Best practices for network monitoring

In network monitoring, New Relic utilizes containers to collect network telemetry data, which can be used to monitor network performance, identify bottlenecks, and troubleshoot problems. Learn best practices for monitoring network containers based on your system architecture and deployment.

Deployment considerations

This guide references a common networking architecture with the following requirements:

• SNMP polling and SNMP Traps collection
• Syslog collection from network devices
• Network Flow collection in NetFlow v5, NetFlow v9, IPFIX, and sFlow protocols
• Support for multiple sites separated by a geographically large distance

Architectural considerations

A container's task

The tasks of individual containers will determine the design of your network deployment. Here are some basic rules to follow:

• Containers that collect SNMP data can also receive SNMP traps by default.
• Containers that receive Syslog data should run on their own.
• Containers that receive network flow data must be isolated based on the type of flow template being collected.

Network Flow and Syslog containers

When using Network Flow and Syslog containers, you do not need a custom configuration file. The default settings from the container image will work fine because all of the container settings are passed at runtime via flags.

However, if you do not provide a configuration file with entries in the devices section, the results sent to New Relic APIs will use device_name resolved via DNS from the IP address in the respective packet. You can provide a custom DNS server location at runtime, but for full control with tagging, you should provide your own entries in the devices section with the flow_only setting set to true. This is what administrators generally want to do so that the name sent to New Relic APIs aligns with the name sent in from SNMP polling the same device.

Geography

Due to the downgrade of their priority in modern networks, SNMP and ICMP (ping) protocols can be affected by extended latency in round trip times. To prevent failed polling scenarios due to timeouts, containers should be created close to their target devices.

Compute scale

Individual containers are usually hosted on very small hosts and have minimal requirements as outlined in KTranslate container requirements. However, in heavy polling scenarios, you may need to scale the host's CPU. The primary reason for scaling to a larger CPU footprint for a container is the amount of load presented to the task. In these situations, it is typically better to run multiple containers to load balance instead of increasing the total size of your Docker host, which has cost implications.

Common architecture example

This diagram reflects a sample networking architecture with the following:

• Each geographical location has its own local containers used to collect and forward data to New Relic:

  • DC_01 (AMER):
    • Three containers on one host serving the DC_01 location in New York City.
    • Containers process SNMP polling, NetFlow v5 collection, and Syslog collection
    • Consideration: This host conaints a Class B private subnet (/16). To ensure that the job has time to complete, the discovery targets should be split up into manageable subnet sizes.
  • OFFICE_01 (APJ):
    • One container on one host serving the OFFICE_01 location in Sydney, Australia.
    • Container processes SNMP polling and SNMP Trap collection with discovery against a /24 subnet.
  • DC_02 (EMEA):
    • Three containers on one host serving the DC_02 location in Dublin, Ireland.
    • Containers process NetFlow v9, IPFIX, and sFlow collection
    • Consideration: This host has an even larger Class A private subnet (/8), but there is no need to scale the jobs since there is no need for discovery in this location. Depending on the flows-per-second, there may be a need to scale out into additional containers in the future. If so, you simply need to configure your network flow exporters to target different ports on the Docker host.

Maintaining your deployment

After initial installation, the network monitoring observability footprint can be maintained using various techniques. These include integrating configuration file changes with tools like Ansible, and building GitOps pipelines around the architecture to support versioning and "guest" options where external teams can submit changes for review.

The most common need for ongoing maintenance is to keep the list of target devices accurate. This can be done using three main discovery methods:

devices: {}
trap:
  listen: '0.0.0.0:1620'
discovery:
  cidrs:
      - 192.168.0.0/24
  ignore_list: []
  debug: false
  ports:
      - 161
  default_communities:
      - public
  default_v3: null
  add_devices: true
  add_mibs: true
  threads: 4
  replace_devices: true
  check_all_ips: true
  use_snmp_v1: false
global:
  poll_time_sec: 300
  mib_profile_dir: /etc/ktranslate/profiles
  mibs_enabled:
      - IF-MIB
  timeout_ms: 3000
  retries: 0

$
docker run -d --name ktranslate-$CONTAINER_SERVICE_NAME --restart unless-stopped --pull=always -p 162:1620/udp \
>
  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
>
  -e NEW_RELIC_API_KEY=$NR_LICENSE_KEY \
>
kentik/ktranslate:v2 \
>
  -snmp /snmp-base.yaml \
>
  -nr_account_id=$NR_ACCOUNT_ID \
>
  -metrics=jchf \
>
  -tee_logs=true \
>
  -service_name=$CONTAINER_SERVICE_NAME \
>
  -snmp_discovery_on_start=true \
>
  -snmp_discovery_min=180 \
>
  nr1.snmp

devices:
  ups_snmpv2c__10.10.0.201:
    device_name: ups_snmpv2c
    device_ip: 10.10.0.201
    snmp_comm: public
    oid: .1.3.6.1.4.1.318.1.3.27
    mib_profile: apc_ups.yml
    provider: kentik-ups
    user_tags:
      owning_team: dc_ops
...
global:
...
  mibs_enabled:
    - ARISTA-BGP4V2-MIB
    - ARISTA-QUEUE-MIB
    - BGP4-MIB
    - CISCO-MEMORY-POOL-MIB
    - CISCO-PROCESS-MIB
    - HOST-RESOURCES-MIB
    - IF-MIB
    - OSPF-MIB
    - PowerNet-MIB_UPS