Proactive Network Management With NETSYS

The Environment

Today's companies rely on networks to support almost every aspect of their business. From financial powerhouses to manufacturing firms to small consulting agencies, the corporate intranet has become a critical component.

The cost of downtime on corporate networks is measured in tens of thousands of dollars per hour. (See "LAN Downtime," Data Communications, March, 1990.) The causes can be categorized as device failure, link failure, or configuration error. Much of this downtime can be avoided by proper network design and implementation. Device and link failures can be handled through proper redundancy. Configuration errors can be avoided through proper design and implementation methodology.

NETSYS has created a set of tools that evaluates a Cisco router network on a system basis for the purposes of detecting failure modes, improving security, and pinpointing configuration errors. When used as part of the configuration control and evaluation process, the NETSYS tools can highlight configuration errors before they appear in your live network.

Management Styles

Before jumping into what these tools do, let's take a look at network management styles and when you would want to use the NETSYS tools. There are two levels of network management: reactive and proactive. In a reactive network management environment, the network management staff is typically driven by trouble calls. Some time is spent in planning, but the majority of the effort is in keeping the network running day to day. The network is typically viewed and managed on a per-device level.

In contrast, the proactive network management team has a smoothly-running network where changes are carefully planned and the network design is fault-tolerant enough to allow time for the team to react to device and link failures. Device configuration changes are carefully evaluated prior to implementation. Network health reports are generated on a regular basis so the team can plan for change. A proactively-managed network is typically viewed and managed on a system level.

Most of our network management teams fall somewhere between these two levels. Properly used, the NETSYS tools provide us the system-level view we need to analyze our networks, begin to eliminate the sources of trouble calls that lead to reactive network management, and allow us to evaluate proposed configuration changes.

Analysis Requirements

System level analysis starts by checking a large number of static configuration options that must match between connected devices in order for the network to function properly. This step includes ensuring the bandwidth statements match on both ends of a serial link, detecting duplicate node and network addresses, identifying duplicate token ring numbers, and verifying correct routing protocol parameters. Once the static configuration has been verified, a failure mode analysis should be performed to determine what happens when critical devices or links fail. From this analysis, we can add redundancy where it is needed so that when failures occur, we are not forced to react immediately. Note that we still need real-time network management to alert us to failures.

Using the connectivity analysis, we need to be able to evaluate network security as implemented in router access lists. Have we properly limited access where desired and provided access where needed? Are there any "back doors" in our network that we have not identified?

Another analysis requirement is to show the dynamics of the network under load. The best way to do this is to gather real data from the network and use it to analyze the operation of the network as a system. And if we can modify the data ourselves to simulate a change in the network, then we have the ability to do real "what-if" scenarios.

With a set of tools that provide this functionality, we can provide proactive network management. The NETSYS toolkit, in conjunction with CiscoWorks and a network management platform, provides the capabilities we need to meet the above requirements through its analysis engines: Connectivity Baseliner and Performance Tools.

Connectivity Baseliner

Static analysis is performed by reading the router configurations, analyzing the resulting network, and generating a set of reports detailing any anomalies that it detects. (See Figure 3.) The analysis tests for over sixty different configuration problems, generating a report that identifies each problem and its severity level, from errors to warnings. (A full list of tests may be found on www.netsystech.com.) A topology map is also generated, providing a visual indication of network connectivity. Besides checking your existing network, Connectivity Baseliner is also useful for "sanity checking" new router configurations that are being prepared for a network rollout or transition. Whether evaluating an existing network or preparing new router configurations, Connectivity Baseliner prevents many problems that may otherwise turn into trouble calls.
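To make the static checks described under Analysis Requirements and performed by Connectivity Baseliner concrete, here is an added example (not NETSYS code) that runs two of them over constructed Cisco IOS configuration snippets: it pairs the serial interfaces that share a point-to-point subnet and flags mismatched bandwidth statements, and it flags any address configured on more than one interface. The router names, addresses and bandwidth values are all made up for the illustration.

```python
import ipaddress
import re

# Constructed sample configs: two routers joined by one serial link (rtr-a Serial0
# <-> rtr-b Serial0). They deliberately contain a bandwidth mismatch and a
# duplicate Ethernet address so the checks have something to report.
CONFIGS = {
    "rtr-a": "interface Serial0\n ip address 10.1.1.1 255.255.255.252\n bandwidth 1544\n"
             "interface Ethernet0\n ip address 192.168.10.1 255.255.255.0\n",
    "rtr-b": "interface Serial0\n ip address 10.1.1.2 255.255.255.252\n bandwidth 56\n"
             "interface Ethernet0\n ip address 192.168.10.1 255.255.255.0\n",
}


def parse_interfaces(router, text):
    """Extract name, address/mask and bandwidth of each interface in an IOS-style config."""
    ifaces, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = {"router": router, "name": m.group(1), "ip": None, "bw": None}
            ifaces.append(cur)
        elif cur and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and (m := re.match(r"\s*bandwidth (\d+)", line)):
            cur["bw"] = int(m.group(1))  # kilobits per second, as IOS expresses it
    return ifaces


def check_configs(configs):
    """Return (severity, message) findings for duplicate addresses and bandwidth mismatches."""
    ifaces = [i for r, t in configs.items() for i in parse_interfaces(r, t)]
    findings, seen, by_net = [], {}, {}
    for i in ifaces:
        if i["ip"] is None:
            continue
        where = f"{i['router']}:{i['name']}"
        # Duplicate node address: the same host IP configured on two interfaces is an error.
        if i["ip"].ip in seen:
            findings.append(("ERROR", f"duplicate address {i['ip'].ip} on {seen[i['ip'].ip]} and {where}"))
        seen.setdefault(i["ip"].ip, where)
        # Serial interfaces sharing a subnet are the two ends of one link.
        if i["name"].startswith("Serial"):
            by_net.setdefault(i["ip"].network, []).append(i)
    for net, ends in by_net.items():
        if len(ends) == 2 and ends[0]["bw"] != ends[1]["bw"]:
            a, b = ends
            findings.append(("WARNING", f"bandwidth mismatch on {net}: "
                             f"{a['router']} {a['bw']} vs {b['router']} {b['bw']}"))
    return findings
```

A mismatched bandwidth statement only skews routing metrics (hence the warning), while a duplicate address breaks connectivity outright (hence the error), mirroring the severity levels the Baseliner report distinguishes.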

Connectivity Solver

Once the baseline has been created, any number of connectivity requirements may be evaluated to verify network resiliency when devices or links fail. Are there critical points in our networks where a single failure will have a major impact on the business? Through the "what-if" capability of the tool, we can evaluate the addition of redundancy. The topology map produced by the Baseliner is used by the Connectivity Solver to display routing paths from source to destination and back. We can actually see asymmetric routing caused by incorrect bandwidth statements or by invalid routing metrics.

Security analysis of Cisco access lists is also checked by Connectivity Solver. We need to be able to verify that an access list is filtering out the packets we identified and passing the packets we intended. Since access lists tend to change over time, it is very useful to be able to verify that the required connectivity is maintained after router configuration changes.

Performance Tools

Static analysis, while providing very useful information, doesn't actually provide the full picture. NETSYS Performance Tools use RMON, Cisco IP Accounting, or user-generated data to perform a dynamic analysis of the network. Which links are likely to saturate under the given load? What path is the data taking? What happens if we move a server and its traffic to another network segment? These are the kinds of questions that we need to answer when designing for the future.

Another useful and unique feature of Performance Tools is the ability to change router models and simulate the resulting change in network throughput. We can also see the performance effect of implementing some of the router performance features, such as autonomous switching. To accomplish this, NETSYS uses Cisco router modeling information to drive its simulation.

Summary

The NETSYS tools help us understand the network layer connectivity issues in our intranets. They help us move from the concept of network design as an art to network design as a science, by allowing us to measure the quality of our designs.

CCCI offers a four-day class that helps you become proficient in the NETSYS tools. (See page 14.) NETSYS products and integration services are also available from CCCI.


Volume 2 Number 3 Table of Contents