# Explain the Use of Network Management Services

## Secure Shell Servers and Terminal Emulators

- Terminal emulator - this is a terminal, don't get it twisted
- Secure Shell (SSH/22) - secure terminal emulation over port TCP/22
  - Tunnel other traffic over SSH
  - Symmetric keys
  - Server authenticated by a host key
  - Client authentication:
    - Username/password (not recommended)
    - Public key authentication
    - Kerberos
  - Ensure secure management of keys

## SSH Commands

- `sshd` - start the daemon
- `ssh-keygen` - creates a key pair; use `ssh-copy-id` to copy the public key to another machine
- `ssh-agent` - configure the service to store keys used to access multiple hosts; stores the private key for each public key securely
- `ssh Host` - connect to the server *Host*. Host can be an FQDN or an IP address
- `ssh username@host`
- `ssh Host "command or script"`
- `scp username@host:remotefile /local/destination`
- `sftp`

## Telnet

- Unsecure CLI terminal emulation over port TCP/23
- Plaintext protocol - no security
- Typically disabled - replaced by SSH

## Remote Desktop Protocol

- GUI remote administration over TCP/3389
- Session can be encrypted
- Range of clients for different PC and mobile OSs

## Network Time Protocol (UDP/123)

- Time-critical services
  - Authentication, logging, task scheduling/backup, etc.
- NTP
  - Stratum 1 servers have a direct physical link to an accurate time source, such as an atomic clock accessed over GPS
  - Lower stratum servers sample multiple sources
    - Stratum 2 syncs with stratum 1 servers
  - Clients use Simple NTP to obtain the correct time
  - Diagnosing errors due to incorrect time
- SNTP - Simple Network Time Protocol -> workstations obtain the correct time from time servers
  - SNTP cannot act as a time source for other hosts
  - Works over the same port as NTP

# Use Event Management to Ensure Network Availability

## Performance Metrics, Bottlenecks, and Baselines

- Important metrics:
  - Bandwidth/throughput (bits/sec), CPU and memory resource, storage resource
- Bottlenecks
  - Known as *pinch points* that cause the whole system to underperform
- Performance baselines
  - Record metrics as a comparison
  - Update baselines alongside upgrades

## Environmental Monitoring

- Environmental sensors detect factors that could affect integrity and reliability
- Device chassis sensors
  - Temperature, fan speed, voltage fluctuation, intrusion
- Ambient sensors
  - Temperature, humidity, electrical, flooding

## Simple Network Management Protocol (SNMP)

- Agents:
  - Management Information Base (MIB)
  - Object Identifier (OID)
  - Community name
    - Read-only or read/write access
  - Traps
- SNMP monitor (like SolarWinds)
  - Get - queries the agent for a single OID
  - Trap - informs the monitor of a notable event (port failure, for instance)
  - Walk
- UDP/161 -> queries
- UDP/162 -> traps

## Network Device Logs

- Performance, troubleshooting, and security (auditing) information
- Metadata + event data
- Log types:
  - System and application logs
  - Audit logs
  - Performance/traffic logs

## Log Collectors and Syslog

- Centralized collection of events from multiple sources
- Event Viewer (Windows)
- Syslog protocol for forwarding over UDP/514
- Syslog open format for log messages
  - PRI code
  - Header
  - Message

## Event Management

- Event categorization
  - Windows
    - Informational, warning, critical
    - Audit success or fail
  - Syslog severity levels
    - 0 (emergency) down to 7 (debug)
- Logging level and alert configuration
  - Threshold
  - Alert vs notifications and alarms
  - Ticket systems

## Log Reviews

- Monitoring vs review/analysis
- Trends
- Graphing

# Use Performance Metrics to Ensure Network Availability

## Network Metrics

**Quality of Service (QoS)** protocols and appliances are designed to support real-time services. Applications such as voice and video that carry real-time data have different network requirements to the sort of data represented by file transfer. With “ordinary” data, it might be beneficial to transfer a file as quickly as possible, but the sequence in which the packets are delivered and the variable intervals between packets arriving do not materially affect the application. This type of data transfer is described as bursty.

- Bandwidth -> the amount of information that can be transmitted at a given moment
  - Speed, throughput and goodput
  - Calculating requirements for audio and video
- Latency and jitter
  - **Latency** -> the time it takes for a transmission to reach its destination
    - Signal delay measured in milliseconds (ms)
  - **Jitter** -> variation in delay (latency)
    - Manifests itself as an inconsistent rate of packet delivery
    - VoIP mitigates this with buffering of packets with CoS
  - Measurement tools (pathping and mtr)
  - One-way vs round trip time (RTT)
  - Not a significant problem when data transfer is bursty

## Bandwidth Management

Latency and jitter on the Internet are difficult to control because of the number of different parties that are involved (both caller networks plus any ISP transit networks). On a local network, delay is typically caused by congestion. This means that the network infrastructure is not capable of meeting the demands of peak load.
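An added example (not part of these notes) that works the latency and jitter metrics above: it computes one-way delay, RTT and the RFC 3550 jitter estimate from a constructed packet trace, and counts how many packets a VoIP playout (jitter) buffer of a given size would fail to absorb. The trace, the constant return-path delay and the buffer sizes are assumptions.

```python
# Added example (not from the original notes): latency, RTT and jitter
# computed from a constructed packet trace, plus how much of the variation
# a VoIP playout (jitter) buffer of a given size would absorb.
from statistics import mean

# Constructed trace: (sequence number, send time ms, receive time ms) as a
# one-way probe would record it; sender and receiver clocks are assumed to
# be synchronised (which is what the NTP section above provides).
TRACE = [
    (1, 0.0, 41.0), (2, 20.0, 60.0), (3, 40.0, 85.0),
    (4, 60.0, 98.0), (5, 80.0, 145.0), (6, 100.0, 141.0),
]

def one_way_latencies(trace):
    """Per-packet one-way delay in ms (receive time minus send time)."""
    return [rx - tx for _, tx, rx in trace]

def round_trip_times(trace, return_path_ms):
    """RTT = one-way delay plus the return leg. The return leg is assumed
    constant here; pathping and mtr measure RTT directly instead."""
    return [d + return_path_ms for d in one_way_latencies(trace)]

def rfc3550_jitter(trace):
    """Smoothed inter-arrival jitter as RTP receivers compute it (RFC 3550):
    J = J + (|D| - J) / 16, where D is the change in transit time between
    consecutive packets. Returns the final smoothed value in ms."""
    j = 0.0
    delays = one_way_latencies(trace)
    for prev, cur in zip(delays, delays[1:]):
        j += (abs(cur - prev) - j) / 16
    return j

def late_packets(trace, buffer_ms):
    """Count packets a playout buffer of buffer_ms cannot absorb: packet n
    is played out at (first arrival + buffer) + its send offset; a packet
    arriving after that slot is late and the codec would drop it."""
    first_tx, first_rx = trace[0][1], trace[0][2]
    late = 0
    for _, tx, rx in trace:
        if rx > first_rx + buffer_ms + (tx - first_tx):
            late += 1
    return late

if __name__ == "__main__":
    lat = one_way_latencies(TRACE)
    print(f"latency min/avg/max ms: {min(lat)}/{mean(lat):.1f}/{max(lat)}")
    print(f"RFC 3550 jitter estimate: {rfc3550_jitter(TRACE):.2f} ms")
    for buf in (0, 20, 40):
        print(f"{buf} ms jitter buffer: {late_packets(TRACE, buf)} late")
```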
### Differentiated Services (DiffServ)

- Classifies each packet passing through a device
  - With router policies, the packet is then assigned a classification to prioritize delivery
- Layer 3 (IP) service tagging
  - Uses the Type of Service field in the IPv4 header (Traffic Class on IPv6)
  - 6-bit DiffServ Code Point (DSCP), set by either the sending host or by the router

DiffServ traffic classes are typically grouped into 3 types:

1) Best effort
2) Assured Forwarding (broken down into sub-levels)
3) Expedited Forwarding (has the highest priority)

**IEEE 802.1p**

- Can be used at layer 2
- Independently or in conjunction with DiffServ
- Classifies and prioritizes traffic passing over a switch or WAN
- 3-bit priority field in the 802.1Q VLAN header
- Mapping DSCP to 802.1p
  - Network control (highest priority)
  - Expedited Forwarding
  - Assured Forwarding
  - Best effort (lowest priority - ordinary)

## Traffic Shaping

- Quality of Service (QoS) vs Class of Service (CoS)
  - Privilege real-time data over bursty data
  - CoS tags data with a **priority** type
  - QoS allows **control** over network link parameters
- Multiprotocol Label Switching (MPLS)
  - Reserve required bandwidth
- QoS network functions:
  - **Control plane** -> makes decisions about how traffic should be prioritized and where it should be switched
  - **Data plane** -> handles the actual switching of traffic
  - **Management plane** -> monitors traffic conditions
- Traffic policing enforces bandwidth limits
- Traffic shaping
  - Reserve link bandwidth
  - Prioritize traffic
  - Filter/deprioritize unwanted traffic

Protocols, appliances, and software that can apply these three functions can be described as traffic shapers or bandwidth shapers. Traffic shapers delay certain packet types—based on their content—to ensure that other packets have a higher priority. This can help to ensure that latency is reduced for critical applications.
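An added example, not from the original notes, of the DiffServ and 802.1p tagging described above: it extracts the 6-bit DSCP from the IPv4 ToS byte, names the class (best effort, AFxy, EF, class selectors) and maps it to a 3-bit 802.1p priority in the order listed above. The specific DSCP-to-PCP numbers are this example's assumption, not a standard mapping from the notes.

```python
# Added example (not from the original notes): decode the DSCP from an IPv4
# Type of Service byte, name the DiffServ class, and map it to an 802.1p
# priority using the ordering the notes give (network control > EF > AF >
# best effort). The DSCP->PCP numbers are this example's assumed mapping.

EF = 46            # Expedited Forwarding code point

def dscp_from_tos(tos):
    """The DSCP is the upper 6 bits of the ToS/Traffic Class byte; the low
    2 bits are ECN and are not part of the code point."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be one byte")
    return tos >> 2

def classify(dscp):
    """Name the DiffServ class for a 6-bit code point."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 6 bits")
    if dscp == 0:
        return "BE"                    # best effort (default)
    if dscp == EF:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"        # assured forwarding: class 1-4, drop precedence 1-3
    if dscp & 0b111 == 0:
        return f"CS{cls}"              # class selector (CS6/CS7 are network control)
    return "unknown"

def pcp_for(dscp):
    """802.1p priority (3-bit PCP in the 802.1Q tag), highest first:
    network control 7, EF 5, AF/CS by class number, best effort 0."""
    name = classify(dscp)
    if name in ("CS6", "CS7"):
        return 7
    if name == "EF":
        return 5
    if name.startswith(("AF", "CS")):
        return int(name[2])            # AF1x..AF4x -> 1..4, CS1..CS5 -> 1..5
    return 0

def tag_frame(tos):
    """Derive the 802.1Q PCP a switch would apply from a packet's ToS byte."""
    dscp = dscp_from_tos(tos)
    return {"dscp": dscp, "class": classify(dscp), "pcp": pcp_for(dscp)}
```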
## Traffic Analysis Tools

- Throughput testers:
  - Assess goodput
  - iperf
- Top talkers/listeners
  - Top talker -> interfaces generating the most outgoing traffic (in bandwidth)
  - Top listener -> interfaces receiving the most incoming traffic
  - Identifying these hosts and routes is useful in identifying and eliminating performance bottlenecks
- Bandwidth speed testers
  - Broadband speed checkers -> test how fast the local broadband link to the Internet is. Designed for SOHO use.
- Test website performance/monitor availability
  - Query a nominated website to work out how quickly pages load. Can test the site's response time from the perspective of outside users.

## NetFlow

- A packet analyzer that gathers traffic metadata only and reports it to a structured database (reduces overhead by capturing just the metadata)
- NetFlow and IP Flow Information Export (IPFIX), the IETF standard
- NetFlow exporters -> configured on network appliances
  - A traffic flow is defined by packets that share the same characteristics, such as IP source and destination addresses and protocol type. These five pieces of information are referred to as a 5-tuple
  - A 7-tuple flow adds the input interface and IP type of service data
- NetFlow collectors -> aggregate flows from multiple exporters. A large network can generate huge volumes of flow traffic and data records, so the collector needs a high-bandwidth network link and substantial storage capacity
- NetFlow analyzers -> report and interpret information by querying the collector and can be configured to generate alerts and notifications. In practical terms, the collector and analyzer components are often implemented as a single product.

## Interface Monitoring Metrics

You can collect data and configure alerts for the following statistics:

- **Link state** -> whether the interface is up or down
- **Resets** -> occasional resets should be monitored and investigated
  - An interface that continually resets is called *flapping*
- **Speed** ->
- **Duplex** -> send only (half) or send AND receive at the same time (full)
- **Utilization** ->
- **Per-protocol utilization** ->
- **Error rate** -> should be under 1%. A high error rate indicates a driver problem, if the media is ruled out
- **Discards/drops** -> packets may be discarded for: checksum error, mismatched MTUs, packets that are too small or too large, high load, permissions, etc.
- **Retransmissions** ->

## Troubleshooting Interface Errors

As well as monitoring for traffic bottlenecks and other performance issues, interface errors might indicate a misconfiguration problem at the data link layer or interference at the physical layer.

- Cyclic Redundancy Check (CRC) errors
  - The CRC is calculated by an interface when it sends a frame
    - Calculated from the frame contents to derive a 32-bit value
    - Added to the header as the frame check sequence
  - The destination interface performs the same calculation; if a different value is found, the frame is rejected
  - CRC errors can be monitored per interface
  - CRC errors are usually caused by interference
    - Could be due to poor quality cable, attenuation, or mismatches between optical transceivers or cable types
- Encapsulation
  - Frame format expected on the interface
  - Errors will prevent transmission and reception
  - If you check the interface status, the physical link will be UP but the line protocol will be listed as down
  - This type of error can arise in several circumstances:
    - **Ethernet frame type** -> the most commonly used is Ethernet II, but if a host is configured to use a different type such as SNAP, then errors will be reported on the link
    - **Ethernet trunks** -> when a trunk link is established between switches it will commonly use the Ethernet 802.1Q frame format. The linked switches need to use the same format
    - **WAN framing** -> router interfaces to provider networks can use a variety of frame formats.
      Often these are simple serial protocols, such as High-level Data Link Control (HDLC) or Point-to-Point Protocol (PPP). Alternatively, the interface may use encapsulated Ethernet over Asynchronous Transfer Mode (ATM) or Virtual Private LAN Service (VPLS), or an older protocol such as Frame Relay. The interface on the Customer Edge (CE) router must be configured for the same framing type as the Provider Edge (PE) router.
- Runt frame errors
  - Defined as a frame that is smaller than the minimum size (64 bytes for Ethernet)
  - Usually caused by a collision
  - In a switched environment, collisions should only happen on an interface connected to a legacy hub device or where there is a duplex mismatch on the interface configuration
  - If runts are generated in other conditions, suspect a driver issue on the transmitting host
- Giant frame errors
  - Larger than the maximum permissible size (1518 bytes for Ethernet II). There are 2 likely causes:
    - **Ethernet trunks** -> as above, if one switch interface is configured for 802.1Q framing but the other is not, the frames will appear too large to the receiver, as 802.1Q adds 4 bytes to the header, making the maximum frame size 1522 bytes.
    - **Jumbo frames** -> a host might be configured to use jumbo frames, but the switch interface is not configured to receive them. This type of issue often occurs when configuring storage area networks (SANs) or links between SANs and data networks.
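An added example, not from the original notes, that applies the interface error rules above to constructed Ethernet frames: FCS (CRC-32) verification, runt (under 64 bytes) and giant (over 1518, or over 1522 for 802.1Q-tagged frames on a trunk port) detection, and the 1% error-rate threshold. The frame contents, MAC addresses and the trunk_port flag are assumptions.

```python
# Added example (not from the original notes): a frame checker that applies
# the interface error rules above to constructed frames: FCS (CRC-32) check,
# runt (< 64 bytes) and giant (> 1518, or > 1522 when 802.1Q tagged)
# detection, and the 1% error-rate threshold per interface.
import struct
import zlib

MIN_FRAME, MAX_FRAME, MAX_TAGGED = 64, 1518, 1522
TPID_8021Q = 0x8100

def fcs(payload):
    """Ethernet FCS: CRC-32 over the frame (zlib's CRC-32 uses the same
    polynomial, reflection and init/final XOR), sent little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def build_frame(dst, src, ethertype, data, vlan=None):
    """Constructed Ethernet II frame, optionally 802.1Q tagged, padded to
    the 64-byte minimum as a NIC would, with the FCS appended."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack(">HH", TPID_8021Q, vlan & 0x0FFF)
    body = hdr + struct.pack(">H", ethertype) + data
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + fcs(body)

def check_frame(frame, trunk_port):
    """Classify a received frame as 'ok', 'runt', 'giant' or 'crc'. Size
    checks come first; 1519-1522 bytes is only acceptable when the frame
    carries an 802.1Q tag AND the port is configured to expect tags."""
    if len(frame) < MIN_FRAME:
        return "runt"
    tagged = struct.unpack(">H", frame[12:14])[0] == TPID_8021Q
    limit = MAX_TAGGED if (tagged and trunk_port) else MAX_FRAME
    if len(frame) > limit:
        return "giant"
    if fcs(frame[:-4]) != frame[-4:]:
        return "crc"
    return "ok"

def error_rate(results):
    """Fraction of received frames with any error (notes: keep under 1%)."""
    return sum(r != "ok" for r in results) / len(results)

if __name__ == "__main__":
    dst, src = b"\xff" * 6, b"\x02" + b"\x00" * 5       # constructed MACs
    frame = build_frame(dst, src, 0x0800, b"hello")
    damaged = bytearray(frame)
    damaged[20] ^= 0xFF                                   # simulate interference
    print(check_frame(frame, False), check_frame(bytes(damaged), False))
```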