IT Operations Management (ITOM)

NNMi Traffic Smart Plug In - maximizing Network efficiency

NNMi Traffic Smart Plug In - maximizing Network efficiency


Network Node Manager i is a powerful tool that enables Network Operators to maximize the capability of their networks and ensure that investment dollars are placed in areas of the network that result in the best ROI.  In this segment, Joe Reves, Product Manager for NNMi, discusses the value of analyzing Network Traffic Meta-Data and some of the powerful use cases that data has for network capacity planning and optimization.

Traffic Flow Analysis

Traffic flow analysis is an examination of the network traffic conversation meta-data – the header information – for traffic flows in a managed domain. Traffic flows can provide broad insights into the relationships between clients and services, application workload affinity, seasonality of traffic, volumes and directionality of conversations, and utilization of physical and virtual network fabrics. Flow analysis helps us to understand how application traffic uses the network, what path it takes, and how network element performance and availability can impact our application user’s experience.

Traffic flow information doesn’t provide access to the traffic payload, as a deep packet inspection solution offers. Traffic flows expose only the information required to forward network traffic to a destination. Flows are inherently unidirectional; they have a source, and a destination. While an increasing volume of enterprise traffic carries an encrypted payload, traffic meta-data is readily available for inspection and analysis. As traffic volumes and interface speeds continue to increase, the effort and cost required to collect and store flow meta-data is significantly less than required for promiscuous monitoring across a data center environment.

Application Awareness

Application-aware networks are able to distinguish different types of application traffic and adapt to prioritize or forward specific traffic based on rules expressed at the control plane. To manage this capability in a network fabric requires pervasive visibility of the traffic, its association with application service end-points, and the path that it takes through the network. With this visibility, it becomes possible to make intelligent policy decisions about how to program the network to handle applications appropriately. The final required capability is to measure and characterize the network performance over the path that application traffic is traversing.

Identifying applications

To associate network flows with applications, the application service endpoints – which are the destinations of the flows – must be identified. In most cases, applications are provisioned on well-known ports and protocols. In cases where applications are presented on non-standard ports, the network administrator must identify those destinations by application name or grouping.

While it’s relatively trivial to associate flows with application by destination, the traffic that returns from these mapped application service endpoints to clients must also be categorized correctly with the application. Clients generally source traffic from random, high range ports – so identifying those sources, or return traffic destined to those ephemeral ports is not critical to characterize application traffic.

HPE NNMi Performance iSPI for Traffic

NNMi includes a number of intelligent smart plug-ins, or iSPIs. The Performance iSPI for Traffic collects, aggregates, presents, and reports on traffic flow data within NNMi. The collectors accept a variety of different industry-standard flow export and flow sampling formats through an infrastructure of dedicated flow collectors. The collectors receive samples or flow exports, aggregate and normalize different vendor formats into a common flow record, and pass that into a master traffic module that organizes and stores the flow records, provisions them into a database, and makes them available for either reporting, or to view in a dashboard.

The Traffic iSPI characterizes application traffic by service endpoint, for traffic that is both destined and sourced from the endpoint. Interactive dashboards can show top sources and destinations, top applications, and top traffic classes. Traffic can be organized and displayed by sites, as well.

Traffic Instrumentation

There are currently several approaches to instrumenting the collection of traffic flow data. The most common approaches are flow export technologies, and traffic sampling.

Flow export technologies include Cisco NetFlow, Juniper JFlow, Huawei NetStream, and the IETF IPFIX standard. Flow export works by creating a table of observed flows in the memory of the network device, and then periodically exporting that table of flows to a collector. The flow data is generally promiscuous and comprehensive for the observed flows, although each of these can be configured to construct flow tables from sampled flows. Flow export is resource-intensive for both the network device, and for the network as exports occur. Flow table export can be triggered by time, flow termination, or resource considerations.

Traffic sampling is available in modern switch implementations through sFlow. The sFlow protocol is supported by over 60 equipment vendors, and is generally implemented in merchant silicon chipsets used by most switch vendors. The protocol is maintained and evolved through the industry consortium.  sFlow instrumentation generates both sampled packets, and interface counter samples. Packets are sampled randomly, and include the packet and frame headers in addition to a portion of the payload. Interface counters are sampled on a configurable time interval. Samples are delivered to a collector continuously as sFlow datagrams.  Random sampling supports accurate characterization of the traffic with a quantifiable confidence interval, and sampling is extremely robust under higher loads. The use of sFlow is significantly less resource intense for both the network device and in terms of load on the network itself.

Most traffic tools on the market today collect and present flow data visible from the perspective of a single observation point or a collection of observation points (an observation domain). Flow export data is usually aggregated into an observation domain that represents multiple interfaces in a discrete network device, while sFlow data is usually sourced directly from each interface on a device. Most flow technologies also preserve a notion of directionality; whether the flow was observed ingress or egress from the interface. Most flow analyzers then present the flows which are visible from a specific interface or from an individual device.

Troubleshooting with Traffic

Traffic flow data is often used in a troubleshooting workflow to determine the source of high interface utilization, and the associated application generating the traffic.

Traffic troubleshooting workflows often begin with an indication of high utilization on a particular interface. Drilling down to the node or interface level offers a breakdown of top conversations traversing the interface. Aside from conversations, Top talkers and Top destinations offer a further drill-down to the source or destination node level and an application protocol drill-down.

Traffic Dashboard image 1.png

An operator is typically tasked to discover the nature of the traffic that is creating excessive utilization on an interface, or investigate the root cause of an exceeded QA performance threshold. In either case, the context to investigate the observed flows is provided through either the specific interface or the path of the QA measurement. A Traffic Map can provide the basis for investigating visible flows around a node experiencing high utilization.

Traffic Analysis Window image.png


Drilling into an application provides a summary of the sources and destinations generating traffic flows. Here’s an example of SNMP management traffic visible traversing a router:

 Traffic Dashboard image 3.png

Once the source of suspect traffic is identified, drilling into the node dashboard can provide some insight in the role of this source node, the owner, the location, and the timing or volume of the traffic in question:

Traffic Dashboard image 4.png




Traffic flow data provides valuable insight to understand and manage sources of application traffic driving utilization throughout the network infrastructure, and resolving threshold exceeded incidents.

Traffic data can also be useful for capacity planning, as new applications are released to the production network and application clients come online. Traffic thresholds can provide triggers for the growth of infrastructure, or the introduction of new classes of service. Traffic can provide critical context for traffic engineering and class of service design, to assist in characterizing the composition of differentiated traffic classes. In future blogs, we’ll explore additional use cases for traffic analysis.

  • infrastructure management
About the Author