In today’s network environment, WAN monitoring has different meanings to different people. For some, WAN monitoring is simple router queries to monitor link utilization on an ad hoc basis. For others, WAN monitoring means a distributed set of remote-monitoring agents and probes that collect and send comprehensive link statistics to a central server that stores, analyzes and displays the data. Still others view WAN monitoring as something only done during troubleshooting, where a portable device is used to capture packets “on the line” in real time.

Typical enterprise WAN networks use multiple interface types. In-line analyzers must support all these interfaces in order to resolve WAN issues.

Simple utilization monitoring is probably not sufficient, however, if immediate worldwide access to mission-critical information is needed to serve transaction-based customers. With the cost of network downtime as high as $96,632/hour, according to one source, careful monitoring of these mission-critical links becomes crucial. Unauthorized applications, unauthorized users, hackers and wasted bandwidth all need to be detected and corrected.

In a recent study of customer requirements for WAN link-analyzer tools, three key requirements rose to the surface: ease of setup and use, compatibility with multiple interfaces and statistical packet analysis. Equipment setup and effective use of WAN analyzer tools consistently outrank all other factors when making decisions concerning WAN monitoring schemes.

While different users prefer different GUIs and form factors, the dominant factors driving ease of use are the user’s level of familiarity with WAN analyzers and the estimated time the user will spend with the system. For a smaller enterprise with only a handful of WAN links, a user may find anything over a two-hour setup time unacceptable. The GUI should be intuitive, informative and easy to navigate, as the user does not use the tool every day.

In contrast, an enterprise with a dedicated WAN group that commonly uses multiple WAN tools to monitor different aspects of a large WAN network may find that a two-day installation window for the main console and a three-month rollout of a distributed system is perfectly reasonable. Since the tool will be used often, rich capability is preferred even if it means complex screens with multiple pull-down menus and complicated tables and graphs.

Analysis of all topologies

Most networks cover a broad variety of WAN topologies, including Frame Relay, point-to-point protocol and asynchronous transfer mode over different line speeds, such as T-1, DS-3 and OC-3. WAN analysis coverage across all these topologies is required for almost every enterprise network.

To support these different WAN interfaces quickly and easily, a totally auto-configured, dedicated device for each WAN interface has its advantages. These include quick setup and lower single-link analysis cost. Using a dedicated analyzer for each interface, however, can become costly and time-consuming.

The opposite extreme is a single unit with multiple “personality modules” and setup protocols. This type of analyzer provides comprehensive interface coverage from a single analyzer tool, allowing analysis of any type of link using one mainframe analyzer and a library of add-on modules. These tools can have a steep learning curve for each new interface, and may be less effective when multiple links need to be diagnosed at the same time. The result is an increase in mean time to repair (MTTR).

Cost-effective WAN monitoring tools are those that adapt to multiple network interfaces without hardware changes or elaborate reconfiguration rituals. Such tools can simplify problem identification and resolution, reducing MTTR and eliminating concerns about lost or degraded service.

A WAN link analyzer needs to deliver clear, concise and complete analysis of the link. For mission-critical links, a WAN monitoring tool should perform statistical analysis of link performance across all seven OSI layers and report performance over a period of time. The analysis should also allow the user to filter on specific virtual circuits, protocols, hosts and other metrics, and subsequently view WAN performance data on only those in the filter criteria.

Specific statistics should include traffic use tables of top hosts and conversations, traffic usage by virtual circuit and host lists by application. Ultimately, the data needs to provide insightful details that help network managers troubleshoot problems, verify service agreements and improve network performance.

Pinpointing network conflicts

The ability to drill down and examine minute details of packet contents also is important. This data can be invaluable in pinpointing network conflicts, traffic bottlenecks and security issues, such as rogue applications or viruses. Packet capture and analysis can identify a faulty application and pinpoint details needed for problem resolution.

Packet capture and analysis are also ideal for monitoring security on the network. For example, a hacker may first run a port scan program that finds which hosts on the network have which open ports. Armed with this knowledge, the hacker can launch a denial-of-service attack to prevent legitimate users from reaching network resources. Without the ability to capture packets on the WAN link, the network engineer does not understand the nature of the attack, since “port scans” may not initially appear to use an excessive amount of bandwidth.

To effectively troubleshoot and to eliminate network hardware as the cause of a WAN problem, a monitoring instrument should be able to capture packets at line rate. Operation at lower than line rate forces the tool to sample incoming packets and interpolate from the results. Sampling may cause the instrument to miss the packets that are the cause of WAN problems. When comparing instruments, it helps to know when sampling is used and whether the sampled data can be used effectively in troubleshooting.
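The two points above (a port scan barely registers in a bandwidth ranking, and sampling below line rate can hide it) can be seen in a short analysis over captured packet headers. This is an added example, not code from the article or from any analyzer product; the packet records are constructed, and the 20-port threshold and 1-in-10 sampling ratio are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_capture():
    """Constructed packet headers (src, dst, dst_port, bytes); not real traffic."""
    pkts = [("192.0.2.5", "198.51.100.9", 443, 1500)] * 200   # bulk transfer
    pkts += [("192.0.2.7", "198.51.100.20", 25, 800)] * 50    # mail delivery
    # One small probe to each of ports 1..100 on a single host.
    pkts += [("192.0.2.66", "198.51.100.9", p, 60) for p in range(1, 101)]
    return pkts

def top_talkers(pkts):
    """Hosts ranked by bytes sent: the utilization view of the link."""
    total = defaultdict(int)
    for src, _dst, _port, size in pkts:
        total[src] += size
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)

def scan_suspects(pkts, min_ports=20):
    """(src, dst) pairs where src touched at least min_ports distinct ports.

    min_ports is an assumed threshold; tune it to the link being monitored.
    """
    ports = defaultdict(set)
    for src, dst, port, _size in pkts:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def sample(pkts, n):
    """Keep every n-th packet, as an instrument running below line rate would."""
    return pkts[::n]

if __name__ == "__main__":
    capture = build_capture()
    print("ranked by bytes:", top_talkers(capture))
    print("full capture   :", scan_suspects(capture))
    print("1-in-10 sample :", scan_suspects(sample(capture, 10)))
```

The scanning host is last in the byte ranking, is flagged from the full capture by its port fan-out, and drops below the threshold once only every tenth packet is kept.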

The WAN analyzer should be connected to an actual WAN link. Solutions that are not on the WAN link may be missing crucial data. Layer 1 data, Layer 2 data and traffic blocked by a router or firewall will not be captured on the Ethernet side, leaving the network professional blind to the real cause of the problem.

Many of today’s WAN monitoring instruments are designed to provide an instant view of WAN link performance upon hook-up, with virtually no configuration. Circuit endpoints are automatically detected, all hosts using the link are automatically discovered and Layer 1-7 analysis automatically begins.