to have detailed monitoring of the external links and to be
able to know why (by what traffic type) and when link was highly utilized.

Existing flow-collector can store netflow reports only with 1 minute
granularity but we need 5-10 second.

As for e-mail alarms - now I do it by embedded event manager on the
router. But I think it would be better to use external SNMP software for
that.
As for netflow statistics detailed to 5-10 seconds, there are 2 ways.
1st - Use port mirror and use some software which can analyze captured
traffic and make good reports. Do you know such software?
2nd - Use SNMP or telnet/ssh for access to the router/switch every 5-10
seconds and catch netflow counters. Do you know such software?

Thanks in advance for your help.

Your requirements are somewhat unrealistic. Even if your NMS can fetch
SNMP counters / Netflow info every 5-10 seconds, you have no guarantee
that the router *updates* the counters / Netflow info this often.

Talk to your router vendor first.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Steinar,

I'm sure that router updates its counter more often than 5 seconds.

It depends on the manufacturer. Cisco can update OIDs even on 1 second time
basis (maybe less?).

A long time ago I made a "real time monitor" to troubleshoot problems
at the WAN. It was not a NMS, only visual graphs using PHP and RRDtool in
one page showing IfOctets, IfDiscards, IfErrors, IfNUnicast and, in some
cases, BECN and FECN for frame relay.

some do, some don't. For example, sup720 snmp counters are updated every 9 seconds, while the "show interface" counters are updated every 30 seconds.

Nick

Good to know. It's such difficult information to find in documentation.

I should have wrapped up that statement with a ymmv. Because probably, your mileage will vary.

Nick

That is most certainly NOT true. The 'show interface' counters update at least once a second. Perhaps you are thinking about the rate counters that are often _configured_ to use the last 30 seconds of data to compute the average but also update much more often than every 30 seconds (and default to a 5 minute average).

You're correct that I'm mistaken. It's 9 second updates for both snmp and the interface (packets / bytes) counters, at least on 6700 cards / SXI. Are you getting different measurements?

Nick

No, I have no evidence that it updates more frequently than 9 seconds.

Well, on the RSP720, the "show interface" byte counters are definitely not
every second, though I can't say it's been as long as 9 seconds. I
typically look at them while making changes and they definitely stand still
for a few seconds.

Frank

I didn't think it was true either...but after reading Nick's message I checked a X6408A interface on one of our sup720's running "relatively" recent code (SXI1), and there definitely is some time between updates both the packet counters and the time averaged rates.

Just repeating the command and looking at my watch, I'd say Nick is right. It's easy to test yourself. Pick an int, and repeat "sh int <int name> | inc packets". The numbers really don't change but every 9 seconds or so. Same goes for the avg numbers...mine are set to 30 sec load interval, and they only change every ~9 seconds.

This does vary by platform. 3550 switches and 7200 routers both seem to update the counters about 1/s. Maybe the delayed updates are just a 6500 thing.

Does "service counters max age" help in any way?
According to Cisco, setting it too low might upset the snmp counters.

The "Usage Guidelines" are instructive. :)

Although the update interval defaults to 5 seconds, it still appears to update every 9 seconds on my boxes.

Nick

There is also CSCsg23226 which might be related.

Distributed platforms take longer to update counters by default. The old 7500 was really fun in how it handled counters between VIP and RSP. I've always seen it around 15s, not 30, though. You will also see this on any of the virtual chassis switches when referencing any interface that is not the current master switch. The 6500 is uniform with all interfaces (and roughly looked like 10s update with current code level).

Jack

Take a look at WANGuard Flow
(http://www.andrisoft.com/software/netflow-traffic-monitoring). It builds
traffic graphs with a configured granularity of 5 seconds and emails alarms
when traffic thresholds are reached. It only needs Netflow.

Show interface rate counters are not even truly an average computed using
the last 30 seconds of data. It is indicated as an exponential time-weighted
(moving), where data is gathered every 5 seconds. Meaning every update time,
a new value is calculated, by using three datapoints, the previous value of
the average, and a calculation based on the change over the past 5 seconds
(Current - Previous value).

    Avg(N) = exp(1/W) * (CurrentOctets - PreviousOctets) + (1 - exp(1/W) * Avg(N-1))

Where 'W' is computed based on the "time interval" averaged over.

Routers or sniffers can aggregate that data, but a NMS that gathered every 5s
using SNMP would not scale very well, and TELNET/CLI would not work for that
either; for that, you would need to use a different protocol, probably would
need to be a new one designed for 5 second accurate timestamped readings.

SNMP ifMib readings are not accurately timestamped, and you would encounter
measurement errors.

Asking a device about one particular statistic about one interface every 5
seconds isn't much trouble. If you have a router with 100 interfaces, and
your NMS needs to query each interface every 5 seconds, you have 100 / 5 = 20
interfaces to query per second. Imagine how many packets you have to send if
you have 100 devices with 5 interfaces, and you want to track 4 statistics
for every interface 12 times per minute.

2000 queries every 5 seconds. You need some serious hardware to handle that
on your routers and your NMS, which has 400 values to save per second,
assuming your NMS perfectly distributes query load, and responses are never
delayed (not likely).
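
Added example, not part of any post in this thread: a Python sketch of two effects discussed above, polling every 5 seconds a counter that the device refreshes only every 9 seconds, and the lag of an exponentially weighted rate display. The steady 8 Mbit/s load, the function names and the conventional weight exp(-5/W) are assumptions chosen for illustration, not the exact expression quoted in the post.

```python
import math

def stale_counter(t, rate_bps, update_every):
    """Octet counter as exposed by the device: it only moves at update ticks."""
    last_update = (t // update_every) * update_every
    return (rate_bps // 8) * last_update

def polled_rates(duration, poll_every, update_every, rate_bps):
    """Bit/s values an NMS derives from counter deltas between polls."""
    rates = []
    prev = stale_counter(0, rate_bps, update_every)
    for t in range(poll_every, duration + 1, poll_every):
        cur = stale_counter(t, rate_bps, update_every)
        rates.append((cur - prev) * 8 // poll_every)
        prev = cur
    return rates

def ewma_rates(samples_bps, load_interval, step=5):
    """Smoothed rate: each step blends the new sample into the old average."""
    w = math.exp(-step / load_interval)  # assumed weight, see lead-in
    avg, out = 0.0, []
    for s in samples_bps:
        avg = w * avg + (1 - w) * s
        out.append(avg)
    return out

if __name__ == "__main__":
    LINK_BPS = 8_000_000  # constructed: steady 8 Mbit/s of real traffic
    print("5 s poll, 9 s refresh:", polled_rates(45, 5, 9, LINK_BPS))
    print("5 s poll, 1 s refresh:", polled_rates(45, 5, 1, LINK_BPS))
    print("10 s poll, 9 s refresh:", polled_rates(90, 10, 9, LINK_BPS))
    smoothed = ewma_rates([LINK_BPS] * 12, load_interval=30)
    print("30 s load interval after 30 s:", round(smoothed[5]))
```

With steady traffic, the 5-second poller alternates between 0 and 14.4 Mbit/s, so a low-or-high threshold alarm fires on readings that reflect counter refresh timing rather than the link.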