Wednesday, March 17, 2010

Identify Traffic On Your WAN

We are in the process of looking deeper into our traffic patterns both on the LAN and on the WAN.  We run a number of tools (Nagios, Cacti, Wireshark, etc.) to keep an eye on overall traffic and performance, but to get beyond this and dig deeper you need tools like NetFlow and NBAR.  I figured I’d start with our smallest office and get a feel for how things are flowing over the WAN.  We’ve got a Cisco 2821 on site connected to a T1 over our MPLS network.  I figured I’d enable NBAR first and do a simple discovery of what traffic is flowing.  Here are the steps I took:

  1. Login to the router.
  2. Verify it isn’t overloaded before doing anything. I ran a “show process cpu” to verify all is well.  My router was running at 1% before I began any NBAR processes and I had plenty of free memory so I figured it was safe to enable.
  3. Perform a “wr” to make sure the current config is written.  You’ll also want to back up the config if you don’t have an automated way of doing this already. (I use CatTools….highly recommend.)
  4. OPTIONAL STEP:  Set your router to reload in 10 minutes (reload in 10). That way, if you enable NBAR and something goes wrong, in 10 minutes your router will reboot with the last known good configuration from before you enabled NBAR. If everything is OK, cancel the reload (reload cancel).
  5. Enable NBAR on your serial interface:

    Router(config)#interface Serial0/0
    Router(config-if)#ip nbar protocol-discovery

  6. Again, check out your router performance with “show process cpu”.  If it’s taking a huge hit use the “no” form of the above statement to disable NBAR.
  7. To see the results use the command “show ip nbar protocol-discovery”.
  8. If the list is long you can just return the Top 10 with: “show ip nbar protocol-discovery top-n 10”.
  9. To keep an eye on how many resources are used by NBAR use the command “show ip nbar resources”.
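
A way to roll up a saved copy of the protocol-discovery output, as an added example that is not part of the original post: this Python parser totals input and output bytes per protocol, ranks them with their share of all traffic, and lists protocols that are not on an expected list. The sample output, its counters, the three-rows-per-protocol layout and the function names are assumptions; the rows printed differ between IOS releases.

```python
import re

# Constructed sample: counters are made up, and the three-rows-per-protocol
# layout is an assumption (it differs between IOS releases).
SAMPLE = """\
 Serial0/0
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5 minute bit rate (bps)  5 minute bit rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     316773                   290112
                            26340105                 310450221
                            3000                     41000
   bittorrent               41200                    39800
                            4120000                  51740000
                            0                        0
   unknown                  1500                     1200
                            150000                   96000
                            0                        0
   Total                    359473                   331112
                            30610105                 362286221
                            3000                     41000
"""

NAME_ROW = re.compile(r"^\s+([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
NUM_ROW = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")

def parse_discovery(text):
    """Return {protocol: input+output bytes}; the Total row is dropped."""
    totals, current, byte_row_next = {}, None, False
    for line in text.splitlines():
        m = NAME_ROW.match(line)
        if m:                       # protocol name + packet counts
            current, byte_row_next = m.group(1), True
        elif byte_row_next and (m := NUM_ROW.match(line)):
            totals[current] = int(m.group(1)) + int(m.group(2))
            byte_row_next = False   # ignore the bit-rate rows that follow
    totals.pop("Total", None)
    return totals

def top_talkers(totals, n=10):
    # Each entry is (protocol, bytes, percent of all classified bytes).
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(p, b, round(100 * b / grand, 1)) for p, b in ranked[:n]]

def not_expected(totals, expected):
    """Protocols that moved traffic but are not on the site's expected list."""
    return sorted(p for p, b in totals.items() if b and p not in expected)
```

A large “unknown” share means NBAR could not classify that traffic, so it is worth following up with a packet capture or NetFlow data.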

That’s pretty much it. You can get a lot of information about what’s happening this way.  To really roll up the numbers you’ll need NetFlow tools, which I’ll discuss in another post.

Enjoy!

Tuesday, March 16, 2010

LifeSize Videoconference System Troubleshooting

As you can tell by my infrequent posts….I’ve been a little busy. :)  We are nearly done with our videoconferencing system upgrade.  We went from a Tandberg infrastructure to LifeSize HD.  I really like the LifeSize system, but it hasn’t been a smooth road.  We’ve had a number of issues with ISDN, some with the LifeSize Networker and some with our PBX and we still haven’t completely figured them out.  However, I have learned a whole lot about LifeSize and HD Videoconferencing that I didn’t know before.

For one, LifeSize has a few diagnostic screens buried in the interface that do tend to help. The biggest find was https://YourLifeSizeIPAddr/support.  This part of the built-in web interface allows you to change a number of settings, pull an IP (tcpdump) trace for analysis and even run some extended logging.  Oh yeah, you’ll be prompted to provide a username and password. The default username is “cli” and password is “lifesize”.  You can change those from default if you ssh into the box and use their command line tools…which unfortunately aren’t regular Linux tools.  They’ve got their own shell running that I haven’t figured my way around yet.

Anyhow, the first tool here on this page is the Coroner page.  That will run the equivalent of a Cisco “show tech support” on a router, dumping logs and data to a file you can send to support for analysis.  The file is called coroner.dat and seems to be some type of a tar file but I’ve been unable to uncompress it….but then I haven’t tried very hard. :)

The second link you see is for the ISDN troubleshooting page.  This page is great for ISDN troubleshooting.  It gives you a much better picture into what is happening on the LifeSize Networker.  Just like the main support page there are a number of knobs and switches to throw here.  I haven’t seen any documentation on what each of the settings and controls do (the tech notes describing them are pretty thin) but if you’ve been around videoconferencing and networking you can figure out most of the stuff without issue.

All in all I really like the LifeSize gear.  Once we get our new routers in (we’re planning a WAN upgrade as well) I’m going to implement LLQ/CBWFQ for video and voice traffic.  That should help out immensely with the dropped packets we are seeing now.  It won’t help over the Internet of course, but at least site to site calls will be better.

Oh yeah, when you do run a coroner capture it lists out what it’s grabbing as it works and it sure looks like some flavor of Linux under the hood.   Gotta love it!

 
