I am going to touch on common mistakes in network monitoring in this post. You know for sure that you need a network-monitoring tool for managing your network. There are wide varieties of tools available that range from simple to complex and free to enterprise ones.
If you get one monitoring tool and install it, can you say that everything is under control? Are you going to be aware of what happened in your network? I will try to warn you about common mistakes in network monitoring. Actually, these mistakes are common for any kind of network however my experience in the Cisco environment.
1. Monitoring without documentation
If you are monitoring your network while you don’t have the proper network documentation, then it will not be clear whether monitoring is complete or not. How can you be sure about the reliability of your monitoring system without knowing the exact number of devices, their models and their interconnections?
2. Only network specialists should watch over the network.
Network specialists must setup network monitoring systems, but watching over them and taking the first action should not be their task. If you have network monitoring screens, then such screens should be watched over by –
• A monitoring team – if the network is big enough (e.g. a NOC)
• Help desk – if you have
• End-user support team
Any alert (alerts, events, mails, SMSs) should be directed to the help desk or end-user support team. The receiver must be able to handle it immediately. Alertness is the key here and therefore this task should not be assigned to staff who is involved in projects and moving often. Help desk staff should be intimated first and then the information should move upwards based on the hierarchy, finally reaching the network admin to sort out the issue.
3. Unhandled alerts
All alerts should be checked and cleared. If there is expected maintenance on some devices, then they have to be excluded from the monitoring system (This is a must-have for a network monitoring tool). If some alerts stay on the monitoring system for a long time, then it will cause alert blindness on the team. False alerts may also drop your confidence in the monitoring system.
4. Correct probe points & traffic behavior
You have to understand your routing infrastructure very well, especially for flow monitoring. Sometimes, you can find undesirable traffic so easily, but it does not happen always. In case of a huge download, you just have to look at the right point in the backbone. In case of an antivirus update, traffic is one to many, you have to summarize collected data by source or target upon the direction of traffic and in the case of many to many traffic like virus infections, you have to know or guess characteristics of undesired traffic (like TCP port). If you ignore these details, you can look at your Netflow monitor and can swear that all seen traffic is necessary.
5. No history
If you have your monitoring system ready, but you monitor just some nodes and think that you can monitor any necessary point if something untoward incident happens (I mean SNMP monitoring), then you are playing with the fire! When something happens, to analyze it you will have to compare this condition with the normal conditions but you will be too late for that. It won’t be possible to acquire this information anymore. Therefore, you must monitor all ports and the interfaces that have to be monitored from the first day. Your monitoring technique is correct only when it is complete.
6. We have a huge tool – the problem is over
This is about the decision phase of network monitoring. You should define your needs well and choose a fitting tool for your network. No more, no less. This decision is not just about cost. The concept will be clear with an example and a good example is Cisco Works. It is huge, capable and a brand that is trusted all over the world. However, if you don’t have a dedicated staff for this, then it is really hard to install and use it. I have come across many people who purchased Cisco in anticipation that it will be very beneficial to them but did not make use of this powerful tool completely. It is like buying a truck and trying to park it in your car garage, which is a foolish decision!
7. Network monitoring is not a mission-critical process
How much loss do you incur if your network monitoring system stops working? Is it going to stop production, sales or logistics? The answer is no. So, the network monitoring system is not a mission-critical system. This could be true. The network itself is mission-critical. Everything stops when it stops. Network problems should be fixed immediately. You have to find the problem (here you need monitoring) in minutes. Nevertheless, your monitoring system can be down because it is not a mission-critical system. If this is the case, you should connect each device separately and look for errors. It is similar to a situation in which you are driving on the highway with broken gauges (fuel, temperature, speed). Good luck!
These are the seven common mistakes in Cisco network monitoring. You are in charge of keeping them away from your network.