Topology mapping for SDN OpenFlow networks with Nectus

Nectus can monitor OpenFlow-capable devices in the same way as non-OpenFlow devices.
In this article we show how Nectus discovers and monitors switches that are SDN OpenFlow ready.
We will use the following sample topology for the demonstration: a Floodlight OpenFlow controller and three OpenFlow switches.

Network Engineer Toolset in Nectus NMS

Under the Tools menu there are quite a few tools that help the operator understand the network better, troubleshoot it, and gather information from devices.
These are the options:

Syslog server functionality in Nectus NMS

This post covers the syslog server functionality of Nectus network monitoring software.
As with any modern network monitoring software, Nectus can receive and store syslog messages from routers, switches or servers.
Syslog messages can be accessed from the top menu "Logs".

Meltdown and Spectre bugs in simple words.

All modern processors rely on a very important feature called "speculative execution": instead of waiting to find out which instruction really comes next (for example, which way a branch goes, or whether a memory access will be permitted), the CPU guesses and starts executing down the predicted path right away.

Those guesses are called speculative branches. If the prediction was right, the CPU has gained time; if it was wrong, the results are discarded and execution resumes on the correct path. The catch is that "discarded" applies only to the architectural state (registers and memory). Side effects such as which data was pulled into the CPU cache remain for some time, and they can be measured afterwards with careful timing.

Protection checks are enforced for the path that actually commits, but the speculative path may already have touched data it should never have been allowed to read. Meltdown exploits this with privileged memory: kernel data is read from user space before the permission fault takes effect. Spectre exploits it by training the branch predictor so that a victim's own code speculatively reads out of bounds and leaves the value behind in the cache. Good intentions cause harm.

View routing tables in Nectus GUI

One of the latest features, added this week, is the "Routing Table" view in the device context menu.

Will SDN kill CLI?

Trust me. CLI is not going anywhere. CLI is the only way to troubleshoot SDN.
There will be plenty of new CLI commands to “show” flow tables logic, operation
and debug communications between data plane and controller.

I would say the importance of CLI is even greater in SDN, as you now have
to observe the operation between control plane and data plane which previously "just worked".

CLI is here to stay; it is just going to be used mostly for monitoring rather than configuration.

Monitoring of OpenFlow SDN networks

So.. you upgraded your network from legacy dedicated hardware to OpenFlow based SDN, laid off all of your network engineers who know CLI and ask yourself a question: How do I monitor my SDN now?

How do I pull a power supply status or CPU temperature? How to read TCAM utilization level? How to see an SFP status or number of CRC errors?

If we look at the OpenFlow specification, it defines the communication protocol between the OpenFlow controller (control plane) and the OpenFlow switch (data plane) and goes into detail on flow creation and management. It does expose datapath counters: per-port statistics (packets, bytes, drops, errors, including receive CRC errors), per-flow and per-table counters, and port up/down status messages. What it says nothing about is platform health. There is no OpenFlow message for power supply status, CPU temperature, fan speed, SFP/optic readings or hardware TCAM occupancy (table statistics give you active entries per table, not the TCAM utilization of the ASIC behind it).

Access to the operational monitoring features we love so much is therefore not part of the OpenFlow specification and will not come from the SDN controller. Old and proven SNMP-based monitoring of the switch's management plane is likely to remain the primary way to monitor your data plane hardware, as it was with legacy dedicated gear, unless the OpenFlow specs are extended with new monitoring specifications.

Download the best SDN monitoring tool

Building Dynamic Interactive Network Diagrams

This post covers how Nectus dynamically builds topologies and how you can check various performance statistics.
Nectus can automatically build L2 and L3 topologies from the discovered devices.
Additionally, it allows the administrator to create custom topologies by dragging the required devices onto the map.

Configuration Backup and Change Tracking in Nectus

This post covers the configuration backup and change tracking features available in Nectus.
Nectus can back up the configuration of the discovered devices, both on a schedule and manually.
Nectus comes with default settings for configuration backup; for the others, administrator input is required.
This is the configuration backup settings menu:

Multiple tabs on the menu let you specify parameters such as what to back up and how long to keep each configuration backup:

Or how often and when the automatic backup should happen:

The next two tabs are for telnet protocol configuration:

And ssh protocol configuration:

The remaining two tabs allow the administrator to use custom scripts for the backup (for instance, if you want to perform a partial backup).
Nectus must log in to the device with a username/password combination that is valid on that device, so the credential that exists on the device has to be entered in Nectus.
Prefer SSH over telnet here: telnet carries that credential, and the entire configuration that follows it, in cleartext across the network.
This is where you set it up:

And these are the input values required

Once this is done, you can back up the configuration per device, per group of devices (vendor, platform, model) or for all devices.
This is how you back up a group of devices, which in this case is the same as backing up all devices (there are only Cisco devices in the topology):

From the inventory menu you can see the successful backups and the failed ones.
If a backup failed, it looks like this:

You can see the reason it failed, which in this case is that Nectus could not establish a telnet or SSH connection to the device:

If the backup is successful, the device configuration should show up:

Clicking on any of the files, you will see the configuration of the device at the time configuration backup was triggered:

Each device context menu has a configuration backup section where you can perform various actions:

You can backup the configuration, view the running configuration:

Or you can view the archive of all the device backups:

Further on, you can compare two backup files to see what has changed.
They do not need to be consecutive backups. Here, "auto-cost reference-bandwidth" was configured on the device:

Another useful feature is change tracking, which shows the changes between two consecutive backups.
You select the newer backup and Nectus shows what has changed since the previous backup was taken:

If there are backups that were taken before Nectus was deployed and you would like to see the changes between those configurations and the ones taken by Nectus,
you can compare the Nectus backups with external files. You can even compare two external configuration backups with the help of Nectus.
Bear in mind that a backup archive is a copy of every secret in the running configuration (type 7 passwords, SNMP community strings, pre-shared keys), so restrict access to it as tightly as to the devices themselves.
Another useful feature related to configuration backup is the report that tracks devices whose configuration was not saved after the last change.

You can trigger this report like this:

You can specify if you want to send the report to an email address and if you also want to keep this report for auditing purposes:

And the report looks like this:

Keep in mind that the times you see in the report are device uptime values, not wall-clock times: the device records when the running configuration last changed and when it was last saved as uptime counters. In the example above,
the configuration was last saved when the router had an uptime of 1h47m
and the last configuration change was made when the router had an uptime of 1h50m, so that change is not yet saved.
That is pretty much all about configuration backup and change tracking in Nectus, and how it helps you save your configurations and see
what has changed from one backup to the next, or to any other backup.
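
As an added example (not Nectus code), here is the logic behind the two checks described above: comparing two backups for changed lines, and flagging a device whose running configuration changed after it was last saved. The backup texts are constructed; the two CISCO-CONFIG-MAN-MIB objects are the standard ones an NMS polls for the "last changed" and "last saved" uptimes, and how Nectus itself obtains those values is an assumption here.

```python
import difflib

# CISCO-CONFIG-MAN-MIB objects an NMS polls to find unsaved changes. Both are
# TimeTicks (hundredths of a second of device uptime), which is why the report
# shows uptimes rather than wall-clock times.
CCM_RUNNING_LAST_CHANGED = "1.3.6.1.4.1.9.9.43.1.1.1.0"
CCM_RUNNING_LAST_SAVED = "1.3.6.1.4.1.9.9.43.1.1.2.0"

# Header lines IOS rewrites on every "show run"; left in, every pair of
# backups would look different.
VOLATILE_PREFIXES = (
    "! Last configuration change",
    "! NVRAM config last updated",
    "! No configuration change since",
    "ntp clock-period",
)


def normalize(config_text):
    """Drop blank lines, trailing whitespace and the volatile header lines."""
    return [
        line.rstrip()
        for line in config_text.splitlines()
        if line.strip() and not line.startswith(VOLATILE_PREFIXES)
    ]


def config_diff(old, new, old_name="backup-1", new_name="backup-2"):
    """Unified diff between two backups, as a list of lines."""
    return list(difflib.unified_diff(normalize(old), normalize(new),
                                     old_name, new_name, lineterm="", n=1))


def changed_lines(old, new):
    """(added, removed) configuration lines, ignoring the diff's own headers."""
    diff = config_diff(old, new)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff if l.startswith("-") and not l.startswith("---")]
    return added, removed


def ticks_to_uptime(ticks):
    """Render TimeTicks the way the report does, e.g. 642000 -> '1h47m'."""
    seconds = ticks // 100
    return f"{seconds // 3600}h{(seconds % 3600) // 60:02d}m"


def has_unsaved_changes(last_changed_ticks, last_saved_ticks):
    """True when running-config changed after it was last written to startup-config.
    Caveat: TimeTicks wrap at 2**32 (about 497 days of uptime); poll sysUpTime
    alongside and treat a counter that went backwards as a wrap or reboot."""
    return last_changed_ticks > last_saved_ticks


# Constructed backups (not real device output); the second one adds the
# auto-cost reference-bandwidth line mentioned in the post.
OLD_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Mar 5 2018
hostname core-rtr-1
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.255.255 area 0
"""
NEW_CONFIG = """\
! Last configuration change at 10:05:40 UTC Mon Mar 5 2018
hostname core-rtr-1
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
router ospf 1
 router-id 10.0.0.1
 auto-cost reference-bandwidth 10000
 network 10.0.0.0 0.0.255.255 area 0
"""

if __name__ == "__main__":
    print("\n".join(config_diff(OLD_CONFIG, NEW_CONFIG)))
    changed, saved = 660000, 642000          # 1h50m and 1h47m of uptime
    if has_unsaved_changes(changed, saved):
        print(f"unsaved change: modified at {ticks_to_uptime(changed)}, "
              f"last saved at {ticks_to_uptime(saved)}")
```

The volatile-line filter is the part worth tuning per platform: any line the device regenerates on its own (timestamps, clock-period, some certificate blobs) will otherwise show up as a "change" in every consecutive comparison and bury the real ones.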

NetFlow Reports Supported by Nectus

Here is the list of NetFlow reports currently supported by Nectus

Top Applications
Top Protocols
Top Source IP
Top Destination IP
Top Source + Destination IP pairs
Top Source BGP AS
Top Destination BGP AS
Top Source + Destination BGP Pairs

Call things what they are or First rule of good software tool

I am obsessed with names and naming conventions.
I may spend 10 min just thinking about what a good name for a BGP route policy is, taking into account all possible variations, alphabetic sorting rules, possible future changes, readability, etc.

I also never trust developers to come up with names for GUI elements, simply because they don't know the networking lingo.
Sometimes I force them to rename GUI elements 2-3 times until I feel that the title selected describes it best.

I try to find names for SQL columns that are most intuitive for people that will be using it 3-5 years from now.

If someone sees an SQL column with the name "timestamp", will it be easy to understand? What kind of timestamp is this? For what?

So I go and rename it to something like “flow start timestamp” to make it more human friendly.

It may take a bit more space in source code but it makes source code and GUI elements more human.
It makes source code more like a story that you can read and not having to decode. That is my universe and I stand on it.

I do it because I know first hand that most frustration with software is caused by developers who design tools from the developer's perspective and not the end user's.

But one day I met Agile and my universe was shattered in pieces. Scrum, Sprint, Story, Epic…

They even had to release a Vocabulary to translate those terms to plain English.

Am I the only person that hates it? I swore that we will never use Agile in our company.

We value our developers the same as we value Nectus users and will never make them use bad software tools.

Download best Network Monitoring tool that is Agile free

3-Click Rule

Nectus beats Solarwinds in pretty much any aspect: Speed, Usability, Size, Installation Time, Support.

We optimize every little function or procedure to perfection and rewrite it in assembly language if it is not good enough.

We develop custom stress-testing tools (such as our NetFlow generator) so we can push the Nectus KPI limits higher.

Our product is designed by CCIEs for CCIEs, and every single UI page is designed by an active network engineer who knows exactly how the information should be presented, because they use Nectus themselves every day.

We also have a three-click rule: any information the user wants must be available in no more than 3 clicks.
Nectus also doesn't have a user manual, because it does not need one.

Download your 60-day trial

SNMP v2 Loopholes

On every Nectus installation we have conducted, I noticed that on average around 10% of a company's network devices are configured with the well-known SNMP v2c community strings public/private.

This is as bad as using "cisco/cisco" as your SSH credentials. It is a major security loophole: even the read-only string "public" gives a potential attacker a complete view of the device's routing table, interface descriptions, interface IPs, device serial number and the list of CDP neighbours with their IPs. Remember too that v1/v2c community strings travel in cleartext in every packet, so anyone who can sniff a poll learns the "real" string as well.

It is fairly easy to discover these devices: add a secondary SNMP profile with the default strings to your favorite NMS and check whether the number of discovered devices suddenly jumps.

The problem is so widespread that we made discovery of these devices part of the standard Nectus network discovery routine.

SNMP v3 does not have this issue: it has far more parameters that must be configured, it authenticates every message, and it offers strong encryption (authPriv). Yet adoption of SNMP v3 remains low compared with v2c. One caveat: a v3 user with a guessable passphrase is still a weak credential, just one that is harder to stumble upon.
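
The discovery trick above (a second SNMP profile holding the default strings) boils down to sending a v2c GET with each well-known community and seeing who answers. The following added example, which is not part of the original post and not Nectus code, does exactly that with a hand-rolled SNMPv2c encoder, so you can also see the community string sitting in the packet as plain text. The 192.0.2.10 address, the fake_device responder and the "Constructed IOS router" sysDescr value are made up for the offline demo; udp_send_recv is the real transport you would pass instead for a lab device you are authorised to probe.

```python
import itertools
import socket

DEFAULT_COMMUNITIES = ("public", "private")   # the well-known defaults the post is about
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)     # sysDescr.0
SNMP_V2C = 1                                    # version field value for v2c
_request_ids = itertools.count(0x1000)


# --- minimal BER, enough for a v2c GetRequest / GetResponse ---------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(v):                                    # non-negative INTEGER, minimal length
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(oid):
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos=0):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _message(community, pdu_tag, request_id, varbinds):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    # The community is an OCTET STRING next to the version: no hashing, no encryption.
    return _tlv(0x30, _int(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id):
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))


def build_get_response(community, oid, request_id, value):
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value)))


def parse_response(packet):
    """Return (community, request_id, value) from a GetResponse; value is None on error."""
    _, msg, _ = _read_tlv(packet)
    _, _version, p = _read_tlv(msg)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu)
    _, err, p = _read_tlv(pdu, p)
    _, _err_index, p = _read_tlv(pdu, p)
    _, varbind_list, _ = _read_tlv(pdu, p)
    _, varbind, _ = _read_tlv(varbind_list)
    _, _oid_bytes, p = _read_tlv(varbind)
    vtag, value, _ = _read_tlv(varbind, p)
    ok = int.from_bytes(err, "big") == 0 and vtag == 0x04
    return community.decode(), int.from_bytes(rid, "big"), (value if ok else None)


def probe_default_communities(host, send_recv, communities=DEFAULT_COMMUNITIES):
    """Try each well-known community against host. send_recv(host, packet) returns
    the reply bytes or None on timeout. Returns {community: sysDescr} for hits."""
    hits = {}
    for community in communities:
        rid = next(_request_ids)
        reply = send_recv(host, build_get_request(community, SYS_DESCR_OID, rid))
        if reply is None:
            continue
        _, reply_id, value = parse_response(reply)
        if reply_id == rid and value is not None:      # ignore stray/late replies
            hits[community] = value.decode(errors="replace")
    return hits


def udp_send_recv(host, packet, port=161, timeout=1.0):
    """Real transport for a device you are allowed to test; unused by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


def fake_device(host, packet):
    """Constructed stand-in for a router left at factory settings: answers the
    default read-only community and, like a real agent, silently drops any other."""
    _, msg, _ = _read_tlv(packet)
    _, _version, p = _read_tlv(msg)
    _, community, p = _read_tlv(msg, p)
    _, pdu, _ = _read_tlv(msg, p)
    _, rid, _ = _read_tlv(pdu)
    if community != b"public":
        return None
    return build_get_response("public", SYS_DESCR_OID, int.from_bytes(rid, "big"),
                              b"Constructed IOS router, S/N FOX0000000")


if __name__ == "__main__":
    print(probe_default_communities("192.0.2.10", fake_device))
```

Run against a range you own and you get the same "sudden spike" the post describes, one host at a time; the request-id check matters on a busy network, where a late reply to an earlier probe could otherwise be credited to the wrong community.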

Nectus offer new way to see your network in real time

To keep good track of your network you need a diagram of your topology, so you know for sure where each device is located and what it is connected to, and so that when there is a failure it is easier to find the devices affected.

You can create your own topology and add each device manually, but that can take a lot of time depending on the size of your network, and every time a new device is added to the network you must add it to your topology by hand. Sounds like a lot of work.

Luckily, with Nectus this process can be avoided. Nectus can generate Layer 2 and Layer 3 topologies in one click, and if a new device is added to your network it is added to your topology automatically.

This is how your topology would look:

Once your topology is ready you can perform various actions to get live stats of your network's performance and usage, such as:

  • Show graphs of all basic metrics for each interface: utilization, errors, dropped packets, availability and traffic volume.

Here is an example of an interface utilization graph:

  • Show interface and device availability status. If an interface or device goes down, it generates an alarm sound and blinks red directly on the topology screen.

Here is how it would look if a device went down:

  • Interact with the topology via device and link context menus and generate reports directly from the topology GUI.

With just one click users can generate graphs to monitor a link's performance and show link info, as pictured below:

Users can see real-time performance graphs for each device on the network, show basic device info, ping a device from the browser, start an SSH session and generate Cisco SmartNet reports directly from the topology by right-clicking on any device.

This is an example of a latency graph for a single device:

Nectus offers a new way to create and keep your network topology up to date, making it live and interactive.

It keeps track of all performance metrics and displays them directly on the topology with real-time stats, making it easier and faster to detect a failure and correct it.

Download your 60-day evaluation

Proactive vs Reactive network monitoring with Nectus

Most enterprise-grade monitoring tools let you set predefined thresholds for specific monitored parameters such as interface utilization, RAM utilization or the percentage of free TCAM on switches. When a metric exceeds its threshold you receive an email alert, a text message, or a phone call from your manager. Those thresholds are usually tuned towards the high side to prevent false positives or to filter out short-lived events.

In any case the alert is sent after the critical condition has already occurred and the damage has been done. This approach is called reactive network monitoring, and it has its value. But what if you could get an alert before the critical condition actually happens? Nectus NMS is a pioneer of next-gen proactive monitoring, and in selected case studies it demonstrated an ability to forecast critical operational conditions up to one week in advance with 95% accuracy.

Nectus analyses the historical daily, weekly and monthly fluctuations of network operational metrics such as traffic volume and interface utilization and extrapolates them with polynomial curves over the next 7 days. This approach demonstrated 95% accuracy in predicting critical operational conditions for the next 7 days and 80% accuracy for the next 30 days.

The more time you have before operational conditions reach critical thresholds, the more options you have to fix them before they impact production.
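
To make the extrapolation concrete, this added example (not Nectus's own algorithm, whose polynomial degree and sampling are not stated on this page) fits a low-degree polynomial to a daily series by least squares and reports the first day within the horizon on which the fitted curve reaches the threshold. The utilization series is constructed; the degree, the one-sample-per-day spacing and the 7-day horizon are assumptions made for the example.

```python
def polyfit(xs, ys, degree):
    """Least-squares polynomial fit via the normal equations (pure Python, no
    numpy). Returns coefficients c[0..degree] for sum(c[k] * x**k)."""
    n = degree + 1
    ata = [[sum(x ** (i + j) for x in xs) for j in range(n)] for i in range(n)]
    aty = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(n)]
    # Gaussian elimination with partial pivoting on the (n x n) system.
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(ata[r][col]))
        ata[col], ata[pivot] = ata[pivot], ata[col]
        aty[col], aty[pivot] = aty[pivot], aty[col]
        for r in range(col + 1, n):
            factor = ata[r][col] / ata[col][col]
            for c in range(col, n):
                ata[r][c] -= factor * ata[col][c]
            aty[r] -= factor * aty[col]
    coef = [0.0] * n
    for i in range(n - 1, -1, -1):                 # back substitution
        coef[i] = (aty[i] - sum(ata[i][j] * coef[j] for j in range(i + 1, n))) / ata[i][i]
    return coef


def evaluate(coef, x):
    return sum(c * x ** k for k, c in enumerate(coef))


def days_until_threshold(history, threshold, horizon=7, degree=1):
    """history: one sample per day, oldest first. Returns the first day ahead
    (1..horizon) on which the fitted curve reaches threshold, or None."""
    xs = list(range(len(history)))
    coef = polyfit(xs, history, degree)
    last = len(history) - 1
    for day in range(1, horizon + 1):
        if evaluate(coef, last + day) >= threshold:
            return day
    return None


# Constructed two-week series: an uplink climbing 2% per day, 50% -> 76%.
SAMPLE_UTILIZATION = [50 + 2 * day for day in range(14)]

if __name__ == "__main__":
    days = days_until_threshold(SAMPLE_UTILIZATION, threshold=80)
    print("threshold reached in", days, "day(s)" if days else "not within horizon")
```

A practitioner's caveat: keep the degree at 1 or 2. A high-degree polynomial fits the history perfectly and then shoots off in either direction as soon as you step outside it, producing exactly the false alarms the thresholds were tuned to avoid.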

Download your 60-day evaluation copy of Nectus

Best practices for router interface description format

Implementing company-wide standards for interface description strings on routers and switches should be a top priority for every network engineer.

Well-defined, structured description strings help automate the most tedious manual steps associated with the deployment, configuration, monitoring and decommissioning of network connections. A network interface description should carry some of the following information elements, encoded with delimiter characters that make it easy for scripts and network management tools to parse and easy for the human eye to spot problems during troubleshooting sessions. Keep in mind that interface descriptions (ifAlias) are readable by anyone holding an SNMP read-only community for the device, so put nothing in them you would not want a stranger on the management network to read; the default-community problem described above makes this a real exposure.

Here is the sample naming format and structure that we normally recommend, and that is easily integrated with Nectus NMS parsing scripts.

  1. Link type. Example of a 3-character link type encoding: BBN – Backbone, TRL – Internet Transit, OOB – Out of Band, UPL – Uplink, DCI – DC Interconnect...
  2. Connected device name. Name of the remote device connected to this link.
  3. Status. T – Testing, D – Decommissioned, P – In Production
  4. Telco provider's name: LVL3, ATT, VRZ, ABN, TELIA, XO, etc.
  5. Telco circuit ID
  6. Phone number to call in case of an outage.

Usage example (elements separated by "#"; this example omits the connected device name):

interface TenGigabitEthernet 1/5
 description DCI#P#ATT#T4/HCGS/831899/SC#1-800-456-5672
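
Since the whole point of the format is machine parsing, here is an added example (not the Nectus parsing script mentioned above) that parses and validates descriptions in this layout and audits a set of ifAlias values the way an NMS script would. The "#" separator follows the usage example; the rule that a five-field string simply omits the device name, the phone-number pattern and the sample interfaces are assumptions made for this example.

```python
import re

SEP = "#"
LINK_TYPES = {"BBN": "Backbone", "TRL": "Internet Transit", "OOB": "Out of Band",
              "UPL": "Uplink", "DCI": "DC Interconnect"}
STATUS_CODES = {"T": "Testing", "D": "Decommissioned", "P": "In Production"}
PHONE_RE = re.compile(r"\+?[0-9][0-9 -]{5,}[0-9]")     # assumed phone format


class DescriptionError(ValueError):
    """Raised for a description that does not follow the agreed format."""


def parse_description(desc):
    """Split a description into its elements. Assumption: fields are '#'-separated
    in the list's order, and a five-field string (like the post's own example)
    omits element 2, the connected device name."""
    fields = desc.split(SEP)
    if len(fields) == 6:
        link_type, device, status, provider, circuit_id, phone = fields
    elif len(fields) == 5:
        link_type, status, provider, circuit_id, phone = fields
        device = None
    else:
        raise DescriptionError(f"expected 5 or 6 '#'-separated fields: {desc!r}")
    if link_type not in LINK_TYPES:
        raise DescriptionError(f"unknown link type {link_type!r}")
    if status not in STATUS_CODES:
        raise DescriptionError(f"unknown status code {status!r}")
    if not provider or not circuit_id:
        raise DescriptionError("provider and circuit ID must not be empty")
    if not PHONE_RE.fullmatch(phone):
        raise DescriptionError(f"malformed phone number {phone!r}")
    return {"link_type": link_type, "device": device, "status": status,
            "provider": provider, "circuit_id": circuit_id, "phone": phone}


def build_description(link_type, status, provider, circuit_id, phone, device=None):
    """Inverse of parse_description, for generating configs from an inventory."""
    fields = [link_type, device, status, provider, circuit_id, phone]
    desc = SEP.join(f for f in fields if f is not None)
    parse_description(desc)          # refuse to emit something we cannot read back
    return desc


def audit_descriptions(interfaces):
    """interfaces: {ifName: ifAlias} as pulled from one device.
    Returns (ifName, problem) tuples an NMS could report."""
    problems = []
    for ifname, desc in interfaces.items():
        try:
            info = parse_description(desc)
        except DescriptionError as exc:
            problems.append((ifname, str(exc)))
            continue
        if info["status"] == "D":
            problems.append((ifname, "decommissioned circuit still configured"))
    return problems


# Constructed ifAlias values for the demo; the first is the post's own example.
SAMPLE_INTERFACES = {
    "TenGigabitEthernet1/5": "DCI#P#ATT#T4/HCGS/831899/SC#1-800-456-5672",
    "GigabitEthernet0/1": "UPL#core-sw-1#P#VRZ#VZ-12345#1-800-000-0000",
    "GigabitEthernet0/2": "Link to ISP",
    "GigabitEthernet0/3": "TRL#edge-rtr-2#D#LVL3#LV-98765#1-877-000-0000",
}

if __name__ == "__main__":
    for ifname, problem in audit_descriptions(SAMPLE_INTERFACES):
        print(f"{ifname}: {problem}")
```

The build function deliberately round-trips through the parser, so a script that generates descriptions from a circuit database can never write a string that the monitoring side will later reject; this is the cheapest place to catch a typo in a circuit ID before it reaches 500 devices.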

Manage all Telco circuits and circuit contracts with Nectus CircuitDB

We are proud to announce that our next Nectus release will include the most powerful and feature-rich telco circuit management platform available on the market today.

Nectus CircuitDB provides a central repository for all of your circuit contracts and sends reminders well before contract expiration so you can renegotiate better prices with your telco provider.

CircuitDB is fully integrated with the Nectus network discovery and monitoring module, which lets you map a circuit ID directly to a specific router interface and get real-time visibility of the circuit's UP/DOWN status.

Nectus can send email alerts directly to telco support when a specific circuit is down, or automatically open support cases on telco portals (with a selected number of telco providers).

Nectus CircuitDB can calculate circuit uptime from the monitoring statistics provided by the core Nectus NMS, to verify contracted SLAs.

Combined with automatic network topology generation that shows where a specific circuit is located, Nectus CircuitDB is a core tool for network engineers and procurement experts.

CircuitDB functionality added to Nectus NMS

CircuitDB gives you the ability to track all telco circuits (Internet, MPLS, T1 etc.), carrier contracts and cabinet/rack/patch panel information.

It supports configurable email alerts on approaching circuit contract renewal dates and integrates with real-time circuit monitoring.

Never pay for circuits that are not being used, and many more cool features.

Nectus Feature List ( Build 1.2.16)

Here is the most complete list of features available to Nectus customers (feature: comments):

Network Monitoring: ICMP, SNMP v2c and v3
Network Discovery: 1200+ platforms
NetFlow Collector: support for NetFlow v5, v9 and IPFIX
Command Scripting: automate config changes to routers and switches
Configuration Backup: configuration backup for routers and switches
Basic Server Monitoring: SNMP and WMI
SQL Server Monitoring: 50+ SQL-related metrics
Network Topology Visualization: automatic L2 and L3 topology generation
Syslog Server: store an unlimited number of syslog messages
SNMP Traps: process incoming SNMP traps
GSM-based Alerting: receive alert notifications directly on your cell phone
Email-based Alerting: receive alert notifications by email
URL Monitoring: monitor UP/DOWN status and latency for any URL
Configuration Diffs: easily find differences in configs before and after a change
L3 Traffic Path Visualization: see how a packet travels from A to B
MAC Address Search: easily find a MAC address in your network
Web-based SNMP Walk Utility
Web-based Ping Plotter: up to 10 IP addresses
Web-based SSH Client: SSH to any device from your browser
LDAP Integration
Custom Dashboards
SmartNet Verification for any device
Multiple SNMP Profiles: support for different SNMP parameters

Challenges with deploying SNMP v3 based monitoring tools in diverse environments

One of the biggest challenges with SNMP v3 deployments in diverse environments is the lack of consensus among hardware manufacturers on which set of privacy ciphers has to be supported in a standard SNMP v3 stack. Even Cisco was unable to unify the list of supported v3 ciphers across its product lines (ASA vs NX-OS vs IOS-XR).

Partly this was caused by the lack of an RFC defining AES-192 and AES-256 for SNMP v3 (RFC 3826 standardised AES-128 only), which did not stop top-tier hardware vendors from implementing those ciphers internally, and partly by the slow v3 adoption rate, which put very little pressure on vendors. The practical consequence of the missing standard is that the competing Internet-Drafts for AES-192/256 extend the localized key in different ways, so two devices that both claim "AES-256" may not interoperate with the same monitoring profile; this is why some tools list a separate Cisco-style AES-256 option. When you do have a choice, prefer SHA-based authentication (SHA-2 variants per RFC 7860) and AES over MD5 and DES, which remain only for compatibility.

In any case it is very unlikely that you will be able to pick a single set of SNMP v3 authentication/encryption parameters that is supported on all devices in a good-sized enterprise network. You end up having to use and support different ciphers on different devices and, most importantly, your network monitoring tool must support multiple SNMP profiles based on device type. The tool has to discover which SNMP profile is compatible with each device, "remember" it, and use only the compatible parameters when communicating with that device.

Nectus is the only tool built from the ground up with support for device-specific SNMP profiles, and it uses patented discovery logic that matches a compatible SNMP profile to each device in under a second. Nectus supports up to 1000 SNMP profiles and is used by multiple customers with 10K+ routers.

60 days Nectus Trial