Official blog of WebEKM EKM, expect the site online soon.


Network Monitoring and Protocols: NetFlow, sFlow, IPFIX, SNMP, NBAR, SPAN, RSPAN

Every network has to be measurable. This means having a view of the processes and incidents that take place in the network. You have to be aware of what happens, and why, in the network that you administer. There are a couple of protocols that help us deal with this issue.




NetFlow – a Cisco proprietary protocol. An administrator gets information about packet flows based on source and destination IP address, source and destination ports, source interface, type of service and IP protocol. NetFlow is more accurate than sFlow but consumes more resources (CPU and RAM). Unlike sFlow, NetFlow takes the entire traffic into consideration, every packet and not only samples, which makes it more accurate and precise. NetFlow works on layers 2, 3 and 4.

sFlow – unlike NetFlow, uses only sampling, which means it takes a sample of the flow, so it may happen that you will not get all the information about traffic saturation or threats that you would like to get. But if you deal with a large amount of data that is being sent or received continuously, sFlow may be a better solution than NetFlow. Sampling takes place in 2 ways: random sampling of packets and time-based sampling.

IPFIX – a protocol that evolved from NetFlow v9 and is very similar to it. The difference is that it is an open standard, so it sends the collector additional information about the manufacturer, which is what SNMP usually does.

SNMP – All the protocols above deal with investigating the traffic flow. SNMP collects detailed information about the resources of network devices. Of course, thanks to SNMP we may discover traffic congestion on a port if we set the probe on the interface, but for traffic analysis NetFlow will work much better. So thanks to SNMP we may investigate CPU or RAM load, component temperature etc., depending on the sensors installed on the devices in our network.

NBAR – Network-Based Application Recognition. As I mentioned before, NetFlow works on layers 2, 3 and 4. Sometimes that may not be enough, but we have NBAR, which works on layers 5, 6 and 7 as well and does deep packet inspection. Thanks to this we may find out what applications and protocols are being used by users in our network: P2P software, Skype, FTP etc. The newest version, namely NBAR2, can recognize 1500 protocols.

So far I have talked about protocols that help us investigate the network based on the flow of packets or on sensors in devices. All these solutions are based on agents and collectors or SNMP managers. But what if we would like to sniff every packet that hits a network interface? Is there any way to redirect traffic from a given interface to another interface? Or even to a different switchport in a different network?
The solutions are called SPAN and RSPAN.

SPAN stands for switch port analyzer and lets us redirect traffic from a port or VLAN to a different interface. The traffic may be redirected to Wireshark, an IDS or an IPS. We may intercept workstations and IP phones in both directions. The source interface may be a plain switchport, trunk port, EtherChannel, routed port or access port.
The overview of SPAN looks like this:

[Figure: SPAN overview]


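The configuration is straightforward in the case of SPAN:
! traffic on fa0/0 is the source to be mirrored
monitor session 1 source interface fa0/0
! the analyzer (Wireshark, IDS or IPS) is attached to fa0/1
monitor session 1 destination interface fa0/1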

The overview of RSPAN looks like this:

[Figure: RSPAN overview]


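The configuration of RSPAN:

SW1

! VLAN 10 carries the mirrored traffic between the switches
VLAN 10
remote-span
! mirror fa0/0 into the RSPAN VLAN
monitor session 1 source interface fa0/0
monitor session 1 destination remote VLAN 10

SW2

VLAN 10
remote-span
! take the mirrored traffic from the RSPAN VLAN and send it to the analyzer on fa0/0
monitor session 1 source remote VLAN 10
monitor session 1 destination interface fa0/0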
