WAN Clarity Branch Reports
Focus
Focus

WAN Clarity Branch Reports

Table of Contents


WAN Clarity Branch Reports

Let us learn about the branch reports in the WAN Clarity Reports.
The following are the descriptions of branch reports in the WAN Clarity Reports.

Traffic Distribution

The Traffic Distribution report helps administrators understand utilization across different WAN path types at an AppFabric-level. This report provides a quick overview of traffic distribution across the AppFabric, ensuring traffic meets the aggregate path policy objectives.
The sample chart above lists traffic distribution for a global enterprise for the week of July 5, 2021. This enterprise’s objective of using more of their public WAN circuit types (e.g., broadband Internet) versus their private WAN circuits (e.g., MPLS) is being met at an aggregate level. The following Utilization Quadrant report will help identify which sites and circuits an administrator will focus on next.

Utilization Quadrant

The Utilization Quadrant report offers a visual synopsis of circuit utilization for all sites. The report plots 90th percentile utilization for every circuit across the AppFabric, in both ingress and egress directions. The quadrant highlights circuits whose 90th percentile utilization is above 50% of the provisioned capacity in either the ingress or egress direction, thereby making it a candidate for further investigation.
For example, if a particular site and circuit show up week after week, it may warrant adjustments to the circuit capacity. However, to assess whether the high utilization in a specific circuit is carrying business-critical traffic and occurs during business-impacting hours, you may use the next set of reports to clarify the utilization.
The sample chart above summarizes utilization over a week for a global enterprise. 13 circuits stand out based on their utilization at the 90th percentile. One site and circuit to review further is the MPLS circuit at Chicago that seems to stand out for its egress utilization. The Utilization Over Threshold report in the next section will provide more clarity as to the days and minutes when the MPLS circuit was highly utilized.

Utilization Over Threshold

The Utilization Over Threshold reports provides any site and circuit present in the three quadrants of the Utilization Quadrant report, representing greater than 50% utilization (at the 90th percentile). This report provides a daily aggregate of minutes when a circuit operates over the defined utilization threshold. For the initial WAN Clarity Reports release, the threshold set is 70%. This report supplements the Quadrant report as it informs administrators of the days and the duration when a particular circuit exceeded that threshold.
The sample chart above displays the total minutes when the Chicago MPLS circuit operated at or above 70% of the provisioned bandwidth. The majority of the high utilization is during the workweek and in the egress direction. However, to understand when the hotspots occurred during those days, review the Heatmap report described in the next section.

Heatmap

The Heatmap reports provide any site and circuit present in the three quadrants of the Utilization Quadrant report, representing greater than 50% utilization (at the 90th percentile). The report provides context to the day's hours (site local time) when the high utilization occurs. If the observed contention happens during business hours, an assessment of provisioned capacity may be warranted. The heatmap also sheds light on abnormal bandwidth-consumption behavior outside of regular business hours.
The sample chart above shows the bandwidth consumption trend for the MPLS circuit in Chicago for one week. This chart is interesting as many more egress activities post business hours (after 1600 hours) than during business hours. This may not be anomalous if scheduled software upgrades, backup replication jobs, etc., typically happen after business hours.
However, there is also a good bit of contention between 2021-07-05 and 2021-07-11 during regular business hours. Suppose this trend is observed week after week. In that case, the network administrator should reassess the provisioned bandwidth on this circuit or rewrite application policies to load-balance traffic across multiple paths. The following set of Hotspot reports will help identify which traffic contributes to the heavy load during these periods

Hotspots

The Hotspot reports provide each site and circuit with a corresponding Heatmap report for granular insight into the circuits at the hotspots' time. The reports provide a list of applications, undefined domains, destination IPs, source IPs, and source and destination IP pairs observed during the hotspots.
A hotspot is any period when the circuit utilization in either the ingress or egress direction is above 70% of the provisioned bandwidth. The charts generated for each hotspot report displays the top 10, and a companion CSV file is available within the package that provides all of the data for each hotspot report. The charts are generated for the top 10 largest sites by volume. You can preview these charts.
Hotspot ReportDescription
Hotspots: Applications
Provides clarity as to which applications contribute to the hotspots. The report gives insight into whether business-relevant applications are consuming bandwidth during hotspots.
This information can be instrumental in ensuring that the appropriate QoS and Path policies are applied in the future to guarantee that business-critical applications are serviced first, with non-business-relevant applications potentially offloaded to alternate paths. If business-critical applications contribute to the hotspots week after week, reassess if the circuit capacity may be oversubscribed.
The sample chart above lists the top 10 applications accessed during hotspots on the MPLS link at Chicago for one week. One of the takeaways from this report is the amount of traffic matching enterprise SSL and enterprise-unknown applications, which are generic catch-all applications for flows destined to enterprise prefixes: SSL and non-SSL (and non-HTTP), respectively.
The next set of reports around undefined domains and destination IPs can help clarify which enterprise FQDNs and IPs have the highest traffic to see if they are candidates for custom application creation.
Hotspots: Destination IPs
Based on the hotspots identified in the heatmap, the Hotspots: Destination IPs report clarify which destination IP addresses contributed to the hotspots. This report is useful to correlate with the Hotspots: Application report, especially when the top application is a generic one like enterprise-unknown.
With these destination IP addresses, you will have enough information to create a custom application so that they can apply unique QoS, path, or security policies to these flows as needed, or at a minimum, define an application for purposes of utilization tracking and performance.
The sample chart above lists the top 10 destination IP addresses accessed when the MPLS link in Chicago was hot.
Hotspots: Undefined Domains
Lists the HTTP and SSL undefined domains that you may observe during the hotspots. As these domains currently do not map to any system or previously defined custom application signatures, you may not be able to service them appropriately. Instead, you may observe the domains match the flow of the generic application signatures of enterprise-SSL, enterprise-HTTP, HTTP, or SSL.
This report is useful to correlate with the Hotspots: Application report, especially when the top application is a generic one like enterprise-http or enterprise-ssl. With these domains, an administrator will have enough information to create a custom L7 application definition and apply unique QoS, path, or security policies to these flows as needed, or at a minimum, define an application for purposes of utilization tracking and performance.
The sample chart above lists the top 10 domains accessed when the MPLS link in Chicago was experiencing a hotspot in either the ingress or egress direction.
Hotspots: Source IPs
Helps you understand the consumption from an end user’s perspective. It sheds light on the top bandwidth consumers from a source IP perspective during the observed hotspot periods.
This information can help filter out sources that may contribute to the unnecessary load on the circuit. For example, a server that is unscheduled to run backup replication jobs during regular business hours.
The sample chart above lists the IP addresses of the top 10 users who were active when the MPLS link in Chicago was experiencing a hotspot in either the ingress or egress direction.
Hotspots: Source IP – Destination IP Pairs
While the previous Hotspot reports provided visibility into the most-active origin and endpoints when the link was hot, this report, Hotspots: Source IPs and Destination IPs, lists the most active source-destination IP pairs.
This report helps determine if the same set of source and destination IP pairs contribute to the contention week after week.
The sample chart above lists the top 10 source and destination IP pairs that were active when the MPLS link in Chicago was experiencing a hotspot in either the ingress or egress direction.

Top N

Top N reports are a set of reports that provide insight into the top applications, source IPs, destination IPs, source and destination IP pairs, and undefined domains for the entire week. You may view these reports at a site level. They include a chart listing the top 10 of each category and a companion CSV file with information about all the contributors in that specific category. The charts are generated for the top 10 largest sites by volume. You can preview these charts. You can use insights from this report to understand site-specific trends and turn them into actions such as changing path policies, changing application priorities, and reassessing the provisioned bandwidth for over-subscribed and under-utilized circuits.
Unlike the Hotspots report, which only looks at flows that traversed the network during periods of hotspots, the Top N reports study flow and application data for the entire week to determine which applications, users, and domains contribute the most to high bandwidth utilization.
As shown in the previous sections, sample reports for the Chicago branch for the same week are listed below.
Top N ReportDescription
Top N: Applications
Lists the top applications for the entire week and is not limited to hotspots. You may generate this report per site, unlike the Hotspots Application report, which is specific to periods of hotpots (utilization over 70%) on a particular circuit.
The sample chart above lists the top 10 applications for Chicago across all circuits for the week. Note that a similar set of applications are listed for the Hotspot: Applications chart for the Chicago MPLS circuit. This indicates that further refinement of application definitions is required, with possible path, QoS, and security policies.
Top N: Source IPs
Lists the top source IPs for the entire week and is not limited to hotspots. You may generate this report per site, unlike the Hotspots Source IP report, which is specific to periods of hotpots (utilization over 70%) on a particular circuit.
The report above was generated for Chicago for the same duration as the Hotspots Source IP report, as shown in an earlier section. Note that top users for the week vary from the top users during hotspots. Suppose there is an overlap with the Hotspots Source IP report. In that case, a possible conclusion could be that the end user experience was impacted, which could have affected Application SLAs.
Top N: Destination IPs
Lists the top destination IPs for the entire week and is not limited to hotspots. You may generate this report per site, unlike the Hotspots Destination IP report, which is specific to periods of hotpots (utilization over 70%) on a particular circuit.
This report helps understand the destination of most traffic during the week. One potential use case for this information could be the flagging of anomalous or ill-intended destination IPs.
The report above lists the top 10 destination IP addresses for the Chicago branch for the same duration as analyzed in the Hotspots Destination IPs report in the earlier section. Notice there are some overlapping IP addresses between the two reports, which could prompt an administrator to create one or more custom applications to track performance and utilization for these highly utilized destination IP addresses.
Top N: Undefined Domains
Lists the top HTTP and SSL domains accessed per site during the week. These domains currently do not map to any system or previously defined custom application signatures, and therefore may not be appropriately serviced. Instead, you may observe these domains in flows that match the generic application signatures of enterprise-SSL, enterprise-HTTP, HTTP, or SSL.
This report helps identify missing domains for existing custom applications or indicates a need to create new custom applications.
The image above lists the top 10 domains at the Chicago branch. If significant traffic to 10.212.26.24 is observed week after week, an administrator should assess if this domain belongs to an existing application. If not, it is recommended that a custom application be created for this domain to appropriate tracking and policy treatment.

Application Volume per Circuit

The Application Volume per Circuit reports list the total volume of application data transferred per circuit and provide this information in a CSV file format. The report helps understand how traffic is shaped and how application traffic is load-balanced across different available paths.
This data helps redefine path policy. A significant use case is studying application data on metered links. If applications other than mission-critical applications are visible on these links, they can cause unnecessary tariffs on these metered links. An application policy for these links can be re-written to remove the metered link as a possible option in such an event.