WAN Clarity Branch Reports
Table of Contents
WAN Clarity Branch Reports
Let us learn about the branch reports in the WAN Clarity Reports.
The following are the descriptions of
branch reports in the WAN Clarity Reports.
- Traffic Distribution
- Utilization Quadrant
- Utilization over Threshold
- Heatmap
- Hotspots
- Top N
- Application Volume per Circuit
Traffic Distribution
The Traffic Distribution report
helps administrators understand utilization across different WAN
path types at an AppFabric-level. This report provides a quick overview
of traffic distribution across the AppFabric, ensuring traffic meets the
aggregate path policy objectives.
The sample
chart above lists traffic distribution for a global enterprise for
the week of July 5, 2021. This enterprise’s objective of using more
of their public WAN circuit types (e.g., broadband Internet) versus
their private WAN circuits (e.g., MPLS) is being met at an aggregate
level. The following Utilization Quadrant report
will help identify which sites and circuits an administrator will
focus on next.
Utilization Quadrant
The Utilization Quadrant report
offers a visual synopsis of circuit utilization for all sites. The
report plots 90th percentile utilization for every circuit across
the AppFabric, in both ingress and egress directions. The quadrant
highlights circuits whose 90th percentile utilization is above 50%
of the provisioned capacity in either the ingress or egress direction,
thereby making it a candidate for further investigation.
For
example, if a particular site and circuit show up week after week,
it may warrant adjustments to the circuit capacity. However, to
assess whether the high utilization in a specific circuit is carrying
business-critical traffic and occurs during business-impacting hours,
you may use the next set of reports to clarify the utilization.
The sample
chart above summarizes utilization over a week for a global enterprise.
13 circuits stand out based on their utilization at the 90th percentile.
One site and circuit to review further is the MPLS circuit at Chicago
that seems to stand out for its egress utilization. The Utilization
Over Threshold report in the next section will provide
more clarity as to the days and minutes when the MPLS circuit was
highly utilized.
Utilization Over Threshold
The Utilization Over Threshold reports
provides any site and circuit present in the three quadrants of the
Utilization Quadrant report, representing greater than 50% utilization
(at the 90th percentile). This report provides a daily aggregate
of minutes when a circuit operates over the defined utilization
threshold. For the initial WAN Clarity Reports release, the threshold
set is 70%. This report supplements the Quadrant report as it informs
administrators of the days and the duration when a particular circuit
exceeded that threshold.
The
sample chart above displays the total minutes when the Chicago MPLS
circuit operated at or above 70% of the provisioned bandwidth. The
majority of the high utilization is during the workweek and in the
egress direction. However, to understand when the hotspots occurred
during those days, review the Heatmap report
described in the next section.
Heatmap
The Heatmap reports
provide any site and circuit present in the three quadrants of the
Utilization Quadrant report, representing greater than 50% utilization
(at the 90th percentile). The report provides context to the day's
hours (site local time) when the high utilization occurs. If the
observed contention happens during business hours, an assessment
of provisioned capacity may be warranted. The heatmap also sheds
light on abnormal bandwidth-consumption behavior outside of regular
business hours.
The sample
chart above shows the bandwidth consumption trend for the MPLS circuit
in Chicago for one week. This chart is interesting as many more
egress activities post business hours (after 1600 hours) than during
business hours. This may not be anomalous if scheduled software
upgrades, backup replication jobs, etc., typically happen after
business hours.
However, there is also a good bit of contention
between 2021-07-05 and 2021-07-11 during regular business hours.
Suppose this trend is observed week after week. In that case, the
network administrator should reassess the provisioned bandwidth
on this circuit or rewrite application policies to load-balance
traffic across multiple paths. The following set of Hotspot reports
will help identify which traffic contributes to the heavy load during
these periods
Hotspots
The Hotspot reports
provide each site and circuit with a corresponding Heatmap report
for granular insight into the circuits at the hotspots' time. The
reports provide a list of applications, undefined domains, destination
IPs, source IPs, and source and destination IP pairs observed during
the hotspots.
A hotspot is any period when the circuit utilization
in either the ingress or egress direction is above 70% of the provisioned bandwidth.
The charts generated for each hotspot report displays the top 10,
and a companion CSV file is available within the package that provides
all of the data for each hotspot report. The charts are generated
for the top 10 largest sites by volume. You can preview these charts.
| Hotspot Report | Description |
|---|---|
| Hotspots: Applications | Provides clarity as to which applications
contribute to the hotspots. The report gives insight into whether
business-relevant applications are consuming bandwidth during hotspots. This
information can be instrumental in ensuring that the appropriate
QoS and Path policies are applied in the future to guarantee that
business-critical applications are serviced first, with non-business-relevant
applications potentially offloaded to alternate paths. If business-critical
applications contribute to the hotspots week after week, reassess
if the circuit capacity may be oversubscribed. 
The
sample chart above lists the top 10 applications accessed during
hotspots on the MPLS link at Chicago for one week. One of the takeaways
from this report is the amount of traffic matching enterprise SSL
and enterprise-unknown applications, which are generic catch-all
applications for flows destined to enterprise prefixes: SSL and
non-SSL (and non-HTTP), respectively. The next set of reports
around undefined domains and destination IPs can help clarify which
enterprise FQDNs and IPs have the highest traffic to see if they
are candidates for custom application creation. |
| Hotspots: Destination IPs | Based on the hotspots identified in the
heatmap, the Hotspots: Destination IPs report clarify which destination
IP addresses contributed to the hotspots. This report is useful
to correlate with the Hotspots: Application report, especially when the
top application is a generic one like enterprise-unknown. With
these destination IP addresses, you will have enough information
to create a custom application so that they can apply unique QoS,
path, or security policies to these flows as needed, or at a minimum,
define an application for purposes of utilization tracking and performance. 
The
sample chart above lists the top 10 destination IP addresses accessed
when the MPLS link in Chicago was hot. |
| Hotspots: Undefined Domains | Lists the HTTP and SSL undefined domains
that you may observe during the hotspots. As these domains currently
do not map to any system or previously defined custom application signatures,
you may not be able to service them appropriately. Instead, you
may observe the domains match the flow of the generic application
signatures of enterprise-SSL, enterprise-HTTP, HTTP, or SSL. This
report is useful to correlate with the Hotspots: Application report,
especially when the top application is a generic one like enterprise-http
or enterprise-ssl. With these domains, an administrator will have
enough information to create a custom L7 application definition
and apply unique QoS, path, or security policies to these flows
as needed, or at a minimum, define an application for purposes of
utilization tracking and performance. 
The
sample chart above lists the top 10 domains accessed when the MPLS
link in Chicago was experiencing a hotspot in either the ingress
or egress direction. |
| Hotspots: Source IPs | Helps you understand the consumption from
an end user’s perspective. It sheds light on the top bandwidth consumers
from a source IP perspective during the observed hotspot periods. This
information can help filter out sources that may contribute to the
unnecessary load on the circuit. For example, a server that is unscheduled
to run backup replication jobs during regular business hours. 
The
sample chart above lists the IP addresses of the top 10 users who
were active when the MPLS link in Chicago was experiencing a hotspot
in either the ingress or egress direction. |
| Hotspots: Source IP – Destination IP Pairs | While the previous Hotspot reports provided
visibility into the most-active origin and endpoints when the link
was hot, this report, Hotspots: Source IPs and Destination IPs,
lists the most active source-destination IP pairs. This report
helps determine if the same set of source and destination IP pairs
contribute to the contention week after week. 
The
sample chart above lists the top 10 source and destination IP pairs
that were active when the MPLS link in Chicago was experiencing
a hotspot in either the ingress or egress direction. |
Top N
Top N reports are a set of reports
that provide insight into the top applications, source IPs, destination IPs,
source and destination IP pairs, and undefined domains for the entire
week. You may view these reports at a site level. They include a
chart listing the top 10 of each category and a companion CSV file
with information about all the contributors in that specific category.
The charts are generated for the top 10 largest sites by volume.
You can preview these charts. You can use insights from this report
to understand site-specific trends and turn them into actions such
as changing path policies, changing application priorities, and
reassessing the provisioned bandwidth for over-subscribed and under-utilized
circuits.
Unlike the Hotspots report,
which only looks at flows that traversed the network during periods
of hotspots, the Top N reports study flow and application data for
the entire week to determine which applications, users, and domains contribute
the most to high bandwidth utilization.
As shown in the previous
sections, sample reports for the Chicago branch for the same week
are listed below.
| Top N Report | Description |
|---|---|
| Top N: Applications | Lists the top applications for the entire
week and is not limited to hotspots. You may generate this report
per site, unlike the Hotspots Application report,
which is specific to periods of hotpots (utilization over 70%) on
a particular circuit. 
The
sample chart above lists the top 10 applications for Chicago across
all circuits for the week. Note that a similar set of applications
are listed for the Hotspot: Applications chart for the Chicago MPLS
circuit. This indicates that further refinement of application definitions
is required, with possible path, QoS, and security policies. |
| Top N: Source IPs | Lists the top source IPs for the entire
week and is not limited to hotspots. You may generate this report
per site, unlike the Hotspots Source IP report,
which is specific to periods of hotpots (utilization over 70%) on
a particular circuit. 
The
report above was generated for Chicago for the same duration as
the Hotspots Source IP report, as shown in an earlier section. Note
that top users for the week vary from the top users during hotspots.
Suppose there is an overlap with the Hotspots Source IP report.
In that case, a possible conclusion could be that the end user experience
was impacted, which could have affected Application SLAs. |
| Top N: Destination IPs | Lists the top destination IPs for the entire
week and is not limited to hotspots. You may generate this report
per site, unlike the Hotspots Destination IP report, which
is specific to periods of hotpots (utilization over 70%) on a particular
circuit. This report helps understand the destination of
most traffic during the week. One potential use case for this information
could be the flagging of anomalous or ill-intended destination IPs. 
The
report above lists the top 10 destination IP addresses for the Chicago
branch for the same duration as analyzed in the Hotspots Destination
IPs report in the earlier section. Notice there are some overlapping
IP addresses between the two reports, which could prompt an administrator
to create one or more custom applications to track performance and
utilization for these highly utilized destination IP addresses. |
| Top N: Undefined Domains | Lists the top HTTP and SSL domains accessed
per site during the week. These domains currently do not map to
any system or previously defined custom application signatures,
and therefore may not be appropriately serviced. Instead, you may observe
these domains in flows that match the generic application signatures
of enterprise-SSL, enterprise-HTTP, HTTP, or SSL. This report
helps identify missing domains for existing custom applications
or indicates a need to create new custom applications. 
The
image above lists the top 10 domains at the Chicago branch. If significant
traffic to 10.212.26.24 is observed week after week, an administrator
should assess if this domain belongs to an existing application.
If not, it is recommended that a custom application be created for
this domain to appropriate tracking and policy treatment. |
Application Volume per Circuit
The Application Volume per
Circuit reports list the total volume of application
data transferred per circuit and provide this information in a CSV
file format. The report helps understand how traffic is shaped and
how application traffic is load-balanced across different available
paths.
This data helps redefine path policy. A significant
use case is studying application data on metered links. If applications
other than mission-critical applications are visible on these links,
they can cause unnecessary tariffs on these metered links. An application policy
for these links can be re-written to remove the metered link as
a possible option in such an event.