Category Archives: Systems Administration

Book review: Zabbix 1.8 Network Monitoring

Zabbix is a good Network Monitoring System, recently updated to version 1.8. The book I was pleased to review is an accessible guide that goes deep into its mechanisms and lets you discover its many features.

The book covers every aspect of Zabbix, from the installation process to distributed monitoring, with in-depth coverage of host monitoring techniques and the user notification system. Many practical examples and screenshots help the reader configure the system and have a fully working setup in a few minutes.

A whole chapter is dedicated to SNMP integration, with a good explanation of the protocol and very practical tips about the use of the Net-SNMP suite and MIBs. The author also included a good tutorial on setting up a trap handling procedure and binding the received traps to hosts.

Two more noteworthy chapters are about the use of templates and macros to simplify the Zabbix configuration, and about advanced monitoring, such as using external scripts or data already gathered by other systems.

If you plan to use Zabbix and you are starting from scratch, or even if you already use it but you want to deepen some aspects, I really suggest you have a look at this book! In the meantime, here you can find a sample chapter: Getting your first Notification (PDF).

My two pennies worth 😉

Details

Title: Zabbix 1.8 Network Monitoring
Language: English
Paperback: 428 pages [ 235mm x 191mm ]
Release Date: March 2010
ISBN: 184719768X
ISBN 13: 978-1-847197-68-9
Author(s): Rihards Olups
More info: Packt Publishing web site

NetFlow: installation and configuration of NFDUMP and NfSen on Debian

After the brief overview of the installation of flow-tools and FlowViewer, in this post I’d like to share my experience with the setup of a basic solution based on another pair of tools: NFDUMP and NfSen. As always in my posts, the starting point is a fresh Debian 5.0 setup.

UPDATE: you may be interested in FlowGraph too, a tool that lets you dynamically build graphs from previously collected NetFlow data and use them in a web-based front-end, adding details about Autonomous System Number holders, IPv4 and IPv6 prefixes, inet(6)num objects and netnames from RIPE Stat.

Read more …

NetFlow: weird TCP flags in FlowViewer and flow-print?

Working with FlowViewer and flow-print (from the flow-tools suite), if you filter some NetFlow data by TCP flags you may notice a weird behaviour, like the one in the following picture:

FlowViewer - TCP Flags

Here I applied a filter on TCP Flags = 27, but in the output the “Fl” (Flags) column reported 3! What’s up? Is 3 some kind of alias for 27? Is this a math puzzle? None of these!
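An added example, not code from the original post and not the post's explanation of the behaviour shown above: NetFlow v5/v9 records carry the TCP flags of a flow as a single byte, the OR of every flag seen on the flow's packets, and both numbers in the screenshot are such bytes. The Python below decodes and encodes that byte (bit positions as in RFC 793 and RFC 3168), flags the half-open "SYN but never ACK" flows that unanswered scans leave behind, and histograms a constructed list of flag values; the list itself is made up for the example.

```python
# Decode and encode the tcp_flags byte carried in NetFlow v5/v9 records.
# Added example, not from the original post. Bit values follow RFC 793 (FIN..URG)
# and RFC 3168 (ECE, CWR); a flow's value is the OR of every flag seen in the flow.

TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)
NAME_TO_BIT = {name: bit for bit, name in TCP_FLAG_BITS}


def decode_tcp_flags(value: int) -> list:
    """Names of the flags set in a one-byte tcp_flags value, low bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"tcp_flags must fit in one byte, got {value!r}")
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def encode_tcp_flags(names) -> int:
    """Inverse of decode_tcp_flags; an unknown flag name raises KeyError."""
    return sum(NAME_TO_BIT[n.upper()] for n in names)


def syn_only(value: int) -> bool:
    """True for flows that saw a SYN but never an ACK: the handshake never
    completed, which is what unanswered scans and half-open attempts look like."""
    return bool(value & 0x02) and not value & 0x10


def count_by_flags(values):
    """Histogram of decoded flag sets over a list of tcp_flags values."""
    counts = {}
    for v in values:
        label = "|".join(decode_tcp_flags(v)) or "none"
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for v in (27, 3, 2, 0x12):
        print(v, hex(v), decode_tcp_flags(v), "syn-only" if syn_only(v) else "")
    # Constructed sample of tcp_flags values as they might appear in a flow export.
    print(count_by_flags([27, 27, 3, 2, 2, 2, 0x1A]))
```

Read this way, 27 (0x1B) is FIN+SYN+PSH+ACK, a complete connection that carried data, while 3 is FIN+SYN with no ACK at all; whatever the tool is doing, the two values are not the same flag set.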

Read more …

NetFlow: how to install and configure flow-tools and FlowViewer on a fresh Debian setup

NetFlow is a very useful protocol for monitoring network traffic patterns. Many tools have been developed to collect and analyze NetFlow data; here I chose the flow-tools and FlowViewer packages, and I would like to show how to get them working on a fresh Debian 5.0 (Lenny) setup.

Read more …

Cisco CEF monitoring with SNMP and CISCO-CEF-MIB

Here I am, back from summer vacation, ready to update my little blog again! 🙂
I would like to talk about another Cisco SNMP MIB…

Starting from release 12.4(20)T, IOS offers a powerful tool to manage and monitor the performance of enterprise-class products: the SNMP CEF MIB.
CISCO-CEF-MIB is also available in large-scale Service Provider releases such as 12.2(33)SB, but 12.4(20)T is the first release to make it available on low- and mid-range products.

The CEF-MIB is quite big and covers many topics about CEF configuration, monitoring and management; in this post I will talk about a small, specific branch of this MIB, the one about stats collection, and how to use it to monitor router performance.

MIB structure

As you can see from the Cisco SNMP Object Navigator, there are many tables describing CEF: FIB, prefixes, adjacencies and stats.

In this post I focus on the switching stats table: cefSwitchingStatsTable.

Switching stats table

This table offers statistics about dropped and punted packets. The CLI command show ip cef switching statistics gives the same view of these stats.

As you know, while dropping packets is not a resource-intensive process, punting packets may lead to a huge CPU load, because punted packets have to be handled by a slower switching path, such as process switching.

cefSwitchingStatsTable
----------------------

# snmpwalk -v 2c -c public -m ALL 192.168.0.8 .1.3.6.1.4.1.9.9.492.1.8.2

CISCO-CEF-MIB::cefSwitchingPath.9.1.1 = STRING: RP RIB
CISCO-CEF-MIB::cefSwitchingPath.9.1.2 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingPath.9.1.3 = STRING: RP PAS
CISCO-CEF-MIB::cefSwitchingPath.9.2.1 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingDrop.9.1.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingDrop.9.1.2 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingDrop.9.1.3 = Counter32: 3265 packets
CISCO-CEF-MIB::cefSwitchingDrop.9.2.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.2 = Counter32: 3505 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.3 = Counter32: 3506 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.2.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt2Host.9.1.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt2Host.9.1.2 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt2Host.9.1.3 = Counter32: 8 packets
CISCO-CEF-MIB::cefSwitchingPunt2Host.9.2.1 = Counter32: 0 packets

The table’s index is composed of three elements: entPhysicalIndex, cefFIBIpVersion and cefSwitchingIndex.

The first, entPhysicalIndex, is the value of the entPhysicalTable’s index (.iso.org.dod.internet.mgmt.mib-2.entityMIB.entityMIBObjects.entityPhysical.entPhysicalTable); it identifies the CEF-enabled hardware module the stats refer to.

[...].entPhysicalTable.entPhysicalEntry.entPhysicalDescr.9 = Cisco 7200VXR Network Processing Engine NPE-400
[...].entPhysicalTable.entPhysicalEntry.entPhysicalClass.9 = module
[...].entPhysicalTable.entPhysicalEntry.entPhysicalName.9 = NPE400 0

The second element, cefFIBIpVersion, of type CefIpVersion (see CISCO-CEF-TC MIB), describes the IP protocol: IPv4 (1) or IPv6 (2).

The third, cefSwitchingIndex, is a local identifier: indeed, there may be several switching paths for each module/IP version pair.
Switching paths are platform dependent and may be RIB (process switching with CEF assistance), LES (low-end switching CEF), PAS (CEF turbo switch path)… you can find a more comprehensive list on the Cisco Command Lookup Tool by looking up the show ip cef switching statistics command.

Why use CEF monitoring?

Monitoring the punted packet counters, for example with an SNMP-enabled NMS, may be useful to get an overview of router and network performance and health, and to lower response time and MTTR in case of degradation. Note that these objects are Counter32 values: what matters is the rate of change between two polls, not the absolute number, and the NMS has to cope with the wrap at 2^32. A fast increase in punted packets may be a sign of a DoS attack against the routers, while a persistently high share of punted packets out of the total may mean you have to revise your network design, offloading some work to other routers.
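The following Python is an added example, not code from the original post or from Cisco: it ties together the index decomposition explained above and the rate-based monitoring of this section. It parses snmpwalk output in the same text format shown earlier, splits the three-part index into entPhysicalIndex / cefFIBIpVersion / cefSwitchingIndex, and turns two successive polls of cefSwitchingPunt into a per-path punt rate, allowing for one Counter32 wrap. The two walks embedded in it are constructed: the paths and indexes mirror the post's router, but the counter values are made up, with cefSwitchingPunt.9.1.3 placed just below 2^32 in the first poll so that it wraps in the second.

```python
import re

# Added example, not code from the original post. It parses the plain-text output
# of "snmpwalk ... CISCO-CEF-MIB" (same format as the walk shown in the post),
# splits the three-part index into entPhysicalIndex / cefFIBIpVersion /
# cefSwitchingIndex and computes per-path punt rates between two polls.

COUNTER32_MAX = 2 ** 32
LINE_RE = re.compile(
    r"^CISCO-CEF-MIB::(?P<col>\w+)\.(?P<ent>\d+)\.(?P<ipv>\d+)\.(?P<idx>\d+)"
    r" = (?P<type>STRING|Counter32): (?P<val>.*?)(?: packets)?$"
)

# Constructed sample data: two walks 60 s apart. Counter values are made up;
# cefSwitchingPunt.9.1.3 sits just below 2^32 at T0 so that it wraps at T1.
WALK_T0 = """\
CISCO-CEF-MIB::cefSwitchingPath.9.1.1 = STRING: RP RIB
CISCO-CEF-MIB::cefSwitchingPath.9.1.2 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingPath.9.1.3 = STRING: RP PAS
CISCO-CEF-MIB::cefSwitchingPath.9.2.1 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingDrop.9.1.3 = Counter32: 3265 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.2 = Counter32: 3505 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.3 = Counter32: 4294967200 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.2.1 = Counter32: 0 packets
"""
WALK_T1 = """\
CISCO-CEF-MIB::cefSwitchingPath.9.1.1 = STRING: RP RIB
CISCO-CEF-MIB::cefSwitchingPath.9.1.2 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingPath.9.1.3 = STRING: RP PAS
CISCO-CEF-MIB::cefSwitchingPath.9.2.1 = STRING: RP LES
CISCO-CEF-MIB::cefSwitchingDrop.9.1.3 = Counter32: 3270 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.1 = Counter32: 0 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.2 = Counter32: 3520 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.1.3 = Counter32: 150 packets
CISCO-CEF-MIB::cefSwitchingPunt.9.2.1 = Counter32: 0 packets
"""
POLL_INTERVAL_S = 60


def parse_walk(text):
    """Map (entPhysicalIndex, cefFIBIpVersion, cefSwitchingIndex) -> {column: value}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a cefSwitchingStatsTable row
        key = (int(m["ent"]), int(m["ipv"]), int(m["idx"]))
        value = int(m["val"]) if m["type"] == "Counter32" else m["val"]
        rows.setdefault(key, {})[m["col"]] = value
    return rows


def describe_index(key):
    """Human-readable form of the three-part table index."""
    ent, ipv, idx = key
    version = {1: "IPv4", 2: "IPv6"}.get(ipv, f"ipVersion={ipv}")
    return f"entPhysicalIndex={ent} {version} cefSwitchingIndex={idx}"


def counter_delta(old, new):
    """Increment between two Counter32 samples, assuming at most one wrap."""
    return new - old if new >= old else new + COUNTER32_MAX - old


def punt_rates(walk_t0, walk_t1, interval_s):
    """Per-path punt rate in packets/s: key -> (switching path name, pps)."""
    rates = {}
    for key, row in walk_t1.items():
        prev = walk_t0.get(key, {})
        if "cefSwitchingPunt" not in row or "cefSwitchingPunt" not in prev:
            continue  # a path seen in only one poll has no rate yet
        delta = counter_delta(prev["cefSwitchingPunt"], row["cefSwitchingPunt"])
        rates[key] = (row.get("cefSwitchingPath", "?"), delta / interval_s)
    return rates


def paths_over_threshold(rates, threshold_pps):
    """Keys of the paths whose punt rate exceeds threshold_pps, sorted."""
    return sorted(k for k, (_, pps) in rates.items() if pps > threshold_pps)


if __name__ == "__main__":
    rates = punt_rates(parse_walk(WALK_T0), parse_walk(WALK_T1), POLL_INTERVAL_S)
    for key, (path, pps) in sorted(rates.items()):
        print(f"{describe_index(key):45} {path:8} {pps:7.2f} punts/s")
    print("over 1 pps:", [describe_index(k) for k in paths_over_threshold(rates, 1.0)])
```

The threshold is deliberately a parameter: what counts as an abnormal punt rate depends on the platform and on the traffic mix, so it should be tuned from a baseline rather than hard-coded. When you poll a real router instead of parsing saved output, do it with a read-only community that is not the default "public" (or with SNMPv3), and restrict the SNMP listener with an access list; the walk shown earlier on this page is fine for a lab but not as a production template.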

References

Cisco.com: Cisco Express Forwarding SNMP CEF-MIB Support

Cisco.com: Cisco Express Forwarding (CEF)

Cisco.com: CISCO-CEF-MIB