CA eHealth® Traffic Accountant and NetFlow Administration Guide, r6.1


This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright © 2008 CA. All rights reserved.


CA Product References

This document may reference the following CA products:

• CA eHealth® AdvantEDGE View
• CA eHealth® Application Response
• CA eHealth® Business Service Console (eHealth BSC)
• CA eHealth® Distributed eHealth
• CA eHealth® Fault Manager
• CA eHealth® Live Health® Application
• CA eHealth® Response
• CA eHealth® Service Availability
• CA eHealth® SystemEDGE
• CA eHealth® TrapEXPLODER
• CA eHealth® Voice Quality Monitor (VQM)
• CA eHealth® AIM for Apache
• CA eHealth® AIM for Microsoft Exchange
• CA eHealth® AIM for Microsoft IIS
• CA eHealth® AIM for Microsoft SQL Server
• CA eHealth® AIM for Oracle
• CA Insight AIM for CA eHealth®
• CA Insight™ Database Performance Monitor for Distributed Databases (CA Insight DPM for Distributed Databases)
• CA eHealth® Integration for Alcatel (eHealth - Alcatel)
• CA eHealth® Integration for Cisco IP Solution Center (eHealth - Cisco ISC)
• CA eHealth® Integration for Cisco WAN Manager (eHealth - Cisco WAN Manager)
• CA eHealth® Integration for HP OpenView (eHealth - OpenView)
• CA eHealth® Integration for Lucent (eHealth - Lucent)
• CA eHealth® Integration for Netcool (eHealth - Netcool)
• CA eHealth® Integration for Nortel Preside (eHealth - Nortel Preside)
• CA eHealth® Integration for Nortel Shasta SCS GGSN (eHealth - Nortel GGSN)
• CA eHealth® Integration for Starent PDSN (eHealth - Starent PDSN)
• CA SPECTRUM®
• CA Unicenter® Network and Systems Management (Unicenter NSM)
• CA eTrust® Identity and Access Management (eTrust IAM)
• CA Embedded Entitlements Manager (CA EEM)

  Note: CA Embedded Entitlements Manager (CA EEM) is the new name for eTrust IAM. This product will be rebranded throughout the documentation in a future release.

• CA XOsoft™ Replication

Contact CA

Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com.

If you would like to provide feedback about CA product documentation, please complete our short customer survey, which is also available on the CA Support website.

Contents

Chapter 1: Using eHealth to Monitor Traffic in Your Infrastructure
    The Value of Traffic Data
    eHealth Traffic Data Collection Methods
    How eHealth Collects Traffic Data from Cisco-Enabled Devices
    How eHealth Collects Traffic from Cisco NetFlow Collectors
    How eHealth Collects Traffic Data from RMON2 Probes
    The Value of Traffic Accountant Reports
    How eHealth Identifies the Top Conversations

Chapter 2: Installing and Configuring Traffic Accountant Components
    Meet System Requirements
    Traffic Accountant Installation Considerations
    License Your Traffic Accountant System
    How to Configure the eHealth NetFlow Collector to Collect Data
    How eHealth Imports Conversation Data from the eHealth NetFlow Collector
    How to Configure the eHealth Import Poller to Collect NetFlow Data
    How eHealth Imports Conversation Data from Cisco NetFlow Collectors
    How to Configure the eHealth Conversations Poller to Collect RMON2 Data in Your Network
    How eHealth Collects Conversation Data from the RMON2 Conversations Poller
    How to Migrate RMON2 Configuration Data from an NPO System to eHealth

Chapter 3: Managing Traffic Accountant
    How to Import NetFlow Elements Automatically
    How to Terminate Polling of NetFlow Elements
    How to Terminate Polling of Probe Elements
    How to Assess the Status of the eHealth Database
    How to Prevent Traffic Accountant Resource Overutilization
    How to Manage the Growth of Your Traffic Accountant Database
    How to Reduce the Number of Hours That eHealth Retains Conversation Data
    How to Remove Unwanted Node or Node-Address Pairs from the Database
    How to Manage the Poller Message Files
    How to Manage the Conversations Rollup Scheduled Job
    How to Modify Configuration Information for Cisco NetFlow Collectors
    How to Switch the Data Collection Mode for the Import Poller
    How to Collect Bi-Directional Data with the Standard Import Poller
    How to Troubleshoot Problems with Your Cisco NetFlow Collector
    How to Troubleshoot Problems with Polled NetFlow Devices

Chapter 4: Using Views and Groups
    How to Organize Nodes and Autonomous Systems
    View Planning
    Organizational Views
    Probe Views
    Geographic Views
    Functional or System-Type Views
    Unassigned Nodes Group
    Create a Traffic Accountant View
    How eHealth Creates a Probe View
    Copy a Traffic Accountant View
    Import a Traffic Accountant View
    Export a Traffic Accountant View
    Rename a Traffic Accountant View
    Delete a Traffic Accountant View
    Create a Traffic Accountant Group
    Modify a Traffic Accountant Group
    Delete a Group
    Update Views

Chapter 5: Traffic Accounting Reporting
    Types of Traffic Accountant Reports
    Pie Charts
    Bar Charts
    Trend Charts
    Tabular Charts
    Report Center Traffic Accountant Reports
    Default Traffic Accountant Reports
    Aggregation Reports
    Run a Traffic Accountant Report through Report Center
    Schedule a Traffic Accountant Report Job through Report Center
    Quick Start Traffic Accountant Reports
    Run a Quick Start Report from the eHealth Console
    Run a Quick Start Report from the Web User Interface
    Standard Traffic Accountant Reports
    Run a Traffic Accountant Report from the eHealth Console
    Schedule a Traffic Accountant Report Job through the eHealth Console
    How to Customize a Standard Traffic Accountant Report
    Modify a Copy of a Standard Report
    Rename a Report
    How to Configure the Node Name Display in Reports
    Automate the Process of Changing the Name Node Display in Reports
    How to Add Custom Applications to Traffic Accountant Reports
    How to Maintain eHealth Report Files

Appendix A: Subnet Masks
    IP Addresses, Subnets, and Subnet Masks
    Calculate the Subnet Mask

Appendix B: Running a Dedicated Traffic Accountant eHealth System
    Guidelines for Disabling Extraneous Processes
    Edit the Startup.cfg File

Index

Chapter 1: Using eHealth to Monitor Traffic in Your Infrastructure

This section contains the following topics:

• The Value of Traffic Data
• eHealth Traffic Data Collection Methods
• The Value of Traffic Accountant Reports

The Value of Traffic Data

Traffic data is any data that is sent from one node to another node within a network. A node is a device in your network that has a network address. When one node sends data to another node, the data transfer is called a conversation. Each conversation has a node pair (that is, a sending node and a receiving node). A conversation can be a request to determine whether a system is active (known as a ping), or it can be a file transfer operation, an e-mail message, or a request to a web server. Traffic data can also be data that is sent from one autonomous system to another autonomous system within a network. An autonomous system (AS) is a collection of networks under a common administration sharing a common routing strategy.

Traffic data can be useful for planning and implementing network security, reconfiguration, growth, partnering, and provisioning. This type of data can help you to correlate network costs to the devices, subnetworks, external customers, internal users, and organizations or departments that use your network.

eHealth Traffic Data Collection Methods

eHealth Traffic Accountant includes the following product components that you can use to collect traffic data that is generated in your network:

• eHealth NetFlow Collector
• eHealth Import Poller
• Traffic Accountant RMON2 Conversations Poller

The eHealth NetFlow Collector collects node-to-node and AS-to-AS NetFlow traffic data directly from Cisco routers and switches in the network via a user-defined port. NetFlow is an open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. The enhanced eHealth Import Poller collects NetFlow data by extracting data files from Cisco NetFlow Collectors that are installed throughout your infrastructure. To use either of these data collection methods, you must install Traffic Accountant on a dedicated, standalone eHealth system. To analyze the data, you can generate reports through the Report Center user interface. (You cannot generate reports on this data through the eHealth console or the Run Reports page of the eHealth Web user interface.)

As an alternative method for monitoring NetFlow traffic, you can use the standard eHealth Import Poller to collect either node-to-node or AS-to-AS data from Cisco NetFlow Collectors in your network. If you have installed RMON2 probes throughout your infrastructure, you can use the Traffic Accountant RMON2 Conversations Poller to collect RMON2 traffic data from the probes. To use either of these data collection methods, you should install Traffic Accountant on a dedicated, standalone eHealth system. To analyze the data, you can generate reports through the eHealth console or the Run Reports page of the eHealth Web user interface. (You cannot generate reports on this data through the eHealth Report Center user interface.)

How eHealth Collects Traffic Data from Cisco-Enabled Devices

If you install the eHealth NetFlow Collector (ENFC) in your network, you can use it to capture end-to-end conversation data directly from Cisco NetFlow-enabled devices in your network. This data provides details about the protocols and ports used, and the end nodes that are exchanging data. In addition, it can also include information on Multi-Protocol Label Switching (MPLS), Border Gateway Protocol (BGP), multicast, and AS-to-AS traffic. If you use the ENFC, you do not need to install a Cisco NetFlow Collector.

The ENFC is a passive collector; it does not poll NetFlow devices at regular intervals to collect traffic data. Instead, it resides on the Traffic Accountant system and listens for UDP NetFlow data packets on a port. It waits until NetFlow interfaces send data, and then processes it. You can configure the ENFC to listen to specific ports and aggregate the data in a specific way.

When you use the eHealth NetFlow Collector to collect conversation data, eHealth does the following:

1. Stores the raw NetFlow data in a database table.
2. Processes the data to obtain conversation data observed by NetFlow-enabled devices in your network.
3. Discovers each Cisco NetFlow interface that is sending data to the ENFC.
4. Creates a probe element for each NetFlow interface and stores it in the eHealth database.
5. Adds the conversation data for each device to the eHealth database.
6. Automatically receives more traffic data from each device at each interval.

For instructions on configuring the ENFC to collect NetFlow data, see How to Configure the eHealth NetFlow Collector to Collect Data (see page 19).
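The passive collection described above can be illustrated with a small collector that validates each UDP datagram before turning its flow records into node-to-node conversations. This is an added example, not eHealth code; it assumes the NetFlow version 5 export layout, and the exporter allowlist, function names, and sample addresses are hypothetical.

```python
import ipaddress
import socket
import struct

# NetFlow v5 wire layout (assumed export format): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30      # upper bound on flow records in one v5 datagram
DEFAULT_PORT = 9991      # default collection port named in this guide


class BadDatagram(ValueError):
    """Datagram failed validation and must not reach the database."""


def parse_v5(datagram, exporter, allowed_exporters):
    """Validate one datagram and return its flow records as dicts."""
    # NetFlow over UDP carries no authentication. The allowlist is only a
    # filter (source addresses can be spoofed), so pair it with network ACLs.
    if exporter not in allowed_exporters:
        raise BadDatagram(f"unexpected exporter {exporter}")
    if len(datagram) < V5_HEADER.size:
        raise BadDatagram("shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise BadDatagram(f"unsupported version {version}")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise BadDatagram(f"implausible record count {count}")
    # The declared count must match the bytes actually received.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise BadDatagram("length does not match record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "protocol": f[13],
            "src_as": f[15], "dst_as": f[16],
        })
    return flows


def aggregate_conversations(flows, totals=None):
    """Sum flows per (sending node, receiving node) pair."""
    totals = {} if totals is None else totals
    for f in flows:
        conv = totals.setdefault((f["src"], f["dst"]),
                                 {"bytes": 0, "packets": 0, "flows": 0})
        conv["bytes"] += f["bytes"]
        conv["packets"] += f["packets"]
        conv["flows"] += 1
    return totals


def serve(allowed_exporters, port=DEFAULT_PORT, bind="0.0.0.0"):
    """Passive loop: wait for exporters to send data, never poll them."""
    totals = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            datagram, (addr, _) = sock.recvfrom(65535)
            try:
                aggregate_conversations(
                    parse_v5(datagram, addr, allowed_exporters), totals)
            except BadDatagram as exc:
                print(f"dropped datagram from {addr}: {exc}")


def build_v5_datagram(records, version=5):
    """Build a constructed datagram for offline testing."""
    header = V5_HEADER.pack(version, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, bytes(4),
                       0, 0, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, pkts, octets, sport, dport, proto in records)
    return header + body


# Constructed sample input (documentation address ranges, not real traffic).
ALLOWED_EXPORTERS = {"203.0.113.1"}
SAMPLE_DATAGRAM = build_v5_datagram([
    ("192.0.2.10", "198.51.100.5", 3, 1500, 49152, 443, 6),
    ("192.0.2.10", "198.51.100.5", 1, 500, 49153, 443, 6),
    ("192.0.2.11", "198.51.100.5", 2, 300, 53000, 53, 17),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM, "203.0.113.1", ALLOWED_EXPORTERS)
    for pair, conv in aggregate_conversations(flows).items():
        print(pair, conv)
```

Datagrams that fail any check are dropped before aggregation, so a truncated or forged packet cannot add conversation records.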

How eHealth Collects Traffic from Cisco NetFlow Collectors

If you have installed one or more Cisco NetFlow Collectors in your network, you can install the eHealth Import Poller to import NetFlow traffic data from the collectors. Cisco NetFlow Collectors are workstations that collect and process the conversation data sent from Cisco routers and switches that exist in your network.

By default, the enhanced eHealth Import Poller collects node-to-node and AS-to-AS data simultaneously. However, if you configure the Import Poller to use standard data collection, you can collect only one type of data at one time. To collect both types of data using the standard eHealth Import Poller, you must install Traffic Accountant on two separate eHealth systems.

When you use the eHealth Import Poller to retrieve conversation data, the following occurs:

1. Each Cisco NetFlow Collector filters and aggregates the conversation data that it collects from each device.

2. The collectors save the data as flat files in a directory on the NetFlow Collector workstation.

3. The eHealth Import Poller retrieves the data files from the Cisco NetFlow Collectors via File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Tectia SSH FTP.

4. The poller stores this data in the eHealth database.

Important! If you run the poller in standard mode, you cannot collect node-to-node and AS-to-AS data simultaneously. To do so, you must install eHealth Traffic Accountant on two separate eHealth systems.


To use the eHealth Import Poller, you need to configure it by running the setup program. As part of the configuration, you discover the NetFlow interfaces, and then eHealth saves them as NetFlow probe elements in the database. (If you have not already created a NetFlow scheduled job, you must discover the devices to enable eHealth to poll them.)

Note: For instructions on using the eHealth Import Poller, see How to Configure the eHealth Import Poller to Collect NetFlow Data (see page 21).

How eHealth Collects Traffic Data from RMON2 Probes

If you install remote monitoring version 2 (RMON2) dialog probes in your network, you can use eHealth Traffic Accountant software to collect RMON2 traffic data. A probe is a device that contains RMON2 software that records information about network traffic conversations occurring between nodes on the network (as specified in the latest version of the management information base (MIB) specification, RMON, version). Although the information collected by each probe can vary, a probe typically identifies the address of the sending node, the address of the receiving node, the number of packets and bytes transmitted, and the protocol or application type of the data.


Using Simple Network Management Protocol (SNMP) agents, eHealth searches particular ports for the IP addresses of the probes that you specify. After eHealth discovers each probe, it adds it to the database as a probe element. A probe element is a single interface on a probe which behaves as a virtual probe. Some probes can have many interfaces, but a useful limit can only be determined by the amount of data that a probe sees. Traffic Accountant discovers probe interfaces, not probes. A probe element learns about the nodes around it by observing the conversations and reading the addresses of the node pairs. If a node does not send or receive any traffic, a probe element does not know that the node exists. The following illustration shows an example of two network segments, each with its own nodes and probe element.

The darker lines represent conversations that occur between these nodes:

• NodeA and Node2
• NodeC and NodeB
• Node1 and Node2

Probe elements see only the conversations that take place on the network segment where the probe element resides. Either one or both of the nodes must reside on or send data on the segment where the probe element resides.


For example, Probe1 sees the conversations between NodeA and Node2, and NodeC and NodeB. Probe1 does not see the conversation between Node1 and Node2 because both of those nodes are on a different segment. Similarly, Probe2 sees the conversations between NodeA and Node2, and between Node1 and Node2. Probe2 does not see the conversation between NodeC and NodeB because those nodes are on a different segment.

When eHealth retrieves conversation data from RMON2 probes, it follows this process:

1. Poll the probe elements to obtain the probe elements’ conversation data.
2. Filter out any conversation data that is below a defined minimum size or older than a user-defined date.

3. Save the conversations and top conversations in the database.

The Value of Traffic Accountant Reports

If you install eHealth Report Center, you can use the Report Center user interface to generate reports on the data that you collect using the eHealth NetFlow Collector or the enhanced eHealth Import Poller. To analyze the data that you collect using the standard eHealth Import Poller or the RMON2 Conversations Poller, however, you must generate reports through the eHealth console or the Run Reports page of the eHealth Web user interface.

Traffic Accountant reports identify how nodes, autonomous systems, and applications use your network. You can use this information to analyze the network and address traffic problems. These reports can help you determine the following:

• The nodes or autonomous systems that use the network the most
• The nodes or autonomous systems that use specific nodes or autonomous systems
• Whether any unassigned nodes are accessing certain network resources
• The volume trends for a node or autonomous system, group of nodes or autonomous systems, or a network segment
• The applications that are used the most on the network by a certain node or autonomous system, or on a network segment
• Traffic usage patterns for cost-effective partnering

How eHealth Identifies the Top Conversations

When you run a standard Traffic Accountant report from the eHealth console or the Run Reports page of the eHealth Web user interface, eHealth analyzes the data to determine which conversation records are the most accurate. The most accurate record of a conversation is the top conversation. eHealth uses the top conversations when you run Traffic Accountant reports from the eHealth console or the Web user interface for all probe elements or all NetFlow-enabled interfaces. Since different elements might have observed the same conversations, eHealth only analyzes the top conversations to avoid including redundant information in the reports.

eHealth calculates the top conversations by comparing the data for each node or autonomous system pair as recorded by any probe or NetFlow element. If only one element observes the conversations between a node or autonomous system pair, eHealth automatically considers those records to be the top conversation records.

When more than one element observes conversations between the same node or autonomous system pair, eHealth compares the total amount of conversation data for the node pair as observed by each element. eHealth chooses the element that has the largest amount of conversation data for the node or autonomous system pair. It considers all conversation records observed by that element for that node or autonomous system pair to be the top conversations.
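The selection rule above, applied to the Probe1 and Probe2 visibility example from the RMON2 section, can be sketched as follows. This is an added example, not eHealth code; the byte counts are constructed, and treating a node pair as unordered and breaking ties by element name are assumptions the guide does not state.

```python
from collections import defaultdict

# Constructed sample records: (observing element, sender, receiver, bytes).
# Probe1 sees NodeA<->Node2 and NodeC<->NodeB; Probe2 sees NodeA<->Node2
# and Node1<->Node2, matching the two-segment example in this chapter.
RECORDS = [
    ("Probe1", "NodeA", "Node2", 4000),
    ("Probe1", "Node2", "NodeA", 1000),
    ("Probe2", "NodeA", "Node2", 3500),
    ("Probe2", "Node2", "NodeA", 900),
    ("Probe1", "NodeC", "NodeB", 700),
    ("Probe2", "Node1", "Node2", 2500),
]


def pair_key(sender, receiver):
    """Assumption: both directions belong to the same node pair."""
    return tuple(sorted((sender, receiver)))


def choose_top_elements(records):
    """For each node pair, pick the element that saw the most data."""
    seen = defaultdict(lambda: defaultdict(int))   # pair -> element -> bytes
    for element, sender, receiver, nbytes in records:
        seen[pair_key(sender, receiver)][element] += nbytes
    winners = {}
    for pair, per_element in seen.items():
        # A pair seen by one element is won by that element automatically.
        # Assumption: ties go to the alphabetically first element name.
        winners[pair] = max(sorted(per_element), key=per_element.get)
    return winners


def top_conversations(records):
    """Keep every record the winning element observed for its pair."""
    winners = choose_top_elements(records)
    return [r for r in records if winners[pair_key(r[1], r[2])] == r[0]]


def total_bytes(records):
    return sum(r[3] for r in records)


def element_report(records, element):
    """A report for one element uses its records, top or not."""
    return [r for r in records if r[0] == element]


if __name__ == "__main__":
    print(choose_top_elements(RECORDS))
    print("all records:", total_bytes(RECORDS))
    print("top only:  ", total_bytes(top_conversations(RECORDS)))
```

Summing every record counts the NodeA and Node2 conversation twice (12600 bytes in the sample), while the top conversations give 8200 bytes.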

When you run a report for a specific element, eHealth uses the information returned by the element, regardless of whether the records are top


Chapter 2: Installing and Configuring Traffic Accountant Components

This section contains the following topics:

• Meet System Requirements
• Traffic Accountant Installation Considerations
• License Your Traffic Accountant System
• How to Configure the eHealth NetFlow Collector to Collect Data
• How to Configure the eHealth Import Poller to Collect NetFlow Data
• How to Configure the eHealth Conversations Poller to Collect RMON2 Data in Your Network

Meet System Requirements

The standard eHealth installation program allows you to install Traffic Accountant as an optional component. CA does not support the collection of statistics data and conversations data on a single system. Because the volume of Traffic Accountant data can become quite large and consumes a large amount of data storage capacity, you should install it on a separate system that is dedicated to eHealth Traffic Accountant. To use eHealth’s NetFlow data collection capabilities, you must install Traffic Accountant on a dedicated, standalone eHealth system, and the eHealth system platform must meet the system requirements for eHealth.

Prior to installing Traffic Accountant, follow these steps to meet system requirements:

1. Review the Traffic Accountant Resource Requirements Document located on the Support web site to estimate the amount of memory and disk space required for a Traffic Accountant installation.

2. Access the eHealth Sizing Wizard on the eHealth product web site. Respond to the series of questions, wait for eHealth to calculate the system resources required to support your eHealth implementation, and note the requirements.

3. See the Cisco user documentation to confirm that your NetFlow Collectors, switches, and routers meet system requirements.

Note: Most eHealth Import Poller performance impacts relate to the size of the files; that is, larger files take longer to process than smaller files that eHealth imports from the Cisco NetFlow Collectors.


Traffic Accountant Installation Considerations

Review the following considerations before you install or upgrade eHealth Traffic Accountant:

• Upgrading any eHealth system that is not a pristine Traffic Accountant system will cause installation problems.
• Report Center is required to generate reports about data collected by the eHealth NetFlow Collector and by the NetFlow import poller running in enhanced mode.
• You must run the Traffic Accountant-specific installation with the Traffic Accountant-specific LCF file.

License Your Traffic Accountant System

Before you can use any Traffic Accountant components to collect RMON2 or NetFlow conversation data, you must obtain authorized poller license keys for each device that you want to poll and also obtain a license for Traffic Accountant.

Important! By default, the eHealth Import Poller runs in enhanced mode and collects AS-to-AS data and node-to-node data simultaneously from the Cisco NetFlow Collectors in your network. If you configure the eHealth Import Poller in standard mode and you want to collect node-to-node and AS-to-AS traffic statistics simultaneously, you must install two eHealth Traffic Accountant licenses on two separate eHealth systems.

To add one or more eHealth licenses to your Traffic Accountant system

1. Log in to http://support.concord.com.
   The Technical Support page appears.
2. Select the licensing tab.
   The Licensing page appears.
3. Click on the eHealth Network License Request Form, complete the fields, and click Submit.
   The Licensing department sends you a set of authorized product license keys for the designated eHealth system.
4. Create a backup copy of your license.dat file in the eHealth/lmgr directory.
5. Do the following:
   a. Open the license.dat file that resides in the eHealth/lmgr directory.
   b. Open the e-mail message that Licensing sent to you.
6. Copy and paste the keys from the message into the file to overwrite the existing entries with the contents from the e-mail message.
   Important! Be sure to copy only the license.dat portion of the message. If you inadvertently include the e-mail header information, the license will not function correctly.
7. Save the file and close it.
8. Do one of the following:
   • On a Windows system, select Start, Control Panel, Administrative Tools, Services. On the Services page, select the FlexLM and eHealth server processes, right-click, and select Stop. After the processes stop, select the FlexLM and eHealth server processes again, right-click, and select Start. eHealth restarts the processes and enables your licenses.
   • On a UNIX system, enter the following:

       cd eHealth/bin
       nhLmgr stop
       nhLmgr start

     eHealth restarts the license manager and enables your licenses.

How to Configure the eHealth NetFlow Collector to Collect Data

If you install Traffic Accountant and configure the eHealth NetFlow Collector (ENFC), you can collect data directly from Cisco routers and switches that are in your network. The ENFC supports Cisco routers up to version 9.0 and imports both node-to-node and AS-to-AS data simultaneously. You can install one ENFC on each eHealth system that you have, and configure each one by running an interactive script from the eHealth console. If you install an ENFC, you do not need to install a Cisco NetFlow Collector in your network.

To configure the ENFC

1. If you have not already done so, do the following:
   a. Install Traffic Accountant on each workstation that you designate as an eHealth system. For instructions, see the eHealth Installation Guide for your platform.
   b. Confirm that your eHealth system and Cisco devices meet system requirements. For instructions, see Meet System Requirements (see page 17).
   c. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18).
2. Log in to the eHealth system as the eHealth administrator.
3. In a terminal window, change to the eHealth installation directory.
4. If eHealth is installed on a UNIX system, use one of the following commands to source the appropriate eHealth resource file to set your environment:

   Shell     Command
   Bourne    . nethealthrc.sh
   C         source nethealthrc.csh
   Korn      . nethealthrc.ksh

5. Start eHealth by entering the following command:

   ehealth

6. In the eHealth console, select Setup, Configure, NetFlow to display the nhNetflowSetup window.
7. Select 1 to install the ENFC.
8. Specify the collection port (9991 is the default), and then press Enter.
   eHealth lists all predefined aggregators.
9. Select an aggregator by name or by index.
10. Select Y to activate it.
11. Enter 4 to save the aggregator setting to the eHealth database.
12. Configure additional aggregators by repeating Steps 8 through 11.

How eHealth Imports Conversation Data from the eHealth NetFlow Collector

The ENFC listens for UDP NetFlow data packets on the port that you specified during the installation. When NetFlow interfaces send data, the ENFC processes it and stores it in the database. After eHealth discovers the Cisco NetFlow interfaces and creates probe elements for them, it adds the conversation data for each device to the eHealth database. At each poll, eHealth automatically retrieves more traffic data from each device.

The NetFlow Collection window in the OneClick for eHealth console displays the time of the next poll. Green bars indicate the number of eHealth elements that were polled successfully. The Errors bar graph displays red bars to indicate the number of elements that eHealth did not poll successfully. The NetFlow Collection window updates with each new poll.

Each data file processed by the ENFC contains one interval. This interval is set within the ENFC and usually matches the NetFlow Collection interval value (the default is 15 minutes). A poll bar indicates the number of Cisco NetFlow-enabled router interfaces that had data for a given polling cycle. A separate poll bar represents each interval. To view error messages related to NetFlow-enabled devices, check the ehealth/log directory.

How to Configure the eHealth Import Poller to Collect NetFlow Data

If you install Traffic Accountant and have one or more Cisco NetFlow Collectors installed in your infrastructure, you can configure the eHealth Import Poller to collect NetFlow data from Cisco routers and switches that exist in your network. By default, the enhanced eHealth Import Poller collects node-to-node and AS-to-AS data simultaneously. The standard Import Poller allows you to collect only one type of data at one time. To collect both types of data using the standard Import Poller, you must install Traffic Accountant on two separate eHealth systems.

Cisco NetFlow Collectors filter and process NetFlow data according to specific aggregation schemes. Since the standard eHealth Import Poller supports a subset of the available aggregation schemes, you must ensure that you configure your NetFlow Collectors with one of the following supported active aggregation schemes:

• DetailASMatrix or HostMatrixInterface if you are running eHealth Traffic Accountant in node-to-node mode
• ASMatrix if you are running eHealth Traffic Accountant in AS-to-AS mode

Note: If you use a non-supported aggregation scheme, eHealth cannot provide conversation data. For information on setting an aggregation scheme on a NetFlow Collector, see the Cisco documentation on the Cisco Web site at www.cisco.com.

The eHealth Import Poller ignores aggregations that contain unsupported fields. The following table lists all fields that are currently supported.

Aggregation Field      Value
PROCESS_TIME           NOT NULL NUMBER(11)
ROUTER_ADDR            VARCHAR2(45 CHAR)
ELEMENT_ID             NUMBER(11)
MACHINE_ID             NUMBER(11)
SOURCE_ID              NUMBER(11)
UNIX_NSECS             NUMBER(11)
VERSION                NUMBER(2)
AGGREGATION_ID         NUMBER(11)
SRC_IP_ADDR            VARCHAR2(45 CHAR)
SRC_IP_ADDR            NUMBER(11)
DST_IP_ADDR            VARCHAR2(45 CHAR)
DST_PORT               NUMBER(11)
PROTOCOL               NUMBER(3)
TOS                    NUMBER(5)
INPUT_IF_IDX           NUMBER(11)
OUTPUT_IF_IDX          NUMBER(11)
SRC_MASK               NUMBER(3)
DST_MASK               NUMBER(3)
FLOW_BYTES             NUMBER(38)
FLOW_PACKETS           NUMBER(38)
IP_NEXT_HOP            VARCHAR2(45 CHAR)
SRC_AS                 NUMBER(11)
DST_AS                 NUMBER(11)
BGP_IP_NEXT_HOP        VARCHAR2(45 CHAR)
IPV6_FLOW_LABEL        NUMBER(8)
PACKET_TYPE            NUMBER(11)
MPLS_TOP_LABEL_TYPE    NUMBER(5)
MPLS_TOP_LABEL_IP      VARCHAR2(45 CHAR)
SRC_MAC                NUMBER(15)
DST_MAC                NUMBER(15)
SRC_VLAN               NUMBER(5)
DST_VLAN               NUMBER(5)
IP_VERSION             NUMBER(1)
DIRECTION              NUMBER(1)
MPLS_LABEL1            NUMBER(11)
MPLS_LABEL2            NUMBER(11)
MPLS_LABEL3            NUMBER(11)
MPLS_LABEL4            NUMBER(11)
MPLS_LABEL5            NUMBER(11)
MPLS_LABEL6            NUMBER(11)
MPLS_LABEL7            NUMBER(11)
MPLS_LABEL8            NUMBER(11)
MPLS_LABEL9            NUMBER(11)
MPLS_LABEL10           NUMBER(11)
SAMPLE_INTERVAL        NUMBER(11)
SAMPLEALG              NUMBER(5)
FLOW_SAMPLER_ID        NUMBER(5)
FLOW_SAMPLER_MODE      NUMBER(5)
RANDOM_INTERVAL        NUMBER(11)
IF_NAME                VARCHAR2(32 CHAR)
IF_DESC                VARCHAR2(255 CHAR)
SAMPLER_NAME           VARCHAR2(255 CHAR)
FRAGMENT_OFFSET        NUMBER(5)
FORWARDING_STATUS      NUMBER(3)
TCP_FLAG               NUMBER(3)
FLOW_END               NUMBER(11)
FLOW_START             NUMBER(11)
MIN_PKT_LEN            NUMBER(5)
MAX_PKT_LEN            NUMBER(5)
MIN_TTL                NUMBER(3)
MAX_TTL                NUMBER(3)
FLOWS                  NUMBER(38)
IPV4_IDENT             NUMBER(5)

You can use the NetFlow Collector User Interface (NFUI) to display runtime configuration parameters, resource definitions, and statistics, as well as modify existing configuration parameters and define new configuration parameters. For detailed instructions, see your Cisco NetFlow user documentation for the NFUI.

To configure the eHealth Import Poller to collect NetFlow data

1. If you have not already done so, do the following:

a. Install one or more Cisco NetFlow Collectors within your network by following the instructions provided in your Cisco NetFlow installation documentation. If you have installed the eHealth NetFlow Collector already, you do not need to install a Cisco NetFlow Collector. For instructions, see How to Configure the eHealth NetFlow Collector to Collect Data (see page 19).

Note: To collect NetFlow data on the network using the eHealth Import Poller, you must install one or more NetFlow Collectors within your infrastructure. You cannot use this poller unless you install these collectors.

b. Install eHealth on each workstation that you designate as an eHealth system. For instructions, see the eHealth Installation Guide for your platform.

c. Confirm that your Cisco NetFlow Collectors, eHealth system, and Cisco routers and switches all meet system requirements. For instructions, see Meet System Requirements (see page 17).

d. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18).

2. Collect the following configuration information regarding your Cisco NetFlow Collector:

a. Hostname of the NetFlow Collector system.

b. IP address of the NetFlow Collector system (the setup procedure attempts to derive the IP address from the hostname of the NetFlow Collector system, so you may be able to accept the default).

c. User name that eHealth can use to log in to the NetFlow Collector system (default is nhuser).

d. Password for this user on the NetFlow Collector system.

e. Full pathname of a directory on the NetFlow Collector system on which the NetFlow Collector software is installed (default is /opt/CSCOnfc).

3. Log in to the eHealth system as the eHealth administrator.

4. In a terminal window, change to the eHealth installation directory.


5. If eHealth is installed on a UNIX system, use one of the following commands to source the appropriate eHealth resource file to set your environment:

Shell     Command
Bourne    . nethealthrc.sh
C         source nethealthrc.csh
Korn      . nethealthrc.ksh

6. Start eHealth by entering the following command:

ehealth

7. In the eHealth console, select Setup, Configure, NetFlow to display the nhNetflowSetup window.

8. At the first prompt, enter 2 to install the eHealth Cisco NetFlow Import Poller.

9. At the next prompt, enter 1 to set up a new NetFlow Collector; then enter 1 to add a new collector.

10. At the next prompt, enter the hostname of the Cisco NetFlow Collector workstation to enable eHealth to locate this workstation on the network. One of the following occurs:

• If it locates the hostname, it obtains the workstation’s IP address.

• If it cannot locate the workstation, it displays an error message indicating that the hostname does not respond to ping. Although the system cannot locate this workstation, you can still use the workstation name. Enter y at the prompt. If you enter n, the system prompts you again for the name of the host.

11. At the next prompt, enter the IP address of the NetFlow Collector and specify the type of FTP that you would like eHealth to use to access the NetFlow system. Do one of the following:

• If you select SFTP, create a login without a password on the system on which you have configured the NetFlow Collector. Enter the following:

$ ssh-keygen -t rsa

Enter file in which to save the key (/ehealth/user/.ssh/id_rsa); then enter the same passphrase again. eHealth saves the login information in /ehealth/user/.ssh/id_rsa, and it saves your public key in /ehealth/user/.ssh/id_rsa.pub. Copy the public key to the Cisco NetFlow system by doing the following:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@netflowMachine

• If you select FTP, specify a user name and password that eHealth can use to access the NetFlow Collector. If the nhNetflowSetup script cannot establish an FTP session with the NetFlow Collector workstation, you cannot import data from the NetFlow Collector. Check the user name and password for this NetFlow Collector, and enter the correct information when prompted. If this information is correct, you may have a network connectivity problem.

Note: As an alternative, eHealth also supports Tectia SSH FTP.

12. Enter the pathname of the directory on the NetFlow Collector workstation in which NetFlow is installed.

eHealth saves the settings.

13. Specify the type of data collection to use. By default, the Import Poller runs in enhanced mode and collects AS-to-AS data and node-to-node data simultaneously from the Cisco NetFlow Collectors in your network.

Note: When you use enhanced data collection, you can generate Traffic Accountant reports through the Report Center user interface.

14. Enter the polling interval to specify how often (in minutes) eHealth collects information from the NetFlow Collectors. The default is 15 minutes.

eHealth time-aligns the NetFlow data to the interval of the Conversations Poller. For example, if the Conversations Poller is 30 minutes, eHealth time-aligns the data to the half hour. If the data is less than the conversations polling interval, eHealth stores the data to its internal cache for at least 30 minutes and then writes the data to the database.

15. Enter the maximum amount of time (in minutes) to allow a data extraction to finish before timing out. The default is 15 minutes.

16. Press Return.

The nhNetflowSetup script saves all of the NetFlow Collector information.

17. To configure the Import Poller to import data from another NetFlow Collector, repeat Steps 9 through 17.


18. Use eHealth to discover probe elements for each NetFlow-enabled device interface that reports data to the NetFlow Collectors:

a. Log in to the eHealth console.

b. Select Setup, Import Elements, NetFlow. The NetFlow Import Elements dialog appears.

c. Optionally, specify a Database Configuration Information (DCI) exclusion rules file to filter the eHealth probe elements prior to adding them to the eHealth database. Click Browse; then select the files. For instructions on creating a rules file, see the eHealth Administration Guide.

d. In the NetFlow Import Elements dialog, click Discover.

e. The Discovering dialog displays status messages under Discovery Results.

f. If polling does not begin, the circle in the Import Polling window (in the OneClickEH console) may be blue and the message “Waiting for asynch import” may appear. If this happens, stop and restart the eHealth server by selecting Tasks and Information, Setup, Server Controls in the left pane of the OneClickEH console.

Note: You can stop the discover process at any time by clicking Stop Discovery. eHealth discards all elements listed under Discovery Results and closes the Discovering dialog.

Once eHealth completes the discover process, the eHealth Import Poller should begin polling the probe elements at the next poll.
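The SFTP option in step 11 leaves the eHealth account holding a private key (/ehealth/user/.ssh/id_rsa) that logs in to the NetFlow Collector without a password prompt, so the key file itself is the credential. The following check is an added example, not part of the CA guide: it reports key files readable beyond their owner, a writable key directory, and keys stored without a passphrase. The function names and the header-only sample keys are constructed for illustration.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, offset):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def key_protection(pem_text):
    """Return the cipher protecting a private key, or "none" if stored in the clear."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].endswith("PRIVATE KEY-----"):
        raise ValueError("not a PEM private key")
    if lines[0] == OPENSSH_BEGIN:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(MAGIC))
        return cipher.decode("ascii")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8"
    # Legacy PEM (BEGIN RSA PRIVATE KEY): encryption is declared in a DEK-Info header.
    for ln in lines[1:]:
        if ln.startswith("DEK-Info:"):
            return ln.split(":", 1)[1].split(",")[0].strip()
    return "none"


def audit_key(path):
    """Return a list of findings for the private key file at `path`."""
    findings = []
    path = os.path.abspath(path)
    key_mode = stat.S_IMODE(os.stat(path).st_mode)
    if key_mode & 0o077:
        findings.append("key file mode %04o is accessible beyond the owner" % key_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if dir_mode & 0o022:
        findings.append("key directory mode %04o is group/world-writable" % dir_mode)
    with open(path, "r", encoding="ascii") as fh:
        if key_protection(fh.read()) == "none":
            findings.append("key has no passphrase; file permissions are its only protection")
    return findings


def _constructed_key(cipher):
    """Build a header-only, non-functional sample in the openssh-key-v1 layout."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = MAGIC + s(cipher.encode("ascii")) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return "\n".join([OPENSSH_BEGIN, base64.b64encode(blob).decode(), OPENSSH_END]) + "\n"


def demo():
    """Audit two constructed keys in a temporary directory; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        weak = os.path.join(ssh_dir, "id_rsa_weak")
        good = os.path.join(ssh_dir, "id_rsa_good")
        for path, cipher, mode in ((weak, "none", 0o644), (good, "aes256-ctr", 0o600)):
            with open(path, "w", encoding="ascii") as fh:
                fh.write(_constructed_key(cipher))
            os.chmod(path, mode)
        return audit_key(weak), audit_key(good)


if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```

An unattended poller normally needs the key to work without interaction, so a missing passphrase is reported as a finding to weigh against the file and directory permissions rather than as an error.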

How eHealth Imports Conversation Data from Cisco NetFlow Collectors

After you configure the Import Poller to extract data files from each NetFlow Collector, you need to use eHealth to discover probe elements for each NetFlow-enabled device interface that has reported data to the NetFlow Collectors, and then save the probe elements in the eHealth database.

After the eHealth Import Poller retrieves data files from the NetFlow Collectors in your network and imports them to the eHealth system, it aligns the data to the interval of the Conversations Poller. If the Conversations Poller is 30 minutes, eHealth time-aligns the data to the half hour. If the Cisco NetFlow samples are less than the conversation polling interval, it stores the data to its internal cache until it can be stored to the database.


Each data file imported from the NetFlow Collector contains one interval. This interval is set within the NetFlow Collector and refers to the period within which the NetFlow Collector wrote the data to the file. For best performance, this interval value should usually match the Import Poller interval value (the default is 15 minutes). In the Import Polling window on the eHealth Status Summary page of the OneClick for eHealth console, green bars show the number of Cisco NetFlow-enabled router interfaces that had data for a given import polling cycle. A separate poll bar represents each interval. To view error messages related to NetFlow-enabled devices, check the ehealth/log directory. When the eHealth Import Poller begins polling for the first time (or after a long hiatus), it reads a backlog of data of up to eight hours. This creates an initial configuration that can be up to eight hours old. eHealth aggregates this data and saves it in the database.

How to Configure the eHealth Conversations Poller to Collect RMON2 Data in Your Network

If you install eHealth Traffic Accountant software and install probes within your network, you can use the RMON2 Conversations Poller to collect traffic data from the probe elements. Traffic Accountant discovers probe interfaces, not probes. A probe element is a single interface on a probe which behaves as a virtual probe. eHealth polls probe elements, collects information about the conversations that each probe element observed, and then stores this information in its database.

To configure the eHealth Conversations Poller to collect RMON2 data

1. If you have not already done so, do the following:

a. Install Traffic Accountant on each workstation that you designate as an eHealth system. For instructions, see the eHealth Installation Guide for your platform.

b. Confirm that your eHealth system meets system requirements. For instructions, see Meet System Requirements (see page 17).

c. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18).

2. Install one or more probes within your network in areas that maximize the traffic coverage:

• Internal LANs

• Interfaces to WANs

• Subnets on which servers or other important systems reside


3. Use the eHealth discover process to add each probe interface to the eHealth database.

How eHealth Collects Conversation Data from the RMON2 Conversations Poller

After you have discovered your probes and added them to your database, the eHealth Conversations Poller begins to poll them to collect information about the conversations that they observed, and then stores this data in its database.

The Conversations Polling window in the OneClick for eHealth console displays information about the Conversations Poller, which uses Simple Network Management Protocol (SNMP) and SNMPv2 to poll discovered RMON2 probe elements for Traffic Accountant data. The window shows the time of the next poll, the number of Good Polls, and the number of Bad Polls. Like the Statistics Polling window, the bars change color to indicate the polling status. eHealth filters the data that it receives from a probe element and ignores information about conversations that are less than a defined minimum size. By default, eHealth does not save information for conversations that are less than 500 bytes per minute for the duration of the polling interval. Thus, if your polling interval is 30 minutes, eHealth does not save information for conversations that are 15,000 (500 x 30) bytes or less.

The NH_POLL_DLG_BPM environment variable defines the minimum traffic filter size. To change the default setting of 500 bytes per minute, follow this general procedure. For specific instructions on adding environment variables to your system, see the eHealth Commands and Environment Variables Reference Guide.

Important! If you lower or disable the filter size, you could cause a significant increase in your database disk space requirements.

To change the default setting of NH_POLL_DLG_BPM, follow these steps:

1. Stop the eHealth server.

2. Add this environment variable to your system.

3. Specify a value. If you set it to 0, the filter is disabled and eHealth saves all conversations in the database.

4. Restart the eHealth server.


Each time that eHealth polls a probe element, it retrieves the data stored within it. A probe element captures information only for the conversations that occur on the network segment, ring, switch port, or interface where the probe is installed. If you have multiple probes in your network, more than one probe element could observe the same conversation.

eHealth uses the conversation data to determine which probe element is the best source of information for a node or autonomous system. It totals the byte count for each conversation for each node or autonomous system and compares the totals as recorded by each probe element. eHealth chooses the probe element with the largest byte count for a node or autonomous system as the best source of information for the node.

Note: eHealth follows this process when it analyzes RMON2 conversation data that is collected by probes. It does not do so when analyzing data that is collected by the eHealth NetFlow Collector or the enhanced eHealth Import Poller.
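The minimum-size filter (NH_POLL_DLG_BPM) and the best-source selection described in this section, worked through as an added example that is not eHealth code. The record layout, function names, probe names and the tie-break rule are assumptions, and the sample conversations are constructed.

```python
from collections import defaultdict

DEFAULT_BPM = 500  # default NH_POLL_DLG_BPM, in bytes per minute

# Constructed sample: two probe elements on different segments, one poll interval.
# The first two records are the same conversation seen by both probe elements.
CONSTRUCTED = [
    {"probe": "lan-if1", "src": "10.0.0.5", "dst": "10.0.1.9", "bytes": 120000},
    {"probe": "wan-if1", "src": "10.0.0.5", "dst": "10.0.1.9", "bytes": 90000},
    {"probe": "wan-if1", "src": "10.0.1.9", "dst": "192.0.2.20", "bytes": 400000},
    {"probe": "lan-if1", "src": "10.0.0.5", "dst": "10.0.0.7", "bytes": 15000},
    {"probe": "wan-if1", "src": "10.0.0.7", "dst": "192.0.2.20", "bytes": 15001},
]


def filter_conversations(conversations, poll_minutes, bpm=DEFAULT_BPM):
    """Keep conversations above bpm * poll_minutes bytes; bpm=0 disables the filter."""
    if bpm == 0:
        return list(conversations)
    floor = bpm * poll_minutes  # 500 x 30 = 15,000 bytes with the defaults
    return [c for c in conversations if c["bytes"] > floor]


def best_sources(conversations):
    """Map each node to the probe element that recorded the most bytes for it."""
    totals = defaultdict(lambda: defaultdict(int))  # node -> probe -> byte total
    for c in conversations:
        # A set, so a conversation whose source and destination match counts once.
        for node in {c["src"], c["dst"]}:
            totals[node][c["probe"]] += c["bytes"]
    best = {}
    for node, per_probe in totals.items():
        # Assumption: on equal totals the probe name that sorts first wins.
        best[node] = min(per_probe, key=lambda p: (-per_probe[p], p))
    return best


if __name__ == "__main__":
    kept = filter_conversations(CONSTRUCTED, poll_minutes=30)
    for node, probe in sorted(best_sources(kept).items()):
        print(node, "->", probe)
```

In the sample, 10.0.0.5 is best observed from lan-if1 while 10.0.1.9 resolves to wan-if1, because the WAN probe element also sees that node's traffic to 192.0.2.20.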

Change the Polling Interval

eHealth polls each probe element to collect data on every conversation that the probe element detected and stored, which can result in a tremendous amount of data being collected at each poll. Consequently, the polling interval for conversation data is longer than that for statistics. Probes vary in the amount of memory that they have, and thus the amount of conversation data that they can store. Use a polling interval that enables you to collect the data from the probes before data is lost due to device memory limitations, counters within the probe reset, or the probe’s timeout being reached.


You should also use a polling interval that allows you to retrieve data from the probe element before it resets counters or discards data. This polling interval value determines the rate at which eHealth stores data in the database. In addition, the number of elements in your database and the amount of disk space available for the database might require you to use a polling interval other than the default. The default polling interval for conversation data is 30 minutes, but you can change it to 15, 30, 45, or 60 minutes.

Note: If you discover that some probes do not behave at an optimum level with eHealth, consult with your probe vendor to resolve RMON2 configuration issues. For detailed instructions on the discover and polling processes, see the eHealth Administration Guide.

To change the polling interval for conversation data

1. Log in to the OneClick for eHealth console.

a. Enter the following in a web browser, where eHealthSystem is the specific name of the system on which eHealth is installed. If your eHealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific eHealth system name.

eHealthSystem/OneClickEH

The Connect to eHealthSystemName window appears.

b. Specify the user name and password of an administrator who has permission to access OneClickEH; then click OK.

The OneClick for eHealth page appears.

c. Click Launch OneClick for eHealth.

The File Download window appears.

d. Click Run.

The OneClickEH login window appears.

2. Log in to the eHealth server as an administrator who has permission to manage the pollers.

The eHealth Status Summary window appears.

3. In the left pane of the console, click Tasks and Information, Setup, Poller Controls.

The Poller Controls window appears.

4. From the Conversations list, select a different poll rate and click Apply. eHealth resets the poll interval and begins polling at that rate.


How to Migrate RMON2 Configuration Data from an NPO System to eHealth

If you use the Unicenter Network Systems Management (NSM) Network Performance Option (NPO) to collect RMON2 data from probes and other network devices that have been installed throughout your network, you can migrate the configuration data to your eHealth system to enable eHealth Traffic Accountant to report on it. For Traffic Accountant to be able to report on your NPO data, you need to run a command to migrate the configuration data from the NPO system (the system on which you are currently running the NPO collection server) to eHealth, and then run an eHealth discover based on that file.

To migrate configuration data from an NPO system to eHealth

1. Generate a seed file that contains the current NPO configuration:

a. Copy the Create_eHealth_seed.exe file from the ehealth/modules/npo directory on the eHealth system to the bin directory on the NPO system.

b. On the NPO system, run the Create_eHealth_seed.exe command to create the ehealthseed.txt file.

2. Copy the ehealthseed.txt file from the NPO_DIR/log directory on your NPO system to the eHealth system.

3. Perform an interactive discovery based on the file, and then save the discover results to the eHealth database.

4. Allow eHealth to poll the resources, and then save the collected data to the eHealth database.

For detailed instructions on discovering and polling your resources, see the eHealth Administration Guide.

Chapter 3: Managing Traffic Accountant

This section contains the following topics:

How to Import NetFlow Elements Automatically (see page 33)
How to Terminate Polling of NetFlow Elements (see page 34)
How to Terminate Polling of Probe Elements (see page 35)
How to Assess the Status of the eHealth Database (see page 35)
How to Prevent Traffic Accountant Resource Overutilization (see page 36)
How to Manage the Growth of Your Traffic Accountant Database (see page 38)
How to Modify Configuration Information for Cisco NetFlow Collectors (see page 42)
How to Switch the Data Collection Mode for the Import Poller (see page 43)
How to Collect Bi-Directional Data with the Standard Import Poller (see page 44)
How to Troubleshoot Problems with Your Cisco NetFlow Collector (see page 45)
How to Troubleshoot Problems with Polled NetFlow Devices (see page 46)

How to Import NetFlow Elements Automatically

To import NetFlow elements on a regular basis, you can use the job scheduler in the eHealth console to automate the process.

To add a scheduled job to import elements

1. From the console, select Setup, Schedule Jobs. The Schedule Jobs dialog appears.

2. Select Add NetFlow from the drop-down list next to the list of jobs. The Add Scheduled NetFlow Import Element dialog appears.

3. Schedule the process by specifying the day, date, and/or time.

4. (Optional) Exclude certain NetFlow elements from the discover search by specifying a DCI rules file. The file must be stored in the following directory: ehealth/modules/netflow/config.

Important! If the file is not stored in that directory, the scheduled discovery will fail.

5. Click Schedule.

The Add Scheduled NetFlow Import Element dialog closes, and the scheduled job appears in the job list in the Schedule Jobs dialog.


How to Terminate Polling of NetFlow Elements

You can prevent the eHealth Import Poller from importing data from all NetFlow-enabled devices in your network at one time, or you can turn off polling for selected devices.

To stop importing all data

1. Log in to the OneClick for eHealth console. The OneClickEH login window appears.

2. Log in to the eHealth server as an administrator who has permission to manage the poller.

The eHealth Status Summary window appears.

3. In the left pane, click Tasks and Information, Setup, Poller Controls. The Poller Controls window appears.

4. Select Polling Off and click Apply. eHealth turns off the pollers.

To stop importing data for specific probe elements

1. Log in to the OneClick for eHealth console. The OneClickEH login window appears.

2. Log in to the eHealth server as an administrator who has permission to manage elements.

The eHealth Status Summary window appears.

3. In the left pane, click Managed Resources, Elements.

The Element table appears.

4. Select one or more probe elements, right-click, and select Edit Element. The Edit Elements window appears.

5. Select the Polling tab. The Polling window appears.

6. Select Mass Modify, select No next to Polling Enabled, and then click Apply. eHealth disables polling for the selected probe elements.


How to Terminate Polling of Probe Elements

By default, eHealth stops polling an RMON2 probe element after 1200 seconds (20 minutes) if it has not received a response. If this occurs, eHealth displays a message in the Conversations Polling window and saves any partial data it has received. If polling is continuously terminated early for the same probe element, eHealth may not update information about that probe element. You may want to determine why polls are not finishing for this probe.

The NH_POLL_PROBE_TIME_LIMIT environment variable defines the number of seconds that eHealth waits before terminating polling. To change the default setting of 20 minutes, follow this general procedure. For specific instructions on adding environment variables to your system, see the eHealth Commands and Environment Variables Reference Guide.

To change the default setting of NH_POLL_PROBE_TIME_LIMIT, follow these steps:

1. Stop the eHealth server.

2. Add this environment variable to your system.

3. Specify a value. If you set it to a value that is below 5 minutes, eHealth may stop polling probes that are slow but responding.

4. Restart the eHealth server.

How to Assess the Status of the eHealth Database

Near the end of each poll, eHealth stores data gathered by probe elements as conversation data. Over time, the database consumes more space. To ensure that eHealth can continue collecting data and generating reports, you must maintain sufficient disk space. eHealth provides summary information about the status of the entire database and specific information about conversation data.

Resources become available when nodes, node address pairs, and conversations age out; processes that are consuming resources terminate; or the poller stops and restarts. To increase your resources so that eHealth can continue to process conversation data immediately, you could add more memory to the eHealth Traffic Accountant system, or move it to a system that has more memory.

Note: Because the volume of Traffic Accountant data can become quite large and consumes a large amount of data storage capacity, you must install it on a separate system that is dedicated to eHealth Traffic Accountant. CA does not support the collection of statistics data and conversations data on a single system.


To view the current status of the database

1. Log in to the OneClick for eHealth console.

2. Log in to the eHealth server as an administrator who has permission to view the System Information folder.

The eHealth Status Summary window appears.

3. In the left pane, select Tasks and Information, System Information, Database Status.

The Database Status window appears.

4. Review the Conversations section to determine the following:

• Number of probe elements in the eHealth database

• Number of nodes or autonomous systems observed by probe elements

• Size of the database for each type of conversation data

• Dates of the most recent database entries, and the first entries

• Date and time of the last Conversations Rollup scheduled job

Note: If a poll occurs while the window is open, click Refresh to update the fields when the poll finishes.

To obtain database status information, you can also run the nhDbStatus command. For instructions, see the eHealth Commands and Environment Variables Reference Guide. For detailed information about managing the database, see the eHealth Administration Guide.

How to Prevent Traffic Accountant Resource Overutilization

If you use eHealth Traffic Accountant to monitor unlimited numbers of nodes (for example, public Internet access points), you could encounter situations in which a large volume of conversation or NetFlow data is returned to the Traffic Accountant system during polling. This large volume can impact system performance by consuming the available resources.

To guard against these performance impacts, you can prevent Traffic Accountant from becoming overloaded by enabling it to monitor the conversations and import polling times in conjunction with node and node-address-pair lookup (that is, how long it takes Traffic Accountant to find a node within its cache memory). If it detects when polling times are slowing down due to insufficient resources, it can prevent new conversation data from being saved to the database, and will not create new nodes and node address pairs until resources become available or the poll duration falls below the threshold.


To prevent Traffic Accountant resource overutilization, you can set threshold values for these two environment variables:

• NH_DLG_POLL_TIME_FIRST_WARNING_THRESHOLD – Specify a value of 1% to 99%. The default is 90%, the point at which the Conversations Poller or Import Poller has polled 90% of your elements. The value of this variable must be less than the value of NH_DLG_POLL_TIME_SECOND_WARNING_THRESHOLD.

• NH_DLG_POLL_TIME_SECOND_WARNING_THRESHOLD – Specify a value of 1% to 99%. The default is 95%, the point at which the Conversations Poller or Import Poller has polled 95% of your elements. The value of this variable must be more than the value of NH_DLG_POLL_TIME_FIRST_WARNING_THRESHOLD.

Note: To disable the variables, set both values to 0.

When you set these environment variables, eHealth follows this process:

1. During a poll, eHealth accumulates node and node address pair lookup times.

2. When the Conversations Poller or Import Poller has reached 90% of the poll interval, the eHealth console displays a warning indicating that the poll may not finish in the interval specified.

3. When the poller has reached 95% of the poll interval, Traffic Accountant calculates the average node and node address pair lookup times and then compares them to those of the previous poll. For example, if the system is performing a 15-minute poll, and it has completed 90% of the poll (13.5 minutes), Traffic Accountant displays the first warning in the console.

• If the average lookup times increased, Traffic Accountant compares them to the averages of the five previous polls.

• If it detects a sharp increase in the average lookup time, it displays an error message in the OneClickEH console indicating that new conversation data will not be saved to the database until resources become available or the poll duration falls below the threshold.

4. During this time, Traffic Accountant cannot create nodes and node address pairs. It saves a record of the number of conversations that it discards during each conversation or import poll in a log file named trafficDropped.date.time.log within the ehealth/log directory.


How to Manage the Growth of Your Traffic Accountant Database

To control the growth of Traffic Accountant, eHealth automatically performs several maintenance tasks:

• Reviews all conversations to determine the last time that it observed a conversation. If a conversation is not seen in 24 hours, eHealth frees memory that is associated with the conversation, but it retains the data already stored in the database.

• Hides nodes or autonomous systems and node address pairs or autonomous system pairs that have not been referenced for a specified time period, and then removes them once it rolls data out of the database. (When nodes or autonomous systems are hidden, you can run reports on the data.)

• Controls the size of the conversations message log file.

• Rolls up conversation data every four hours.

To proactively control the growth of Traffic Accountant data in your eHealth database, you can do the following:

1. Reduce the number of hours that eHealth retains information on a conversation in memory by modifying the setting of the NH_DLG_TIME2KEEP environment variable. By default, eHealth ages out conversation data that is older than four hours.

2. Remove unused nodes or autonomous systems on a regular basis by managing the Cleanup Nodes scheduled system job.

3. Manage the size of the Conversations Poller message file.

4. Manage the Conversations Rollup scheduled job.

How to Reduce the Number of Hours That eHealth Retains Conversation Data

By default, eHealth ages out conversation data that is older than four hours. To control the size of the database, you can reduce the number of hours that eHealth retains information on a conversation in memory.

To reduce the number of hours that eHealth retains information on a conversation in memory

1. Log in to the eHealth console as an administrator.

2. Stop the eHealth server.

3. Modify the setting of the NH_DLG_TIME2KEEP environment variable to a value that is less than 4 hours.

Note: If you set this variable to 0 hours, the poller no longer ages out conversations from the poller cache.

4. Restart your eHealth server.

For detailed instructions on setting environment variables, see the eHealth Commands and Environment Variables Reference Guide.

How to Remove Unwanted Node or Node-Address Pairs from the Database

By default, eHealth provides the Cleanup Nodes system job to remove node pairs and node-address pairs that are no longer needed, but it does not enable the job. You can specify the frequency and the time, as well as whether eHealth should hide or remove the nodes or autonomous systems that have not been seen within a designated timespan.

Once eHealth removes nodes or autonomous systems and node or autonomous system address pairs, you cannot access any conversations related to them in reports.

To remove unwanted and unused node or node-address pairs from the database

1. Log in to the OneClick for eHealth console.

2. Log in to the eHealth server as an administrator who has permission to manage scheduled jobs.

The eHealth Status Summary window appears.

3. In the left pane, select Tasks and Information, Job Scheduler, Scheduled Jobs.

The Scheduled Jobs window appears.

4. Select the All tab.

The console displays the list of jobs that are scheduled to run on your eHealth system.

5. Scroll through the list to locate Cleanup Nodes and double-click the name.

The Edit Cleanup Nodes window appears.

6. Select the Schedule tab and do the following:

a. Change the frequency with which the job runs. If you specify 31 as the day of the month, the job will only run on months that have 31 days.

b. Change the time of day at which the job runs.

7. Select the Properties tab and do any of the following:

a. Specify the number of hours that eHealth must not have seen the nodes or autonomous systems.

b. Specify that eHealth should hide or remove the nodes or autonomous systems that have not been seen within a designated timespan (the default is 0). If you have set the NH_DLG_TIME2KEEP environment variable, specify the same value in this field.

8. Click OK.

The Edit Cleanup Nodes window closes, and eHealth updates the parameters for the scheduled job.

How to Manage the Poller Message Files

By default, eHealth saves messages that the RMON2 Conversations Poller, the NetFlow Collector, and the Import Poller generate about polled conversations. The data is stored as ASCII files in the ehealth/log directory. If the Recent System Messages window on the Status Summary page does not display any messages concerning a poller, eHealth does not create the message file for it. By default, each file can reach a maximum size of 1 MB. Once a log file reaches the maximum size, eHealth moves it to a backup log file named fileName.bak and overwrites the existing backup log file, if one exists. eHealth then starts a new log file using the default filename.

You can set the following environment variables to change the message filename, directory, and maximum file size:

• NH_POLL_LOG_FILE – Specifies the location and/or name of the message log files.

• NH_POLL_LOG_SIZE – Specifies the maximum size of the log files and backup files in bytes.

For instructions on setting environment variables, see the eHealth Commands and Environment Variables Reference Guide.
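
Because the rotation described above keeps only one backup per poller, messages older than the previous rotation are lost when fileName.bak is overwritten. The following shell function is an added example, not part of the CA guide: it copies each .bak file to an archive directory before the next rotation replaces it. The directory paths and the checksum-based archive naming are assumptions.

```shell
#!/bin/sh
# Added example: preserve eHealth poller backup logs (*.bak) before the
# next rotation overwrites them. Run it (for example from cron) more
# often than a log file takes to reach its maximum size.
#
# Assumptions, not from the guide: the archive directory, and naming each
# archived copy "<name>.bak.<crc>-<size>" so one rotation is stored once.

# archive_bak LOG_DIR ARCHIVE_DIR
# Copies every *.bak file in LOG_DIR into ARCHIVE_DIR unless an identical
# copy (same name, CRC and size) is already archived.
# Prints the number of files newly archived; returns non-zero on error.
archive_bak() {
    log_dir=$1
    archive_dir=$2
    copied=0

    mkdir -p "$archive_dir" || return 1

    for bak in "$log_dir"/*.bak; do
        # When no backup exists yet the glob stays literal; skip it.
        [ -f "$bak" ] || continue

        # cksum prints "<crc> <size>"; both go into the archive name so a
        # new rotation gets a new name and an old one is never replaced.
        sum=$(cksum < "$bak" | awk '{print $1 "-" $2}')
        dest="$archive_dir/$(basename "$bak").$sum"

        if [ ! -e "$dest" ]; then
            # -p keeps the modification time, which marks the rotation time.
            cp -p "$bak" "$dest" || return 1
            copied=$((copied + 1))
        fi
    done

    echo "$copied"
}

# Example call (hypothetical paths):
#   archive_bak /opt/ehealth/log /var/archive/ehealth-poller-logs
```

If you change NH_POLL_LOG_FILE so that the message files are written to a different directory, pass that directory as the first argument.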

How to Manage the Conversations Rollup Scheduled Job

The Conversations Rollup scheduled job logs information in the Conversations_Rollup.jobId.log file located in the log directory of your eHealth installation. eHealth rolls up two sets of conversation data: all conversations and top conversations.
