Over the past few years I have worked on networks of all shapes and sizes in many parts of the world. My main interest is in finding the optimum way of monitoring network activity, without the need for agents or client software on servers and PCs. Many options exist for monitoring networks but the primary ones are:
- Deep packet inspection (DPI) of network packets
- SNMP monitoring
- Flow statistics from network devices
All of these monitoring techniques have their positives and negatives. DPI requires a physical connection: all modern managed switches have port mirroring capabilities, so you just need to plug a network cable into the switch of interest. Port mirroring in my opinion provides the richest source of information on your network. With the right tools you can get information at most levels of the OSI model. While on the topic of the OSI model, Josh Stephens has a few interesting posts on the OSI model over at his Ethergeek blog.
Where it is available, SNMP requires standardization of community strings and passwords on network devices. There are many applications out there that use SNMP as a method for gathering network usage information. The best ones will include mapping, alerting and reporting features. Most install on Windows: you download, perform a network discovery, do some tuning and you're up and running. However, they sometimes lack the detail that's needed to find out what is actually happening on a network.
Flow statistics are normally available from layer 3 network devices, i.e. anything that makes a decision about routing packets between networks. You can also download applications that convert port mirroring traffic to flows, which gets around the issue where flow statistics are not available from network switches. You don't need to do any cabling to get the data, as it's sent over the network to a collector. Many collectors exist which can process this data and most are based on Windows platforms. However, in most cases the data being sent back is only a summary of what is happening.
An analogy I often use when describing flow data is that it's very similar to your phone bill. You get a record of each conversation together with how much each cost and a total at the end. But your phone bill does not go into much detail as to what each conversation was actually about. Similarly, flow data gives you a record of conversations on your network together with byte counts. Even with packet content sampling you will lack visibility as to what is being moved around your network, and that visibility is exactly what's required when you have a need for advanced monitoring, intrusion detection, troubleshooting or user forensics.
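To make the phone-bill analogy concrete, here is an added example (not from the original post) that runs a handful of constructed packets through a minimal flow aggregator and, beside it, a minimal DPI request extractor. The packet records, addresses and payloads are all constructed for the example; the two client requests are deliberately the same length so that their flow records come out identical.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, str, int, int]  # protocol, src IP, dst IP, src port, dst port

# Constructed packets: two hosts fetch different files from the same web server.
# Both requests are exactly 44 bytes and both responses 39 bytes on purpose.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.80", "sport": 51000, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.80", "dst": "10.0.0.5", "sport": 80, "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n<html>welcome</html>"},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.80", "sport": 52000, "dport": 80,
     "payload": b"GET /report.pdf HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.80", "dst": "10.0.0.9", "sport": 80, "dport": 52000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n%PDF-1.4\n" + b"\x00" * 11},
]


def flow_records(packets: List[dict]) -> Dict[FlowKey, dict]:
    """The 'phone bill': one record per 5-tuple with packet and byte counters.
    Payload content never reaches the record; only its length is added."""
    flows: Dict[FlowKey, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["proto"], p["src"], p["dst"], p["sport"], p["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(p["payload"])
    return dict(flows)


def dpi_requests(packets: List[dict]) -> List[Tuple[str, str]]:
    """What a DPI sensor on a mirror port can add: the actual HTTP request per client.
    Only the request line is parsed here; a real sensor decodes many protocols."""
    requests = []
    for p in packets:
        if p["dport"] == 80 and p["payload"].startswith(b"GET "):
            uri = p["payload"].split(b" ", 2)[1].decode()
            requests.append((p["src"], uri))
    return requests


if __name__ == "__main__":
    for key, counters in flow_records(PACKETS).items():
        print("flow", key, counters)          # the two client flows look identical
    for src, uri in dpi_requests(PACKETS):
        print("dpi ", src, "requested", uri)  # DPI tells them apart
```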
My preference for an ideal network monitoring solution is DPI at the core, backed up with SNMP statistics for alerting and mapping requirements. And this brings me to the title of this article, 'discovering your network core'. On larger networks the core is easy to define, as it will be based around two or more large switches which everything connects back to.
I often hear from network managers who manage small to medium size networks that they don't have a core and run everything from a stack of switches in the computer room. In a lot of cases this stack is the network core; in others one switch from the stack is the real core. If you want to identify what your network core is, or want to pick a good point on your network to set up port mirroring so that you can test DPI solutions, use this simple method. Trace back the internal interface of your firewall or whatever box/device gives you Internet access. The switch which you trace back to is probably your core, especially if you find that a number of your main servers also connect back to the same network switch.
I recently constructed a new garage and home office. During the construction phase I got an electrician to run two cat 5 cables from my house under the back garden to the new building. I have a DSL connection terminating within the house and the DSL router connects to a basic Cisco switch. This switch then connects a wireless access point, TV, media player and my two new Ethernet connections to my home office.
The managed switch in my case is my network core, as it is the nearest switch to my firewall (DSL router). It also connects all the other interesting devices, like the wireless access point. I have set up port mirroring on this switch and this data is sent to a traffic analysis system which does DPI. The result is that I can keep an eye on all network activity on my home network.
One other thing that you should be familiar with on your network is the root bridge. For all switches in a network to agree on a loop-free topology, a common frame of reference must exist. This reference point is called the root bridge. The root bridge is chosen by an election process among all connected switches. Each switch has a unique bridge ID that it uses to identify itself to other switches. For most networks the core switch should also be the root bridge. I once had an issue with a network where the root bridge was an access switch. It regularly rebooted and caused the network to lock up while spanning tree sorted itself out. I configured the core switch to be the root bridge and the problem was resolved.
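The election described above can be simulated to show why an access switch ends up as root and what the fix does. This is an added example, not from the original post: switch names, MAC addresses and the topology are constructed, the per-VLAN extended system ID is left out, and the "reboot" is modelled as the switch dropping out of one election and rejoining the next.

```python
from dataclasses import dataclass, replace
from typing import List

DEFAULT_PRIORITY = 32768  # 802.1D default; most switches let you set it in steps of 4096


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                          # base MAC address burned into the switch
    priority: int = DEFAULT_PRIORITY  # lower value = more preferred as root

    def bridge_id(self) -> int:
        """64-bit bridge ID: 16-bit priority field followed by the 48-bit MAC.
        With equal priorities the lowest MAC (often the oldest switch) wins."""
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(switches: List[Switch]) -> Switch:
    """The switch with the lowest bridge ID becomes the root bridge."""
    return min(switches, key=lambda s: s.bridge_id())


def root_changes(switches: List[Switch], flapping: str) -> int:
    """Count root-bridge changes while one switch reboots (up -> down -> up).
    Every change forces the whole network through a spanning-tree reconvergence."""
    without = [s for s in switches if s.name != flapping]
    roots = [elect_root(switches).name, elect_root(without).name, elect_root(switches).name]
    return sum(1 for a, b in zip(roots, roots[1:]) if a != b)


# Constructed network: the core's MAC is higher than access-1's, so with
# factory-default priorities the access switch wins the election.
CORE = Switch("core", "00:1b:54:aa:bb:cc")
DEFAULT_NETWORK = [
    CORE,
    Switch("access-1", "00:0a:41:11:22:33"),
    Switch("access-2", "00:1e:13:44:55:66"),
]

# The fix from the post: give the core a lower (better) priority so it always wins.
FIXED_NETWORK = [replace(CORE, priority=4096)] + DEFAULT_NETWORK[1:]

if __name__ == "__main__":
    for label, net in (("default", DEFAULT_NETWORK), ("fixed", FIXED_NETWORK)):
        print(f"{label}: root={elect_root(net).name}, "
              f"root changes when access-1 reboots={root_changes(net, 'access-1')}")
```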
Darragh
Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.