Network Failure and Tools

Week 3, Chapter 3, Troubleshooting Device Performance

Week 3 Discussion: “Network Failure and Tools” Please respond to the following:

According to the text, a key element of a proactive network management strategy is fault notification. As a network engineer, determine the key individuals whom you should notify in the occurrence of a network event. Next, analyze the manner in which syslog and Simple Network Management Protocol (SNMP) can assist in the notification process. Determine when you would suggest using one protocol over the other. Include one (1) example or scenario that demonstrates the use of such protocol to support your response.

Analyze the tools used to conduct a baseline assessment (e.g., SNMP, RMON, NBAR, and the IP SLA). Select the tool that you believe is the most useful in creating a baseline assessment. Provide one (1) example of using the tool that you selected to support your response.

Week 3 Discussion Response:

“Network Failure and Tools”: As a network engineer, who understands a key element of a proactive network management strategy is fault notification, the key individuals whom you should notify in the occurrence of a network event are the support group, but not through user reports or complaints. Since syslog is a simple protocol used by an IP device (syslog client) to send text-based log messages to another IP device (syslog server), syslog assists in the notification process by allowing messages to be forwarded across the network to a central log server that collects and stores the message from all the devices. Since Simple Network Management Protocol (SNMP) allows an agent running on a network device to be queried by an SNMP manager for various matters, including configuration settings, counters, and statistics, SNMP assists in the notification process by configuring the agent to send messages to the SNMP manager based on the occurrence of events, such as an interface going down or device configuration change. Syslog is a simple protocol with a basic form of event notification and collection that forces the network support team to be notified of significant events although advanced mechanisms are available to notify network support of significant events. Syslog messages can be seen when logged into a switch interface (console) and an event occurs, for example.

*Apr 12 08:45:55.278: %LINK-5-CHANGED: Interface FastEthernet1/0/1, changed state to administratively down

SNMP messages (traps) must always be processed by a network management system that can interpret the information contained in the trap and therefore are a reactive process most often used to monitor specific statuses such as verifying the status of fastethernet1/0/0. Both syslog messages and SNMP traps use predefined messages that are in Cisco IOS software that allow most organizations' fault-notification needs to be fulfilled. When an organization's fault-notification needs fall outside the standard Cisco IOS message capabilities of syslog or SNMP, Embedded Event Manager (EEM) can be utilized to define custom events.

By setting a network performance baseline, network administrators can define what is normal for enterprise networks and identify patterns that indicate signs of trouble down the road. Network performance baselines also enable network managers to plan for growth. SNMP uses a pull model to collect device statistics. NetFlow uses a push model to collect detailed information about traffic flows (statistics). RMON (Remote Network Monitoring) is an extension of SNMP. The current version, RMON2, was developed to monitor all OSI layers and has more data collection responsibilities, reduced SNMP traffic load, and information is only transmitted to the management application instead of continuous polling. RMON was designed for flow-based monitoring, where SNMP is device-based, making RMON traffic statistics based like NetFlow and SFlow. SFlow can be configured at the global level or for specific ports and VLANs and is designed to enable the precise monitoring of interfaces at higher speeds. One disadvantage of RMON is it requires more resources because it handles more management responsibilities. NBAR (Network Based Application Recognition) performs deep packet inspection. NBAR is useful in dealing with malicious software by dedicating known ports as fake; therefore, it is often used for quality of service and security. IP SLA (Service Level Agreements) is an active monitoring method that reports network performance in real time. IP SLA will generate and actively monitor traffic continuously across the network and provide the ability to monitor a traffic path to a destination while also confirming that a particular web server is accepting connections, but you need an SNMP agent to poll the IP SLA router to perform the function. Since the purpose of a baseline assessment is to identify patterns that indicate signs of network trouble, I do not believe one of these tools is more useful than another in creating a baseline assessment. Each tool has a specific purpose that makes it more or less useful in acquiring specific information.

Principal component analysis (PCA) is a statistical procedure that uses an orthogonal transformation to convert a set of observations of possibly correlated variables into a set of values of linearly uncorrelated variables called principal components (or sometimes, principal modes of variation). PCA is mostly used as a tool in exploratory data analysis and for making predictive models. It’s often used to visualize genetic distance and relatedness between populations. PCA can be done by eigenvalue decomposition of a data covariance (or correlation) matrix or singular value decomposition of a data matrix, usually after mean centering (and normalizing or using Z-scores) the data matrix for each attribute.[4] The results of a PCA are usually discussed in terms of component scores, sometimes called factor scores (the transformed variable values corresponding to a particular data point), and loadings (the weight by which each standardized original variable should be multiplied to get the component score).[5]

PCA is the simplest of the true eigenvector-based multivariate analyses. Often, its operation can be thought of as revealing the internal structure of the data in a way that best explains the variance in the data. If a multivariate dataset is visualised as a set of coordinates in a high-dimensional data space (1 axis per variable), PCA can supply the user with a lower-dimensional picture, a projection of this object when viewed from its most informative viewpoint. This is done by using only the first few principal components so that the dimensionality of the transformed data is reduced.

PCA is closely related to factor analysis. Factor analysis typically incorporates more domain specific assumptions about the underlying structure and solves eigenvectors of a slightly different matrix.

PCA is also related to canonical correlation analysis (CCA). CCA defines coordinate systems that optimally describe the cross-covariance between two datasets while PCA defines a new orthogonal coordinate system that optimally describes variance in a single dataset.

A key element of a proactive network management strategy is fault notification. When a significant event such as a failure or intrusion happens on a network, the support group should not be notified of it through user reports or complaints. It is best if network devices report that event to a central system and the support group becomes aware of the issue before problems associated with the event are noticed and reported by users. In addition to learning about the event earlier, the support group will also have the advantage of getting a report of the underlying event rather than a mere description of symptoms. Two popular protocols that are used for this purpose are syslog and SNMP. In addition, the EEM feature in Cisco IOS provides an advanced method to create custom events and define actions to be taken in response to those events.

Syslog is a simple protocol used by an IP device (syslog client) to send text-based log messages to another IP device (syslog server). The syslog protocol allows these messages to be forwarded across the network to a central log server that collects and stores the message from all the devices. By itself, this constitutes only a very basic form of event notification and collection, but the network support team must be notified of significant events. Fortunately, syslog capabilities are included as a component of many network management systems, and these systems often include advanced mechanisms to notify network support engineers of significant events.
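The notification step that a central log server leaves open can be sketched as follows. This is an added example, not part of the original text: it parses Cisco IOS messages of the form `%FACILITY-SEVERITY-MNEMONIC: text` and decides which ones should reach the support group. The threshold, the watchlist, and every sample line except the first are assumptions constructed for illustration.

```python
import re

# Cisco IOS severity names; index = numeric level (0 is the most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Body of an IOS message: %FACILITY-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

# Assumption: events worth a notification even though IOS rates them only
# "notifications" (5), such as a device configuration change.
WATCHLIST = {("SYS", "CONFIG_I")}

# Constructed sample; only the first line is taken from the page.
SAMPLE = [
    "*Apr 12 08:45:55.278: %LINK-5-CHANGED: Interface FastEthernet1/0/1, changed state to administratively down",
    "*Apr 12 08:46:01.112: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down",
    "*Apr 12 08:46:02.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down",
    "*Apr 12 08:47:10.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "*Apr 12 08:48:30.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77]",
    "truncated line with no message code",
]

def parse(line):
    """Return the fields of one IOS syslog line, or None if it has no message code."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"], "severity": sev, "level": LEVELS[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}

def triage(lines, threshold=4):
    """Split lines into (notify, store_only, unparsed) for the support group."""
    notify, store_only, unparsed = [], [], []
    for line in lines:
        msg = parse(line)
        if msg is None:
            unparsed.append(line)  # keep for review; silent drops hide collection gaps
        elif msg["severity"] <= threshold or (msg["facility"], msg["mnemonic"]) in WATCHLIST:
            notify.append(msg)
        else:
            store_only.append(msg)
    return notify, store_only, unparsed

if __name__ == "__main__":
    notify, store_only, unparsed = triage(SAMPLE)
    for msg in notify:
        print(f"NOTIFY {msg['facility']}-{msg['severity']}-{msg['mnemonic']} ({msg['level']}): {msg['text']}")
    print(f"stored only: {len(store_only)}, unparsed: {len(unparsed)}")
```

A severity threshold alone would store the configuration-change message without alerting anyone, which is why the watchlist is checked separately.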

SNMP allows an agent running on a network device to be queried by an SNMP manager for various matters, including configuration settings, counters, and statistics. In addition to responding to polling, the agent can be configured to send messages to the SNMP manager based on the occurrence of events, such as an interface going down or device configuration change. The messages, called traps, do not contain user-readable text, but instead include SNMP MIB objects and the associated variables; therefore, traps must always be processed by an SNMP-based network management system that can interpret and process the MIB object information contained in the trap.
