
CS5440 Networks Management

NETCONF, SYSLOG & NETFLOW

Instructor: Mphatsi L.A.


Office: SCN202
Email: la.mphatsi@gmail.com
Outline

• SYSLOG

• NETCONF

• NETFLOW (From Cisco's IOS)


SYSLOG intro

• As the name indicates, the purpose of syslog is to write system messages
to a log—that is, to a file where a system administrator can analyze them
as needed. Each syslog message is essentially intended to result in an
entry in that log.
• However, by posing as a logging host, management applications can often
receive messages directly as they occur, without needing to take the detour
of retrieving log entries from a log file.
• The syslog messages can include everything from critical alarm conditions
to mundane debugging statements that are issued when processing passes
a certain line in the code.
• The resulting log entries provide a general trail of the activity of the device.
As such, many syslog messages that are generated might never be of any
practical use. However, under certain circumstances, the capability to
retrace much of the device’s activity trail using those logs can be invaluable.
SYSLOG operation
SYSLOG message format

• In many cases, syslog messages constitute little more than a “print”
statement in the code, which is intended to be used and interpreted by
an administrator looking at the messages in a log file.
• syslog messages have two parts, a message header and the message
body.
• The message body contains the content of the message itself. It is the
“informal” part of a syslog message.
• The message header contains minimal but essential information about
the message itself in a very structured manner.
• This information includes the time when the message was emitted, the
name of the host that emitted the message, the severity of the message
(anything from alert to debug), the subsystem that emitted the message,
and a so-called mnemonic (a name for the type of message).
SYSLOG message format
Example

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN
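
The header layout shown in the example can be split into its fields mechanically. The parser below is an added example, not part of the original slides; the function names are hypothetical, the severity names are the standard syslog levels 0 to 7, and every sample line except the first is constructed.

```python
import re

# Standard syslog severity levels 0-7 (lower number = more severe).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

# Layout: timestamp: %FACILITY-SEVERITY-MNEMONIC: free-text body
IOS_MSG = re.compile(
    r"^(?P<timestamp>.*?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<body>.*)$"
)

def parse_ios_syslog(line):
    """Return header fields and body as a dict, or None if the line
    does not follow the %FACILITY-SEVERITY-MNEMONIC layout."""
    m = IOS_MSG.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY[rec["severity"]]
    return rec

def at_least(lines, max_level):
    """Keep parsed messages whose severity number is <= max_level,
    silently skipping lines that are not syslog messages."""
    parsed = (parse_ios_syslog(l) for l in lines)
    return [p for p in parsed if p and p["severity"] <= max_level]

# Sample input: the slide's example on one line, then constructed lines.
SAMPLE = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "00:01:02: %SYS-5-CONFIG_I: Configured from console by console",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    for rec in at_least(SAMPLE, 3):
        print(rec)
```
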
The SYSLOG server

• The syslog server provides a relatively user-friendly interface for
viewing syslog output.
• The server parses the output and places the messages into pre-defined
columns for easy interpretation. If timestamps are
configured on the networking device sourcing the syslog messages,
then the date and time of each message displays in the syslog
server output.
• Network administrators can easily navigate the large amount of data
compiled on a syslog server.
NETCONF

• Netconf is a newer management protocol, geared specifically toward
managing the configuration of data-networking devices.
• Currently, it is not targeted at monitoring functions and managing state
information - the assumption is that another protocol such as SNMP will
be around to handle those aspects.
• This simply means that the scope is a little more limited and focused,
compared to more general-purpose protocols.
• The fact that Netconf is designed for device configuration does not
mean that it cannot be used or expanded for other purposes.
• In fact, it already allows for the retrieval of state information, although
this does not constitute a central capability.
• Netconf, however, is best positioned in the configuration management
space, where it can fill the void left by SNMP.
NETCONF datastores

• In Netconf, a configuration datastore corresponds to a device’s config
file - the set of configuration statements that need to be executed to
bring the device into its desired configuration state.
• As a protocol, Netconf provides the operations that are necessary to
manage those datastores.
• For example, Netconf offers operations that allow a manager to
change the contents of what a particular datastore contains (that is,
edit the configuration).
• It can also retrieve the contents of a datastore from or deliver them to
the device. The datastore, of course, resembles an MIB.
• Netconf allows management data inside a configuration datastore to
be organized in a hierarchical, treelike fashion that defines different
scopes, as illustrated in the next slide.
NETCONF Architecture

• Netconf is built around an architecture that acknowledges the fact that
management communication involves multiple layers as illustrated on the
next slide.
• The transport protocol layer provides for the underlying communication
transport. Different transports are possible and can be used—for example,
Secure Shell (SSH) and Block Extensible Exchange Protocol (BEEP).
• The RPC layer provides primitives that enable managers to invoke
functions on agents, using a request-response pattern. The primitives that
Netconf provides are, accordingly, RPC and RPC reply. RPC alludes to a
remote-procedure call.
• The operations layer contains the guts of the Netconf protocol - that is,
the management operations themselves. This includes everything from
managing the management association itself to operations to manipulate
and push around configuration files.
NETCONF Operations

• Netconf offers the following management operations:
– The get-config is used to retrieve a config file from the device.
– The edit-config is used to modify and change a configuration—that is, the
contents of a configuration datastore.
– The copy-config is used to change a configuration. It is thus similar to
edit-config. However, unlike edit-config, the change is not made within a
configuration; the configuration target is replaced in its entirety.
– The delete-config does just that—it removes a configuration from a
device. Of course, the running config cannot be deleted.
– The lock and unlock enable a manager to request exclusive access to a
configuration. While a manager holds a lock, other users are not allowed
to change the configuration.
• Note: XML is used to encode data
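
The operations above travel as XML inside an RPC, and the agent answers with an RPC reply. The sketch below is an added example, not part of the original slides: it builds a lock, edit-config, unlock sequence against the running datastore and checks replies. The function names, the `urn:example:device` payload namespace, the hostname value and both sample replies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace
ET.register_namespace("", NS)

def q(tag):
    """Qualify a tag name with the NETCONF base namespace."""
    return f"{{{NS}}}{tag}"

def build_rpc(message_id, operation, datastore="running", config=None):
    """Wrap one operation in an <rpc> element and return it as XML text."""
    rpc = ET.Element(q("rpc"), {"message-id": str(message_id)})
    op = ET.SubElement(rpc, q(operation))
    # get-config reads from a <source>; the other operations name a <target>.
    role = "source" if operation == "get-config" else "target"
    ET.SubElement(ET.SubElement(op, q(role)), q(datastore))
    if config is not None:               # edit-config carries the new settings
        ET.SubElement(op, q("config")).append(config)
    return ET.tostring(rpc, encoding="unicode")

def reply_ok(reply_xml, message_id):
    """True only if the reply answers our message-id and contains <ok/>."""
    reply = ET.fromstring(reply_xml)
    if reply.tag != q("rpc-reply") or reply.get("message-id") != str(message_id):
        return False
    if reply.find(q("rpc-error")) is not None:
        return False
    return reply.find(q("ok")) is not None

def locked_edit_sequence(config, first_id=101):
    """lock -> edit-config -> unlock, so that no other manager changes the
    datastore while the edit is applied."""
    return [build_rpc(first_id, "lock"),
            build_rpc(first_id + 1, "edit-config", config=config),
            build_rpc(first_id + 2, "unlock")]

# Constructed payload and replies (hypothetical device namespace and values).
HOSTNAME = ET.Element("{urn:example:device}hostname")
HOSTNAME.text = "core-sw1"
OK_REPLY = f'<rpc-reply message-id="101" xmlns="{NS}"><ok/></rpc-reply>'
DENIED_REPLY = (f'<rpc-reply message-id="101" xmlns="{NS}"><rpc-error>'
                '<error-type>protocol</error-type>'
                '<error-tag>lock-denied</error-tag>'
                '<error-severity>error</error-severity></rpc-error></rpc-reply>')

if __name__ == "__main__":
    for msg in locked_edit_sequence(HOSTNAME):
        print(msg)
```

A manager that receives the lock-denied reply should stop before sending edit-config, since another session holds the lock.
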
Statistics & Accounting Tools

• Traffic accounting and analysis
– What is your network used for, and how much
– Useful for Quality of Service, detecting abuses, and billing (metering)
– Dedicated protocol: NetFlow
– Identify traffic "flows": protocol, source, destination, bytes
– Different tools exist to process the information
• Flowtools, flowc
• NFSen
• Many more: http://www.networkuptime.com/tools/netflow/
NETFLOW

NetFlow is a Cisco IOS technology that provides statistics on packets
flowing through a Cisco router or multilayer switch.
Purpose of NetFlow

• Most organizations use NetFlow for some or all of the following key
data collection purposes:
– Efficiently measuring who is using what network resources for
what purpose.
– Accounting and charging back according to the resource
utilization level.
– Using the measured information to do more effective network
planning so that resource allocation and deployment is
well-aligned with customer requirements.
– Using the information to better structure and customize the set of
available applications and services to meet user needs and
customer service requirements.
Network flows

• NetFlow technology has seen several generations that provide more
sophistication in defining traffic flows, but “original NetFlow”
distinguished flows using a combination of seven key fields.
• Source and destination IP address
• Source and destination port number
• Layer 3 protocol type
• Type of service (ToS) marking
• Input logical interface
NetFlow Analysis with a NetFlow Collector

• Who are the top talkers and to whom are they talking?
• What websites are routinely visited and what is downloaded?
• Who is generating the most traffic?
• Is there enough bandwidth to support mission-critical activity?
• Who is monopolizing the bandwidth?
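
To connect the seven key fields of original NetFlow with the collector questions above, the following added example (not part of the original slides) groups packets into flows and ranks sources by bytes sent. The packet records, interface name and function names are constructed for illustration, and the addresses come from documentation ranges.

```python
from collections import defaultdict, namedtuple

# The seven key fields of "original NetFlow" from the Network flows slide.
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port protocol tos input_if")

def build_flow_cache(packets):
    """Group packets into flows: packets that share all seven key
    fields update the same flow's packet and byte counters."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        key = FlowKey(*(pkt[f] for f in FlowKey._fields))
        cache[key]["packets"] += 1
        cache[key]["bytes"] += pkt["bytes"]
    return dict(cache)

def top_talkers(cache, n=3):
    """Rank source addresses by total bytes across all of their flows."""
    totals = defaultdict(int)
    for key, counters in cache.items():
        totals[key.src_ip] += counters["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def conversations(cache, src_ip):
    """'To whom are they talking': bytes per destination for one source."""
    peers = defaultdict(int)
    for key, counters in cache.items():
        if key.src_ip == src_ip:
            peers[key.dst_ip] += counters["bytes"]
    return dict(peers)

def pkt(src, dst, sport, dport, proto, size, tos=0, iface="Gi0/1"):
    """Build one constructed packet record (protocol 6 = TCP, 17 = UDP)."""
    return dict(src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport,
                protocol=proto, tos=tos, input_if=iface, bytes=size)

# Constructed sample traffic.
PACKETS = [
    pkt("192.0.2.10", "198.51.100.5", 51000, 443, 6, 1500),
    pkt("192.0.2.10", "198.51.100.5", 51000, 443, 6, 1500),
    pkt("192.0.2.10", "198.51.100.5", 51001, 443, 6, 400),   # new source port: new flow
    pkt("192.0.2.20", "198.51.100.9", 40000, 53, 17, 80),
    pkt("192.0.2.20", "198.51.100.9", 40000, 53, 17, 80, tos=184),  # new ToS: new flow
]

if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    print(len(cache), "flows;", top_talkers(cache))
```
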
References and Acknowledgements

[0] Cisco Networking Academy, CCNA R/S – Connecting Networks, Copyright 2015 Cisco Systems, Inc.

[1] Alexander Clemm, Ph.D., Network Management Fundamentals, Copyright 2007 Cisco Systems, Inc.

[2] Chabalala S.C., National University of Lesotho, Mathematics & Computer Science, 2012

[3] Allen L. Ramaboli, National University of Lesotho, MACS, 2014

[4] NGUYỄN CAO ĐẠT, Hochiminh City University Of Technology, Computer Science & Engineering, 2014
