Network + Lesson 12
Quality of Service (QoS)
Quality of Service (QoS) protocols and appliances are designed to support real-time services. Applications such as voice and video that carry real-time data have different network requirements from the sort of data represented by file transfer. With "ordinary" data, it is usually beneficial to transfer a file as quickly as possible, but the sequence in which the packets are delivered and the variable intervals between packets arriving do not materially affect the application. Real-time traffic tolerates some loss but is highly sensitive to delay and to variation in delay.
Latency
Latency is the time it takes for a transmission to reach the recipient, measured in milliseconds (ms). It can be quoted one-way (which requires the sending and receiving clocks to be synchronized) or as round trip time (RTT), which a single host can measure by itself with a tool such as ping.
Cyclic Redundancy Check Errors
A cyclic redundancy check (CRC) is calculated by an interface when it sends a frame. A CRC value is calculated from the frame contents to derive a 32-bit value. This is appended to the end of the frame as the frame check sequence (FCS) trailer (it is not part of the header). The receiving interface runs the same calculation over the received frame. If it derives a different value, the frame is rejected and the interface's CRC error counter is incremented. The number of CRC errors can be monitored per interface. CRC errors are usually caused by interference. This interference might be due to poor quality cable or termination, attenuation, mismatches between optical transceivers or cable types, or due to some external factor. Note that a CRC is an error-detection code, not a security control: an attacker who can modify a frame can simply recompute the FCS.
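The following is an added worked example (not part of the original lesson) showing the sender/receiver CRC check and the per-interface CRC error counter described above. It uses Python's zlib.crc32, which computes the same CRC-32 that IEEE 802.3 uses for the FCS; the sample frame and payload are constructed for the demo and the "interface" is a minimal stand-in, not a real driver.

```python
import zlib

# Constructed sample Ethernet frame (not captured traffic): dst MAC, src MAC,
# EtherType, then a payload. The FCS is NOT part of this; it is appended below.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"   # destination MAC (broadcast)
    "001122334455"   # source MAC (made up)
    "0800"           # EtherType: IPv4
) + b"constructed payload for the CRC demo"


def compute_fcs(frame: bytes) -> bytes:
    """Return the 4-byte FCS for an Ethernet frame.

    IEEE 802.3 uses CRC-32 with the same polynomial, reflection, initial value
    and final XOR as zlib.crc32. The result is transmitted least significant
    byte first, as a trailer after the payload.
    """
    return zlib.crc32(frame).to_bytes(4, "little")


def append_fcs(frame: bytes) -> bytes:
    """Sender side: frame as it goes on the wire, FCS trailer included."""
    return frame + compute_fcs(frame)


def check_fcs(frame_with_fcs: bytes) -> bool:
    """Receiver side: recompute over everything except the last 4 bytes and compare."""
    if len(frame_with_fcs) < 4:
        return False
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return compute_fcs(body) == fcs


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate interference on the wire: invert a single bit of the frame."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


class InterfaceCounters:
    """Minimal stand-in for the counters a switch port keeps (ifInErrors style)."""

    def __init__(self) -> None:
        self.frames_ok = 0
        self.crc_errors = 0

    def receive(self, wire_frame: bytes) -> bool:
        if check_fcs(wire_frame):
            self.frames_ok += 1
            return True
        self.crc_errors += 1   # frame rejected, never passed up the stack
        return False


def demo() -> InterfaceCounters:
    """Deliver one clean frame and two corrupted copies; return the port counters."""
    port = InterfaceCounters()
    good = append_fcs(SAMPLE_FRAME)
    port.receive(good)
    port.receive(flip_bit(good, 8 * 20 + 3))           # bit error in the payload
    port.receive(flip_bit(good, 8 * (len(good) - 2)))  # bit error in the FCS itself
    return port


if __name__ == "__main__":
    p = demo()
    print(f"frames ok: {p.frames_ok}, CRC errors: {p.crc_errors}")
```

Any single-bit error is always caught by CRC-32, which is why a rising CRC counter on a port is such a reliable indicator of a physical-layer problem rather than a software one.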
performance baseline
A performance baseline establishes the resource utilization metrics at a point in time, such as when the system was first installed. This provides a comparison to measure system responsiveness later. For example, if a company is expanding a remote office that is connected to the corporate office with an ISP's basic tier package, the baseline can help determine if there is enough reserve bandwidth to handle the extra user load, or if the basic package needs to be upgraded to support higher bandwidths. A baseline is also what makes anomalies visible: a sustained deviation from it can indicate misconfiguration, a failing component, or malicious activity such as data exfiltration or a DoS attack.
Bandwidth
Bandwidth is the amount of information that can be transmitted, measured in bits per second (bps), or some multiple thereof. When monitoring, you need to distinguish between the nominal data link/Ethernet bit rate, the throughput of a link at Layer 3, and the goodput available to an application.
traffic shaping
In terms of QoS, network functions are commonly divided into three planes: Control plane—makes decisions about how traffic should be prioritized and where it should be switched. Data plane—handles the actual switching of traffic. Management plane—monitors traffic conditions.
jitter
Jitter is variation in the delay between successive packets. Jitter manifests itself as an inconsistent rate of packet delivery, which real-time applications must absorb with a playout buffer (adding latency) or suffer as dropouts. Jitter is also measured in milliseconds, using an algorithm to calculate a running value from a sample of transit times.
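As an added example (not from the original lesson) covering the latency and jitter entries above, the Python below computes the RFC 3550 interarrival jitter estimator, which is the algorithm RTP receivers use to turn a sample of transit times into a single running jitter value. The packet timestamps are constructed for the demo; the receiver clock is deliberately offset from the sender to show why one-way latency needs synchronized clocks while jitter does not.

```python
# Constructed sample (not captured traffic): (send_ms, receive_ms) for RTP-like
# voice packets sent every 20 ms. The receiver clock is ~100 ms ahead of the
# sender, so the raw "latency" values include that offset.
SAMPLE_PACKETS = [
    (0, 100.0),
    (20, 120.4),
    (40, 139.8),
    (60, 161.2),
    (80, 179.5),
    (100, 203.0),   # this packet arrived late
    (120, 219.7),
]


def one_way_latency_ms(sent_ms: float, received_ms: float) -> float:
    """Latency as transit time of one transmission. Only meaningful if both
    clocks are synchronized (for example via NTP); otherwise the clock offset
    is silently included in the result."""
    return received_ms - sent_ms


def interarrival_jitter(packets) -> float:
    """RFC 3550 section 6.4.1 interarrival jitter estimator.

    D(i-1, i) = (R_i - R_{i-1}) - (S_i - S_{i-1})   change in transit time
    J_i       = J_{i-1} + (|D(i-1, i)| - J_{i-1}) / 16   smoothed running value
    Returns the final J in ms. Because D is a difference of differences, a
    constant clock offset between sender and receiver cancels out.
    """
    j = 0.0
    for (s_prev, r_prev), (s, r) in zip(packets, packets[1:]):
        d = (r - r_prev) - (s - s_prev)
        j += (abs(d) - j) / 16
    return j


def transit_time_spread_ms(packets) -> float:
    """Simpler view of the same sample: max minus min transit time. The clock
    offset cancels here too, since it is identical for every packet."""
    transits = [r - s for s, r in packets]
    return max(transits) - min(transits)


if __name__ == "__main__":
    print(f"RFC 3550 jitter : {interarrival_jitter(SAMPLE_PACKETS):.3f} ms")
    print(f"transit spread  : {transit_time_spread_ms(SAMPLE_PACKETS):.1f} ms")
```

The 1/16 gain factor means a single late packet (the 203.0 ms arrival) only nudges the estimate; a monitoring alert on this value therefore reflects sustained jitter rather than one-off outliers.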
network device logs
Network device logs are one of the most valuable sources of performance, troubleshooting, and security auditing information. A single logged event consists of metadata, such as the date and time, category, and event ID, plus a description and the contents of any error or informational output. Common log types are system and application logs, audit logs, and performance/traffic logs. Because an attacker who compromises a device can alter or clear its local logs, events should be forwarded to a separate collector as they are generated.
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote GUI connections to a Windows machine. RDP uses TCP port 3389. The administrator can specify which users and groups are permitted to connect via RDP and can configure the encryption level on the connection. In practice, RDP should require Network Level Authentication (NLA), use TLS, and be reachable only from trusted networks or over a VPN; RDP exposed directly to the Internet is a frequent entry point for credential brute forcing and ransomware.
Syslog
Syslog is an example of a protocol and supporting software that facilitates log collection. It has become a de facto standard for logging events from distributed systems. For example, syslog messages can be generated by Cisco® routers and switches, as well as UNIX or Linux servers and workstations. A syslog collector usually listens on UDP port 514. Plain UDP syslog is unauthenticated, unencrypted, and gives no delivery guarantee, so messages can be lost, spoofed, or read in transit; where the transport matters, use syslog over TLS (TCP port 6514) or another authenticated channel to the collector.
Environmental Monitoring
The following environmental factors need monitoring:
Temperature—High temperature will make it difficult for device and rack cooling systems to dissipate heat effectively. This increases the risk of overheating of components within device chassis and consequent faults.
Humidity—More water vapor in the air risks condensation forming within a device chassis, leading to corrosion and short circuit faults. Conversely, very low humidity increases risks of static charges building up and damaging components.
Electrical—Computer systems need a stable power supply, free from outages (blackouts), voltage dips (brownouts), and voltage spikes and surges. Sensors built into power distribution systems and backup battery systems can report deviations from a normal power supply.
Flooding—There may be natural or person-made flood risks from nearby water courses and reservoirs, or risks from leaking plumbing or fire suppression systems. Electrical systems need to be shut down immediately in the presence of any significant amount of water.
Logging Levels
Threshold for storing or forwarding an event message based on its severity index or value. Syslog severities run from 0 (emergency) to 7 (debug), so a lower number means a more severe event. The logging level configured on each host determines the maximum level at which events are recorded or forwarded. For example, if the logging level for remote forwarding is set to 4 (warning), events at level 5, 6, or 7 (notice, informational, debug) are not forwarded.
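An added example (not part of the original lesson) covering both the syslog and logging level entries above: a small Python collector that decodes the syslog PRI value into facility and severity and then applies a forwarding threshold the way a host's logging level does. The log lines are constructed for the demo in the traditional RFC 3164 layout; they are not real device output.

```python
import re

# Constructed RFC 3164-style syslog lines (not real device output).
# The leading <PRI> is facility * 8 + severity.
SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 core-sw1 %SYS-2-MALLOCFAIL: Memory allocation failed",           # auth.crit
    "<187>Oct 11 22:14:16 edge-rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",  # local7.err
    "<190>Oct 11 22:14:17 edge-rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5",  # local7.info
    "<37>Oct 11 22:14:18 srv01 sshd[2311]: Failed password for invalid user admin",         # auth.notice
    "garbage line with no PRI",
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def parse_syslog(line: str):
    """Split a syslog line into facility, severity and message.

    Returns None for a line with no valid PRI. A collector should count those
    rather than silently drop them: malformed input is itself a signal.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msg": m.group(2),
    }


def forward_filter(lines, logging_level: int):
    """Apply a forwarding threshold like a host's logging level.

    Events with severity numerically <= logging_level are forwarded (lower
    number = more severe), so with level 4 severities 5, 6 and 7 are dropped.
    Returns (forwarded events, dropped count, malformed count).
    """
    forwarded, dropped, malformed = [], 0, 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            malformed += 1
            continue
        if ev["severity"] <= logging_level:
            forwarded.append(ev)
        else:
            dropped += 1
    return forwarded, dropped, malformed


if __name__ == "__main__":
    fwd, dropped, bad = forward_filter(SAMPLE_LOG, logging_level=4)
    for ev in fwd:
        print(f'{ev["facility"]}.{ev["severity_name"]}: {ev["msg"]}')
    print(f"forwarded={len(fwd)} dropped={dropped} malformed={bad}")
```

Note the trade-off the threshold creates: at level 4 the failed SSH login (severity 5, notice) is not forwarded, so a level chosen purely to cut volume can discard exactly the authentication events a SOC wants. Forward security-relevant facilities such as auth/authpriv at a higher level than the rest.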
SSH Client Authentication
Username/password—The client submits credentials that are verified by the SSH server either against a local user database or using a network authentication server. Password authentication is exposed to online brute-force and credential-stuffing attacks, so it is usually disabled on Internet-facing servers. Public key authentication—Each remote user's public key is added to the list of keys authorized for the local account on the SSH server (the account's authorized_keys file); the client proves possession of the matching private key, which should itself be protected by a passphrase. Kerberos—The client submits the Kerberos credentials (a Ticket Granting Ticket) obtained when the user logged onto the workstation to the server using the Generic Security Services Application Program Interface (GSSAPI). The SSH server contacts the Ticket Granting Service (in a Windows environment, this will be a domain controller) to validate the credential.
Performance Metrics
When you are monitoring a network host or intermediate system, several performance metrics can tell you whether the host is operating normally:
Bandwidth/throughput—This is the rated speed of all the interfaces available to the device, measured in Mbps or Gbps. For wired Ethernet links, this will not usually vary, but the bandwidth of WAN and wireless links can change over time.
CPU and memory—Devices such as switches and routers perform a lot of processing. If CPU and/or system memory utilization (measured as a percentage) is very high, an upgrade might be required. High CPU utilization can also indicate a problem with network traffic.
Storage—Some network devices require persistent storage (typically, one or more flash drives) to keep configuration information and logs. Storage is measured in MB or GB. If the device runs out of storage space, it could cause serious errors. Servers also depend on fast input/output (I/O) to run applications efficiently.
IEEE 802.1p
While DiffServ works at Layer 3, IEEE 802.1p can be used at Layer 2 (independently or in conjunction with DiffServ) to classify and prioritize traffic passing over a switch or wireless access point. 802.1p defines a tagging mechanism within the 802.1Q VLAN tag (it is also often referred to as 802.1Q/p). The 3-bit Priority Code Point (PCP) field in the tag is set to a value between 0 and 7. Because the tag is set by whichever host or switch emits the frame, trunk and access ports should be configured to trust (or re-mark) priority values only from devices that are supposed to set them.
INTERFACE MONITORING METRICS
You can collect data and configure alerts for interface statistics, whether on a network adapter or switch or router port.
Link state—Measures whether an interface is working (up) or not (down). You would configure an alert if an interface goes down so that it can be investigated immediately. You may also want to track the uptime or downtime percentage so that you can assess a link's reliability over time.
Resets—The number of times an interface has restarted over the counter period. Interfaces may be reset manually or could restart automatically if traffic volume is very high, or a large number of errors are experienced. Anything but occasional resets should be closely monitored and investigated. An interface that continually resets is described as flapping.
Speed—This is the rated speed of the interface, measured in Mbps or Gbps. For wired Ethernet links this will not usually vary, but the bandwidth of WAN and wireless links may change over time. For Ethernet links, the interface speed should be the same on both the host and switch ports.
Duplex—Most Ethernet interfaces operate in full duplex mode. If an interface is operating in half duplex mode, there is likely to be some sort of problem, unless you are supporting a legacy device.
Utilization—The data transferred over a period. This can either be measured as the amount of data traffic both sent and received (measured in bits or bytes per second or a multiple thereof) or calculated as a percentage of the available bandwidth.
Per-protocol utilization—Packet or byte counts for a specific protocol. It is often useful to monitor both packet counts and bandwidth consumption. High packet counts will incur processing load on the CPU and system memory resources of the appliance, even if the size of each packet is quite small.
Error rate—The number of packets per second that cause errors. Errors may occur as a result of interference or poor link quality causing data corruption in frames. In general terms, error rates should be under 1 percent; high error rates may indicate a driver problem, if a network media problem can be ruled out.
Discards/drops—An interface may discard incoming and/or outgoing frames for several reasons, including checksum errors, mismatched M
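An added example (not part of the original lesson) showing how the interface metrics above are actually derived from the raw counters a device exposes. Monitoring tools poll cumulative counters (the IF-MIB names ifInOctets, ifInErrors and so on are used here as labels) and compute rates from the difference between two polls; the sample polls below are constructed, and the code handles the classic trap of a 32-bit counter wrapping between polls.

```python
COUNTER_MAX_32 = 2 ** 32  # 32-bit IF-MIB counters (ifInOctets) wrap here; ifHC* are 64-bit

# Constructed sample polls of one 100 Mbps switch port, 60 seconds apart (not real SNMP data).
POLL_1 = {"time": 1_700_000_000, "ifSpeed": 100_000_000, "ifOperStatus": "up",
          "ifInOctets": 4_294_900_000, "ifOutOctets": 1_000_000,
          "ifInUcastPkts": 5_000_000, "ifInErrors": 10, "ifInDiscards": 2}
POLL_2 = {"time": 1_700_000_060, "ifSpeed": 100_000_000, "ifOperStatus": "up",
          "ifInOctets": 300_000,          # wrapped past 2^32 since the last poll
          "ifOutOctets": 661_000_000,
          "ifInUcastPkts": 5_120_000, "ifInErrors": 1_510, "ifInDiscards": 2}


def counter_delta(old: int, new: int, max_value: int = COUNTER_MAX_32) -> int:
    """Difference between two polls of a monotonically increasing counter,
    allowing for exactly one wrap. A counter reset (device reboot, counters
    cleared) looks the same as a wrap; compare sysUpTime between polls to tell
    them apart before trusting the delta."""
    if new >= old:
        return new - old
    return (max_value - old) + new


def interface_metrics(p1: dict, p2: dict) -> dict:
    """Turn two polls into the rates and percentages a dashboard shows."""
    seconds = p2["time"] - p1["time"]
    if seconds <= 0:
        raise ValueError("polls must be in increasing time order")
    in_octets = counter_delta(p1["ifInOctets"], p2["ifInOctets"])
    out_octets = counter_delta(p1["ifOutOctets"], p2["ifOutOctets"])
    in_pkts = counter_delta(p1["ifInUcastPkts"], p2["ifInUcastPkts"])
    in_errors = counter_delta(p1["ifInErrors"], p2["ifInErrors"])
    in_discards = counter_delta(p1["ifInDiscards"], p2["ifInDiscards"])
    in_bps = in_octets * 8 / seconds
    out_bps = out_octets * 8 / seconds
    return {
        "link_up": p2["ifOperStatus"] == "up",
        "in_bps": in_bps,
        "out_bps": out_bps,
        # Full duplex: each direction can use the full rated speed, so report the busier one.
        "utilization_pct": max(in_bps, out_bps) / p2["ifSpeed"] * 100,
        # Error rate as a percentage of packets received in the interval.
        "error_rate_pct": (in_errors / in_pkts * 100) if in_pkts else 0.0,
        "discards": in_discards,
    }


def alerts(m: dict, util_threshold_pct: float = 80.0, error_threshold_pct: float = 1.0) -> list:
    """Alert conditions in the order a NOC would triage them."""
    out = []
    if not m["link_up"]:
        out.append("link down")
    if m["utilization_pct"] > util_threshold_pct:
        out.append(f"utilization {m['utilization_pct']:.1f}% over {util_threshold_pct}%")
    if m["error_rate_pct"] > error_threshold_pct:
        out.append(f"error rate {m['error_rate_pct']:.2f}% over {error_threshold_pct}%")
    return out


if __name__ == "__main__":
    m = interface_metrics(POLL_1, POLL_2)
    print(m)
    print(alerts(m))
```

Without the wrap handling, the inbound delta would come out as a large negative number and either poison the baseline or be dropped; on gigabit links a 32-bit octet counter wraps in well under a minute, which is why the 64-bit ifHC counters exist.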
Network Time Protocol (NTP)
Application protocol allowing machines to synchronize to the same time clock. The Network Time Protocol (NTP) works over UDP port 123. Accurate, consistent time is needed to correlate logs across devices and for time-dependent authentication such as Kerberos, so every managed host and appliance should synchronize to a small set of trusted internal NTP servers rather than to arbitrary Internet sources.
Secure Shell (SSH)
Application protocol supporting secure tunneling and remote terminal emulation and file copy. Secure Shell (SSH) is the principal means of obtaining secure remote access to UNIX and Linux servers and to most types of network appliances (switches, routers, and firewalls). As well as terminal emulation, SSH can be used as the secure file transfer protocol (SFTP). There are numerous commercial and open source SSH servers and terminal emulation clients available for all the major NOS platforms (UNIX®, Linux®, Windows®, and macOS®). The most widely used is OpenSSH (openssh.com). An SSH server listens on TCP port 22 by default. The client authenticates the server by its host key, so an unexpected host key change should be treated as a possible man-in-the-middle attack rather than clicked through.
Telnet
Application protocol supporting unsecure terminal emulation for remote host management. Telnet is both a protocol and a terminal emulation software tool that transmits shell commands and output between a client and the remote host. In order to support Telnet access, the remote computer must run a service known as the Telnet Daemon, which listens on TCP port 23 by default. Everything, including the login credentials, is sent in cleartext and can be captured by anyone on the path, so Telnet should be disabled in favor of SSH wherever the device supports it.
Simple Network Management Protocol (SNMP)
Application protocol used for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default: agents listen on 161 for queries from the monitoring system, and the monitoring system listens on 162 for traps sent by agents. The Simple Network Management Protocol (SNMP) is a widely used framework for remote management and monitoring of servers and network appliances. SNMP consists of agents and a monitoring system. SNMPv1 and v2c authenticate only with a cleartext community string, so they should be restricted to read-only access from a management network; SNMPv3 adds per-user authentication and encryption (authPriv) and should be used where supported.
Differentiated Services (DiffServ)
Header field used to indicate a priority value for a Layer 3 (IP) packet to facilitate QoS or Class of Service (CoS) scheduling. The Differentiated Services (DiffServ) framework classifies each packet passing through a device. Router policies can then be defined to use the packet classification to prioritize delivery. DiffServ is an IP (Layer 3) service tagging mechanism. It uses the former Type of Service field in the IPv4 header (Traffic Class in IPv6). The upper 6 bits of that byte carry the DiffServ Code Point (DSCP), set by either the sending host or by the router; the remaining 2 bits are used for Explicit Congestion Notification (ECN). Packets with the same DSCP and destination are referred to as Behavior Aggregates and allocated the same Per Hop Behavior (PHB) at each DiffServ-compatible router. DiffServ traffic classes are typically grouped into three types: Best Effort. Assured Forwarding (which is broken down into sub-levels). Expedited Forwarding (which has the highest priority).
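An added example (not part of the original lesson) that covers both the IEEE 802.1p and DiffServ entries: Python helpers that pack and unpack the 3-bit PCP inside an 802.1Q tag and the 6-bit DSCP inside the IPv4 ToS/Traffic Class byte, classify a DSCP into the EF, AF and CS code points, and apply the common DSCP-to-PCP mapping used when Layer 3 marking has to be carried across a Layer 2 switch. The frame bytes are constructed for the demo; the mapping is the usual "class selector bits become the PCP" convention, which is an assumption about a given deployment rather than a protocol rule.

```python
import struct

# 802.1Q tag: TPID 0x8100, then 16-bit TCI = PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits).
# IPv4 byte 1 (Traffic Class in IPv6): DSCP (6 bits) | ECN (2 bits).
TPID_8021Q = 0x8100


def build_tci(pcp: int, dei: int, vlan_id: int) -> int:
    if not 0 <= pcp <= 7 or dei not in (0, 1) or not 0 <= vlan_id <= 4095:
        raise ValueError("PCP must be 0-7, DEI 0 or 1, VLAN ID 0-4095")
    return (pcp << 13) | (dei << 12) | vlan_id


def parse_tci(tci: int) -> dict:
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}


def build_tos(dscp: int, ecn: int = 0) -> int:
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0-63, ECN 0-3")
    return (dscp << 2) | ecn


def parse_tos(tos: int) -> dict:
    return {"dscp": tos >> 2, "ecn": tos & 0x3}


def dscp_to_phb(dscp: int) -> str:
    """Name the standard Per Hop Behavior for a DSCP (RFC 2474, 2597, 3246).

    EF = 46. AFxy = 8x + 2y for class x in 1..4 and drop precedence y in 1..3.
    CSn = 8n (class selectors); CS0 is best effort.
    """
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)
    if low in (2, 4, 6) and 1 <= cls <= 4:
        return f"AF{cls}{low // 2}"
    if low == 0:
        return f"CS{cls}"
    return "unassigned"


def dscp_to_pcp(dscp: int) -> int:
    """Assumed L3 to L2 mapping: use the DSCP class selector (top 3 bits) as the 802.1p PCP."""
    return dscp >> 3


def tagged_frame(dst: bytes, src: bytes, pcp: int, vlan_id: int, ethertype: int, payload: bytes) -> bytes:
    """Build an 802.1Q tagged Ethernet frame (without FCS)."""
    tci = build_tci(pcp, 0, vlan_id)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tagged_frame(frame: bytes) -> dict:
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    return {**parse_tci(tci), "ethertype": ethertype, "payload": frame[18:]}


if __name__ == "__main__":
    # Constructed demo: a voice packet marked EF at Layer 3, carried on VLAN 100 at Layer 2.
    tos = build_tos(46)
    pcp = dscp_to_pcp(parse_tos(tos)["dscp"])
    frame = tagged_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                         pcp, 100, 0x0800, b"constructed payload")
    print(f"ToS byte 0x{tos:02x} -> {dscp_to_phb(46)}, PCP {pcp}")
    print(parse_tagged_frame(frame))
```

Both markings are just bits that any host on the segment can set, so a switch that blindly trusts incoming PCP or DSCP lets a single workstation place its traffic in the voice queue; production QoS policies re-mark untrusted ports to best effort.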
terminal emulator
software that reproduces text input and output for a given command shell or OS. A terminal emulator is any kind of software that replicates this TTY input/output function. A given terminal emulator application might support connections to multiple types of shell. A remote terminal emulator allows you to connect to the shell of a different host over the network.
Bottleneck
troubleshooting issue where performance for a whole network or system is constrained by the performance of a single link, device, or subsystem. A bottleneck is a point of poor performance that reduces the productivity of the whole network. A bottleneck may occur because a device is underpowered or faulty. It may also occur because of user or application behavior. To identify the cause of a bottleneck, you need to identify where and when on the network overutilization or excessive errors occur. If the problem is continual, it is likely to be device-related; if the problem only occurs at certain times, it is more likely to be user- or application-related.