Guest post by Lokesh Chenta, Software Developer for the HP NMC portfolio
Network traffic classification is an important requirement for network management administrators who want to understand the network traffic generated by applications. This classification identifies the protocols in use and enables administrators to assess network performance in the context of applications. They can then allocate resources in a way that ensures sufficient bandwidth for business-critical applications.
Consider the following pie charts. The infrastructure view on the left shows the network traffic for specific hosts but does not give any detail about the types of traffic that the network is seeing. The application view on the right shows the protocols in use. The application mapping feature of the HP Network Node Manager i Software Smart Plug-in Performance for Traffic (NNM iSPI Performance for Traffic) enables network administrators to achieve this traffic classification.
Application mapping in the NNM iSPI Performance for Traffic
The application mapping feature of the NNM iSPI Performance for Traffic provides for associating network traffic flow with a specific application. This association helps with correlating data in the network to the applications producing the data.
The NNM iSPI Performance for Traffic ships with 302 default application mappings. These mappings are based on industry standards and the well-known destination ports reserved for use by various applications (for example, port 80 for HTTP and port 161 for SNMP). The NNM iSPI Performance for Traffic also provides extensive flexibility for defining custom mappings specific to your environment and monitoring requirements.
An application mapping definition in the NNM iSPI Performance for Traffic can be simple, consisting of a single condition (for example, DstPort = 161), or complicated, containing an expression of conditions (for example, DstIP equals 192.168.0.0 AND DstPort = 80). Each condition involves comparing an attribute of the incoming flow (DstIP, DstPort, IPToS …) against a value using one or more operators (=, !=, like, in, equals, …). The NNM iSPI Performance for Traffic supports the use of ranges and wildcards for comparing the values of IP address attributes.
Best practices for defining application mappings
The configuration flexibility of the NNM iSPI Performance for Traffic enables creation of very complex custom application mappings. The processing required by the NNM iSPI Performance for Traffic to apply such complicated mappings to the flows exported from the network is a non-trivial activity. In an environment that contains many complex custom mappings with millions of flow records per minute, the process of evaluating these custom mappings might impact the scalability of the traffic monitoring solution.
To address this problem, we have identified widely used patterns of application mappings and optimized the NNM iSPI Performance for Traffic application mapping feature for these patterns. This optimization provides improved performance at scale, even with a large number of such custom mappings. This approach addresses the mapping requirements of the majority of our customers.
The following application mapping patterns deliver the best NNM iSPI Performance for Traffic performance:
Applications based on a specific destination port, similar to the default application mappings shipped with the NNM iSPI Performance for Traffic. For example:
DstPort = 80
Applications based on a specific IP address AND a specific destination port. For example:
DstIP equals 192.168.0.1 AND DstPort = 80
Applications based on a specific IP address AND a range of destination ports. For example:
(DstIP equals 192.168.0.1) AND (DstPort >= 10000 AND DstPort <= 10100)
Applications based on a range of IP addresses AND a specific destination port. For example:
DstIP like 192.168.0.* AND DstPort = 80
Applications based on a range of IP addresses AND a range of destination ports. For example:
(DstIP equals 192.168.0.*) AND (DstPort >= 10000 AND DstPort <= 10100)
Modifying complex application mappings for optimal performance
For custom application mappings that are not optimized, it is recommended to rearrange and split the conditions into smaller expressions that fit the optimized mapping patterns. For example, consider the following application mapping:
((DstIP equals 184.108.40.206 OR DstIP equals 220.127.116.11) AND DstPort = 1000), App=TestData
The NNM iSPI Performance for Traffic is not optimized for this mapping. For better performance, convert this complex mapping into the following independent mappings with the same application name:
(DstIP equals 184.108.40.206 AND DstPort = 1000), App=TestData
(DstIP equals 220.127.116.11 AND DstPort = 1000), App=TestData
In some cases, there might be a need to create custom mappings that do not meet the optimal patterns. In such scenarios, it is recommended to create only a few such application mappings and to restrict each mapping to only a few conditions.
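The split described above can be automated. The following Python sketch is an added example, not code from the product or from the author: it expands a mapping expression into independent AND-only mappings and flags whether each one fits the optimized patterns listed earlier. The grammar is inferred from the examples on this page, and all function names are hypothetical.

```python
import re

# Grammar assumed from the examples on this page: parentheses, AND/OR, and
# "Attr op value" conditions. This is not the product's own parser.
TOKEN = re.compile(
    r"\(|\)|\b(?:AND|OR)\b|(\w+)\s*(>=|<=|!=|=|equals|like)\s*([\w.*]+)")

def tokenize(expr):
    return [m.groups() if m.group(1) else m.group(0)
            for m in TOKEN.finditer(expr)]

def parse_or(toks):
    """Return the expression in DNF: a list of AND-only condition lists."""
    dnf = parse_and(toks)
    while toks and toks[0] == "OR":
        toks.pop(0)
        dnf += parse_and(toks)
    return dnf

def parse_and(toks):
    dnf = parse_atom(toks)
    while toks and toks[0] == "AND":
        toks.pop(0)
        rhs = parse_atom(toks)
        dnf = [a + b for a in dnf for b in rhs]  # distribute AND over OR
    return dnf

def parse_atom(toks):
    tok = toks.pop(0)
    if tok == "(":
        dnf = parse_or(toks)
        toks.pop(0)  # closing ")"
        return dnf
    return [[tok]]

def fits_optimized(conj):
    """True if one AND-only mapping matches a pattern listed on this page."""
    ips = [c for c in conj if c[0] == "DstIP" and c[1] in ("equals", "like")]
    ports = sorted(c[1] for c in conj if c[0] == "DstPort")
    if len(ips) > 1 or len(ips) + len(ports) != len(conj):
        return False
    return ports == ["="] or (ports == ["<=", ">="] and len(ips) == 1)

def split_mapping(expr, app):
    """Split expr into independent mappings; flag each as optimized or not."""
    return [("(" + " AND ".join(" ".join(c) for c in conj) + f"), App={app}",
             fits_optimized(conj))
            for conj in parse_or(tokenize(expr))]

if __name__ == "__main__":
    complex_expr = "((DstIP equals 184.108.40.206 OR DstIP equals 220.127.116.11) AND DstPort = 1000)"
    for mapping, ok in split_mapping(complex_expr, "TestData"):
        print(mapping, "optimized" if ok else "NOT optimized")
```

Any mapping flagged as not optimized after splitting is a candidate for the "few mappings, few conditions" rule in the preceding paragraph.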
By following the best practices described here, the NNM iSPI Performance for Traffic application mapping functionality can be effectively used to visualize application traffic even for very large networks carrying a huge traffic volume.
If you're new to monitoring network traffic flow, you might be interested in HP Network Flow Analytics, a free standalone tool for NetFlow versions 5 and 9 that includes some standard application mappings. The provided reports will whet your appetite for the full solution described in this post. This tool is available in the Free Tools and Utilities section of the download page, under Performance Management.
Lokesh is a Software Developer at HP with over 8 years of experience in developing various products in the NMC portfolio. He is part of the R&D team that delivered multiple releases of the NNM iSPI Performance for Traffic, including major features and scalability improvements in the product.