In this post, I will touch on common mistakes in network monitoring. For sure, you know that you need a network-monitoring tool for managing your network. A wide variety of tools are available from simple to sophisticated and free to enterprise ones.
If you get and install one monitoring tool, can you say that everything is under control? Will you be aware of what’s happening on your network? I will try to inform you about common mistakes in network monitoring. I got this experience in the Cisco environment, but these mistakes are typical for any kind of network.
1. Monitoring without documentation
If you are monitoring your network without having the proper network documentation, then it will not be clear whether monitoring is complete or not. How can you be sure regarding the reliability of your monitoring system without knowing the exact number of devices, their models, and interconnections?
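One concrete way to check whether monitoring is complete, as an added example that is not part of the original post: reconcile the documented inventory (device names, models, interconnections) against the node list the monitoring tool actually polls. Both data sets below are constructed inline; in practice they would come from a CMDB or diagram export and the tool's node list, and the field names are assumptions.

```python
"""Reconcile documented inventory against what the monitoring tool polls.

Added example, not from the original post. Both data sets are constructed
inline: a documentation export (device name, model, neighbours) and the node
list of a hypothetical monitoring tool.
"""
from dataclasses import dataclass, field


@dataclass
class DocumentedDevice:
    name: str
    model: str
    neighbors: set = field(default_factory=set)


# Constructed documentation export (assumption: this is what the diagram says).
DOCUMENTED = [
    DocumentedDevice("core-sw1", "C6509", {"dist-sw1", "dist-sw2", "core-sw2"}),
    DocumentedDevice("core-sw2", "C6509", {"dist-sw1", "dist-sw2", "core-sw1"}),
    DocumentedDevice("dist-sw1", "C3750", {"core-sw1", "core-sw2", "acc-sw1"}),
    DocumentedDevice("dist-sw2", "C3750", {"core-sw1", "core-sw2"}),
    # "dist-sw3" is referenced as a neighbour but never documented as a device.
    DocumentedDevice("acc-sw1", "C2960", {"dist-sw1", "dist-sw3"}),
]

# Constructed node list as exported by the (hypothetical) monitoring tool.
MONITORED = {"core-sw1", "core-sw2", "dist-sw1", "acc-sw1", "acc-sw9"}


def reconcile(documented, monitored):
    """Return the three gaps a reviewer cares about:
    - documented devices that are not polled at all,
    - monitored nodes that nobody documented (stale or unknown entries),
    - documented links whose far end is not a documented device (diagram error).
    """
    names = {d.name for d in documented}
    not_monitored = sorted(names - monitored)
    undocumented = sorted(monitored - names)
    dangling_links = sorted(
        (d.name, n) for d in documented for n in d.neighbors if n not in names
    )
    return {
        "not_monitored": not_monitored,
        "undocumented": undocumented,
        "dangling_links": dangling_links,
    }


def coverage(documented, monitored):
    """Fraction of documented devices the monitoring tool actually watches."""
    names = {d.name for d in documented}
    if not names:
        return 0.0
    return len(names & monitored) / len(names)


if __name__ == "__main__":
    report = reconcile(DOCUMENTED, MONITORED)
    for key, items in report.items():
        print(f"{key}: {items}")
    print(f"coverage: {coverage(DOCUMENTED, MONITORED):.0%}")
```

Run this after every change to the documentation or the monitoring tool; a non-empty `not_monitored` list means the monitoring is not complete, and a non-empty `dangling_links` list means the documentation itself is inconsistent.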
2. Only network specialists should watch over the network
Network specialists should install network monitoring systems, but watching over them and taking the first action shouldn't be their job. If you have network monitoring screens, they should be watched over by:
• A monitoring team – if the network is large enough (e.g., an NOC)
• Help desk team – if available
• End-user support team
Any notification (alerts, events, e-mails, SMS messages) should be directed to the help desk or end-user support team. The receiver must be able to process it immediately. Attentiveness is the key here, so this task should not be given to staff who are involved in projects and move around frequently. Help desk staff should be notified first, and then the information should move upwards through the hierarchy, finally reaching the network admin to sort out the issue.
3. Unhandled alerts
All alerts should be checked and cleared. If some devices require maintenance, they must be excluded from the monitoring system (this is a must-have feature for a network monitoring tool). If some alerts remain in the monitoring system for a long time, they will cause alert blindness in the team. False alarms will also reduce your confidence in the monitoring system.
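The two hygiene rules above, maintenance exclusion and catching alerts that nobody cleared, as an added example that is not code from the post or from any monitoring product. The alert feed, the maintenance windows and their field names are constructed for the example.

```python
"""Alert hygiene: suppress alerts from devices in a maintenance window and
flag alerts that have sat unacknowledged for too long.

Added example, not the original post's code. Alerts and maintenance windows
are constructed inline; the field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed maintenance windows: device -> (start, end), naive UTC times.
MAINTENANCE = {
    "dist-sw2": (datetime(2024, 3, 10, 22, 0), datetime(2024, 3, 11, 2, 0)),
}

# Constructed alert feed as the monitoring tool might export it.
ALERTS = [
    {"device": "dist-sw2", "raised": datetime(2024, 3, 10, 22, 30), "acked": False, "msg": "node down"},
    {"device": "core-sw1", "raised": datetime(2024, 3, 10, 23, 0), "acked": False, "msg": "Gi1/1 down"},
    {"device": "acc-sw1", "raised": datetime(2024, 2, 20, 9, 0), "acked": False, "msg": "high CPU"},
    {"device": "acc-sw1", "raised": datetime(2024, 3, 10, 23, 10), "acked": True, "msg": "fan 2 failed"},
]

# Constructed "current time" for the run, so the example is reproducible.
NOW = datetime(2024, 3, 11, 0, 0)


def in_maintenance(device, when, windows=MAINTENANCE):
    """True if the device was inside a declared maintenance window at `when`."""
    window = windows.get(device)
    return window is not None and window[0] <= when < window[1]


def triage(alerts, now, stale_after=timedelta(days=7), windows=MAINTENANCE):
    """Split alerts into four buckets:
    - actionable: open alerts the help desk must handle now,
    - suppressed: raised while the device was under maintenance,
    - stale: open for longer than `stale_after` (the alert-blindness risk),
    - cleared: already acknowledged.
    """
    buckets = {"actionable": [], "suppressed": [], "stale": [], "cleared": []}
    for a in alerts:
        if in_maintenance(a["device"], a["raised"], windows):
            buckets["suppressed"].append(a)
        elif a["acked"]:
            buckets["cleared"].append(a)
        elif now - a["raised"] > stale_after:
            buckets["stale"].append(a)
        else:
            buckets["actionable"].append(a)
    return buckets


if __name__ == "__main__":
    for name, items in triage(ALERTS, NOW).items():
        print(name, [(a["device"], a["msg"]) for a in items])
```

The `stale` bucket is the one to report on weekly: anything in it is either a real problem nobody owns or a false alarm that should be tuned out, and both erode trust in the system.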
4. Correct probe points & traffic behavior
You should thoroughly understand your routing infrastructure, especially for flow monitoring. Sometimes you can find troublesome traffic very quickly, but not always. In the case of a huge download, you just have to look at the right spot in the backbone. In the case of an antivirus update, traffic is one-to-many, so you have to summarize the collected data by source or by destination depending on the direction of the traffic. In the case of many-to-many traffic such as a virus infection, you have to know or predict the characteristics of the undesired traffic (such as the TCP port). If you ignore these details, you can look at your NetFlow monitor and swear that all the traffic you see is unavoidable.
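The three summaries the paragraph calls for, as an added example that is not part of the original post: totals by source, totals by destination, and per-source fan-out on one port for the many-to-many case. The flow records are constructed inline in a simplified tuple form; a real collector would receive them from NetFlow or IPFIX exporters, and the addresses and thresholds are assumptions.

```python
"""Summarise flow records by direction, and detect many-to-many fan-out.

Added example, not from the post. Flow records are constructed inline as
(src, dst, proto, dst_port, bytes); addresses and thresholds are assumptions.
"""
from collections import defaultdict

FLOWS = [
    # One client pulling a huge download from an internet host.
    ("10.1.1.5", "203.0.113.10", "tcp", 443, 900_000_000),
    ("10.1.1.5", "10.1.9.9", "udp", 53, 300),
    # Antivirus update server pushing to many clients: one-to-many.
    ("10.1.2.20", "10.1.3.1", "tcp", 80, 50_000_000),
    ("10.1.2.20", "10.1.3.2", "tcp", 80, 50_000_000),
    ("10.1.2.20", "10.1.3.3", "tcp", 80, 50_000_000),
    ("10.1.2.20", "10.1.3.4", "tcp", 80, 50_000_000),
    # One host touching many peers on the same port with tiny flows:
    # the shape of worm-like many-to-many traffic.
    ("10.1.4.7", "10.1.4.10", "tcp", 445, 120),
    ("10.1.4.7", "10.1.4.11", "tcp", 445, 120),
    ("10.1.4.7", "10.1.4.12", "tcp", 445, 120),
    ("10.1.4.7", "10.1.4.13", "tcp", 445, 120),
    ("10.1.4.7", "10.1.4.14", "tcp", 445, 120),
]


def bytes_by(flows, key):
    """Total bytes per source (key='src') or per destination (key='dst'),
    largest first. Pick the key according to the direction of the traffic."""
    idx = {"src": 0, "dst": 1}[key]
    totals = defaultdict(int)
    for f in flows:
        totals[f[idx]] += f[4]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def fan_out(flows, min_peers=3, max_bytes=10_000):
    """Count distinct destinations per (src, proto, dst_port), considering
    only small flows. A source reaching many peers on one port with tiny
    flows is the characteristic of many-to-many traffic the post describes;
    the byte cap keeps a legitimate update server out of the result."""
    peers = defaultdict(set)
    for src, dst, proto, port, nbytes in flows:
        if nbytes <= max_bytes:
            peers[(src, proto, port)].add(dst)
    return {k: len(v) for k, v in peers.items() if len(v) >= min_peers}


if __name__ == "__main__":
    print("by source:", bytes_by(FLOWS, "src")[:3])
    print("by destination:", bytes_by(FLOWS, "dst")[:3])
    print("fan-out:", fan_out(FLOWS))
```

Note that the byte totals alone would never surface the 445/tcp host: it moves 600 bytes in total, which is why the many-to-many case needs the port and peer-count view rather than the volume view.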
5. No history
If your monitoring system is ready, but you monitor just some nodes and think that you can add any necessary point when an undesirable incident happens, then you are playing with fire! When something happens, you will need to compare the current conditions with the baseline conditions, and it will no longer be possible to obtain that baseline. Therefore, you should monitor all nodes and interfaces that are in scope from day one. Your monitoring is only correct when it is complete.
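What the baseline comparison looks like in practice, as an added example that is not part of the original post, including the interface that was only added to monitoring on the day of the incident and therefore cannot be compared at all. The utilisation readings are constructed inline and the interface names and threshold are assumptions.

```python
"""Compare current interface utilisation against a baseline built from history.

Added example, not from the post. Samples are constructed inline as percent
utilisation readings from earlier polls; the interface with no history shows
what is lost when a node is added only after the incident.
"""
from statistics import mean, pstdev

# Constructed history: interface -> utilisation % readings from past weeks.
HISTORY = {
    "core-sw1:Gi1/1": [30, 32, 28, 35, 31, 29, 33, 30],
    "core-sw1:Gi1/2": [60, 62, 58, 61, 59, 60, 63, 57],
}

# Constructed readings at the moment of an incident. "dist-sw2:Gi0/1" was
# added to monitoring today, so there is nothing to compare it with.
CURRENT = {"core-sw1:Gi1/1": 78, "core-sw1:Gi1/2": 61, "dist-sw2:Gi0/1": 95}


def baseline(samples):
    """Mean and population standard deviation of the historical readings."""
    return mean(samples), pstdev(samples)


def compare(current, history, sigma=3.0):
    """Classify each current reading as 'normal', 'anomalous' (more than
    `sigma` standard deviations from its baseline), or 'no baseline'."""
    result = {}
    for iface, value in current.items():
        samples = history.get(iface)
        if not samples:
            result[iface] = "no baseline"
            continue
        mu, sd = baseline(samples)
        if sd == 0:
            # Flat history: any change at all is a deviation.
            result[iface] = "normal" if value == mu else "anomalous"
        else:
            result[iface] = "anomalous" if abs(value - mu) > sigma * sd else "normal"
    return result


if __name__ == "__main__":
    for iface, verdict in compare(CURRENT, HISTORY).items():
        print(f"{iface}: {CURRENT[iface]}% -> {verdict}")
```

The 95% reading on the newly added interface may well be the problem, but without history you cannot tell whether that link always runs that hot; that is exactly the question the "no baseline" verdict leaves unanswered.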
6. We have a powerful tool – the problem is over
This is about the decision phase of network monitoring. You should define your needs well and choose an appropriate tool for your network. No more, no less. This decision is not just about cost. I can explain this mistake with an example, and a good example is Cisco Works. It is enormous, capable, and a brand that is trusted worldwide. However, if you don't have dedicated staff for it, it is tough to install and operate. I have come across situations where Cisco Works was purchased in the expectation that it would be beneficial, but ultimately this powerful tool could not be used effectively. It is like buying a truck and trying to park it in your car garage, which is a foolish decision!
7. Network monitoring is not a mission-critical process
How much loss do you incur if your network monitoring system stops working? Will it stop production, sales, or logistics? The answer is no. So, the network monitoring system is not mission-critical. That might be true. However, the network itself is mission-critical. Everything stops when it stops. Network problems should be fixed immediately. You have to find them in a few minutes. This is where you need monitoring. Nevertheless, your monitoring system may be down precisely because it is not treated as a mission-critical system. In that case, you have to connect to each device individually and look for errors. It is similar to driving on the highway with broken gauges (fuel, temperature, speed). Good luck!
These are the seven common mistakes in Cisco network monitoring. You are in charge of keeping them away from your network.