
Product Updates

Latest features, improvements, and product updates on Kentik's Network Observability platform.

Core, New feature
5 years ago

Kentik v4: Big Winter Launch Summary

For the last few months, our product team has been adding exciting, new capabilities that transform Kentik from a network monitoring product into an AIOps platform — turning data into insights and using automation to empower network teams.

Here is the complete product update on all new major features that were released between August 2019 and February 2020. We’ll also talk about what’s next on our near-term roadmap. Let’s dig in.


Overview

Running networks has never been easy, especially today. As digital business drives the fastest revenue growth in history, infrastructure/Ops teams are under tremendous pressure to run networks smoothly. However, since even small networks continuously generate gigabytes of diagnostic and telemetry data, operators spend hours collecting, collating, merging and analyzing this information to understand network utilization, manage and optimize network capacity, troubleshoot problems, identify malicious actors, and manage costs.

At Kentik, we want to make managing networks significantly easier. We have done that in this release by:

  • Providing use case-specific workflows that are designed to help users address complicated, error-prone tasks quickly and easily
  • Equipping users with proactive insights that are both automatically generated and user-defined
  • Providing convenient, interactive and fast access to your most frequently used views
  • Adding a highly intuitive Network Map to help users oversee the entire infrastructure

Workflows and Modules At-a-glance

At a high level, workflows focus on common Ops tasks and are categorized into four different modules (Operate, Edge, Protect, Service Provider). There are also some shared core components that are used across multiple workflows, such as Insights & Alerting, Data Explorer, and Network Map.

OPERATE

Troubleshoot and visualize network traffic and infrastructure across cloud, data center, WAN and campus environments.

  • Centralize visibility and control of your entire network footprint
  • Answer any network question quickly and easily
  • Reduce MTTR and improve team efficiency with guided workflows

Network Explorer:
Assess network status with organized, pre-built views of activity and utilization.

  • Answer your most common questions with out-of-the-box tables and visualizations
  • Rapidly access traffic breakdowns and Top-N data (IP addresses, devices, geographies, etc.)
  • Easily find the information you need without setting up and running complex queries

Insights & Alerting:
Search, filter, and view network events that are automatically detected by the Kentik AIOps engine.

  • Simplify monitoring with built-in, zero-configuration detection
  • Discover emerging network events before they affect customer experience
  • Triage and prioritize events to reduce resolution times

Data Explorer:
Distill network data into rich visualizations that provide a deep understanding of network activity.

  • Find relevant network data quickly without preconfiguring questions or network objects
  • Answer any network question with full-fidelity historical data
  • Curate and share network views to simplify visibility for other users

Network Map:
Visualize network topology, geography and traffic to understand the interaction between customers or applications and the underlying infrastructure.

  • Navigate to areas of interest with a geographical representation of the network
  • Understand the connectivity between network devices and sites
  • Find hotspots with an intuitive view of device and interface utilization

Capacity Planning:
Automate network capacity planning tasks and prioritize actions using growth forecasts and projected run-out dates.

  • Automate data gathering and correlation to prioritize the most critical capacity issues
  • Eliminate complex spreadsheets and manual planning processes

EDGE

Analyze and optimize network performance and costs across the internet edge.

  • Manage interconnection with other networks to optimize traffic paths for cost or performance
  • Project network costs and verify provider invoices against measured traffic volumes
  • Ensure infrastructure reliability for internet-facing applications and services

Peering & Interconnection:
Identify remote networks to target for direct interconnection and understand the potential impact on new and existing connectivity.

  • Find opportunities to optimize costs or improve performance via new connectivity
  • Evaluate potential peering partners and build data-driven business cases for interconnection
  • Measure traffic ratios and enforce peering agreements

Connectivity Costs:
Predict costs for external connectivity using provider pricing models and traffic volume measurements.

  • Understand the drivers of overall network spend
  • True up provider invoices and discover billing errors
  • Eliminate billing surprises with automatic cost forecasts

Traffic Engineering:
Resolve impending congestion and customer impact by identifying logical traffic groups that can be moved to alternate paths.

  • Make sound traffic engineering decisions
  • Automate data collection and collation for traffic engineering tasks
  • Avert capacity crises by making space for new capacity lead times

PROTECT

Protect the network from DDoS attacks with fast, accurate detection, automated mitigation actions, and fine-grained forensics.

  • Eliminate midnight wake-ups with automated DDoS detection and mitigation
  • Detect service-impacting network events before they affect customer experience
  • Trace malicious or suspicious traffic across the network and back to its origin

DDoS Defense:
Automate the entire DDoS attack lifecycle, from detection to investigation and mitigation.

  • Eliminate false positives/negatives and decrease response time with automatic ML-based traffic profiling
  • Visualize attack characteristics and network impact
  • Trigger automatic mitigation actions including RTBH, Flowspec, and external mitigation hardware or services

SERVICE PROVIDER

Understand the dynamics of customer and subscriber network utilization to optimize network costs, survey the competitive landscape and discover new revenue opportunities.

  • Reveal the third-party content owners and service operators that drive network cost and traffic growth
  • Make data-driven decisions to minimize network CAPEX and OPEX
  • Improve customer service outcomes with detailed per-subscriber network utilization details
  • Equip CSP sales teams with network utilization reports to discover, retain and grow customer revenue

CDN Analytics:
Discover the mix of CDN providers that deliver traffic into the network and where the traffic enters the network.

  • Optimize CDN traffic delivery and performance for subscribers
  • Enable data-driven negotiation with CDN operators to reduce costs and zero-in on subscriber performance issues
  • Find and fix CDN traffic origin misconfigurations

OTT Service Tracking:
Associate traffic with OTT content owners and service operators to expose the competitive landscape and optimize pricing to incorporate actual subscriber usage patterns.

  • Reveal the origins and growth of network traffic and evaluate the competitiveness of in-house offerings
  • Analyze usage patterns across customer segments to optimize plans and pricing
  • Improve customer service outcomes by informing subscribers with human-readable details

Onboarding

From the start, we offer step-by-step onboarding guidance to help you set up your Kentik environment based on your specific interests and needs. The onboarding includes easy and quick steps to configure the data to be ingested from your devices.

Setup Steps

1. Purpose of your Network

Define the purposes your network serves, for example, how it:

  • Delivers digital products to customers over the internet
  • Provides internet service to paying customers
  • Provides wholesale internet and carrier services
  • Provides enterprise connectivity and services
  • Serves application traffic from data centers and/or cloud environments

2. Network Boundaries

Classify IP addresses and ASNs as Internal or External. By doing this, Kentik will be able to profile the traffic as it traverses the network. With these traffic profiles, users can get an immediate sense of where the traffic is coming from and going to in relation to the network’s boundary.


3. Data Sources

Add the data sources that can generate flows — either networking devices or instances from public clouds.


(You will be prompted to enter various device / cloud information in order to send the traffic data to the Kentik Platform.)

For more information, please contact our Customer Success team.

Operate

Network Explorer

Network Explorer is the default landing page of the new Kentik Portal. It curates an intuitive summarized view for all traffic (including cloud) across your entire infrastructure, categorized into different traffic profiles. To be specific:

  • Traffic bandwidth consumption for the past 24 hours in different profiles
    • Total: All traffic regardless of profile.
    • Inbound: Traffic that originates outside your network and terminates inside your network.
    • Outbound: Traffic that originates inside your network and terminates outside your network.
    • Internal: Traffic that both originates and terminates inside your network.
    • Through: Traffic that both originates and terminates outside your network.
    • Other: Traffic that is not classified by any of the above profiles.

  • Traffic summaries for sites and clouds
  • A detailed table with customizable tabs (up to 8) to display the information that you are most interested in
  • A set of “cards” that show key information and real-time stats for each use case
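The profile definitions above depend on the Internal/External classification from the Network Boundaries onboarding step. The following is an added example, not Kentik code, that classifies flow records into those profiles; the prefix list and flow records are constructed, and it covers IP prefixes only, not ASNs.

```python
import ipaddress
from collections import defaultdict

# Constructed boundary definition (assumption): prefixes classified as Internal.
# Everything else that parses as an IP address is treated as External.
INTERNAL_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "192.0.2.0/24", "2001:db8:1::/48")
]

# (source side, destination side) -> traffic profile, as defined in the list above.
PROFILES = {
    ("external", "internal"): "Inbound",
    ("internal", "external"): "Outbound",
    ("internal", "internal"): "Internal",
    ("external", "external"): "Through",
}


def side(addr):
    """Return 'internal' or 'external', or None if addr is not a valid IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in INTERNAL_PREFIXES:
        # Compare only within the same address family (IPv4 vs IPv6).
        if ip.version == net.version and ip in net:
            return "internal"
    return "external"


def profile(src, dst):
    """Classify one flow; anything that cannot be placed falls into 'Other'."""
    return PROFILES.get((side(src), side(dst)), "Other")


def bytes_by_profile(flows):
    """Sum bytes per profile for an iterable of (src, dst, bytes) records."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[profile(src, dst)] += nbytes
        totals["Total"] += nbytes
    return dict(totals)


# Constructed flow records (src, dst, bytes); documentation address ranges only.
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.1.2.3", 1200),           # outside -> inside
    ("10.1.2.3", "203.0.113.9", 800),             # inside -> outside
    ("10.1.2.3", "192.0.2.10", 500),              # inside -> inside
    ("198.51.100.7", "203.0.113.9", 300),         # outside -> outside
    ("", "10.1.2.3", 50),                         # missing source address
    ("2001:db8:1::5", "2001:db8:ffff::1", 700),   # IPv6, inside -> outside
]

if __name__ == "__main__":
    for name, total in sorted(bytes_by_profile(SAMPLE_FLOWS).items()):
        print(f"{name:9} {total}")
```

A large or growing Through or Other total usually means the boundary definition is incomplete, which is worth fixing before relying on the Inbound and Outbound figures.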


It’s important to highlight the “Explorer Top Talkers” in the “Operate” box. This provides direct and quick access to the data visualization that ties to specific aspects of traffic beyond just the overview. You can now more easily view your traffic from different perspectives and look for the things you care about the most.


We also call this “Quick View,” which aims to provide a table-view of what’s happening in your network with the attribute that you are interested in. Instead of having users manually create repetitive queries to slice-and-dice the network data, Kentik now has these frequently-used queries available with a single click:

  • Sites, Devices, Interfaces, Providers, Connectivity Types, Network Boundaries in the NETWORK & TRAFFIC context
  • TCP Traffic, DNS traffic in the HOST MONITORING context
  • ASNs, AS Path, BGP Community, INET Family, IP Addresses, Next-Hop ASNs, Packet Size, Protocols, Route Prefixes in the IP & BGP ROUTING context
  • Applications, Services in the APPLICATION context
  • Countries, Regions, Cities in the GEOGRAPHIC context
  • Amazon Web Services, Google Cloud Platform, Microsoft Azure in the CLOUD context

Each Quick View enables users to drill down to any level of detail to help them understand their network better, for example:

  • You start by analyzing “Countries” traffic
  • You pick the “United States” which ranks #1 for its inbound and outbound traffic
  • You pick other attributes such as Sites, Devices, Interfaces to drill further down
  • You click on one of the “Sites”, which takes you to another Quick View on that site, including a topology view
  • You continue until you have a complete picture of your current network state

Kentik also enables a very handy way of accessing those views via URL:

  • Devices page: portal.kentik.com/v4/operate/quick-views/devices
  • Interfaces page: portal.kentik.com/v4/operate/quick-views/interfaces
  • Sites page: portal.kentik.com/v4/operate/quick-views/sites


For more information, please see the Network Explorer topic in our Knowledge Base, or contact our Customer Success team.

Insights & Alerting

We revamped our platform around an AIOps Engine, which was designed to surface relevant, actionable and interesting events related to your network traffic, health, security, and applications. This system empowers operators to efficiently identify, troubleshoot and resolve real issues on their networks, and fast.

In short, proactive and interactive insights and human-assisted and machine-powered automation are how Kentik delivers the promise of AIOps for network professionals.

We provide two categories of Insights:

  • Custom Insights: Users can define an “Alerting Policy” based on what they know about their network and possible problems.
  • Kentik Insights: Kentik’s predefined algorithms, based on our strong domain knowledge, help users understand what they didn’t know, focused on various use cases such as “Capacity Analytics”, “Connectivity Costs”, “Network Health”, “Peering Analytics”, “Threat Activity”, “Traffic Analytics”, “Traffic Trends”, and so on.


With Kentik Insights, network engineers will be able to:

  • Have one central place to view both system-detected and user-defined insights and alerts
  • Have one central place to view, modify and silence alerts
  • Silence Insights related to a specific key (IP address, device, geography) so that the Insights delivered are more relevant


You can always expand the view of a specific Insight and get quick details without leaving the page. From there, you can dig deeper with the links that are provided — either by looking at the details page for the Insight or by going directly to the related Device, Site, AS, whichever the Insight is about.


The notifications from Insights will be filtered and shown in the right panel across the board based on relevancy. If you are on the “Overview” page, all Insights will be shown; if you are on the “Sites” page, only Insights related to “Sites” will be shown, and the same applies to “Devices”, “Interfaces” views, and so on.


For more information, please see the Insights topic in our Knowledge Base, or contact our Customer Success team.

Data Explorer

Data Explorer is one of Kentik’s core functionalities that can be used across multiple use cases.

Data Explorer provides direct views into your network activity and traffic, from a high-level picture down to the deep details. Data Explorer’s key capabilities include unlimited nested filtering and rapid click-through to get you the answers you need fast. This has been a powerful feature that all existing Kentik customers love because it allows easy access to all data, grouped by any variable.

As shown below, we’ve implemented some improvements such as:

  • Ability to hide the query window
  • Results update automatically with each query change
  • Full-width support


For more information, please see the Data Explorer topic in our Knowledge Base, or contact our Customer Success team.

Network Map

Network Map is another core functionality that can be used across multiple use cases. Network Map provides a visual overview of the network topology with every component and real-time traffic across the entire infrastructure.


In a large-scale network, it’s always hard not to lose the big picture while chasing after small details, and vice versa. Depending on your role, Network Map can help answer your questions from both macro and micro perspectives.

If you are a network architect overseeing your entire infrastructure, you can:

  • Get an “At-A-Glance” view that shows the important attributes of the network, such as utilization and health
  • Understand the network layout and get an idea of how close links are running to maximum capacity

If you are a network operator focusing on one particular site, you can see things like:

  • The external connectivity available at each site, also on a per-device basis
  • The current ingress/egress bandwidth utilization of each external peering link, also on a per-device basis
  • All the devices within the site, how they are connected, and what the bandwidth utilization is for the interconnect links among all of them

If you are a network engineer under tremendous pressure when a critical issue happens, you want to:

  • View how sites are connected to providers to determine which ones are being affected by certain issues due to that provider
  • Set up different purpose-built Network Map views that your engineers can look at to debug
  • Have different teams look at different aspects of the topology (e.g. backbone, edge)

Network Map enables you to take action via workflows. You can always drill down to detail pages from topology panels to solve your problem instantly.

For example:

  • If you notice certain links are running close to maximum capacity, you can drill down with the Traffic Engineering workflow
  • If you are interested in particular traffic flows, you can always drill down to Data Explorer
  • If you have concerns about the health of some links, you can drill down to Insights and Alerting to set alarms for closer monitoring

Roadmap: In the near future, we will add more rich context in Network Maps to help users understand their networks better:

  • Add GEO Maps to associate topology with geographic information for more intuitive site-level visualizations
  • Overlay Service Maps onto the topology to understand what applications are running and what the traffic patterns are between applications
  • Add more visualizations that are use-case specific, such as hosts and host links, VRF, and DDoS

For more information, please see the Network Map topic in our Knowledge Base, or contact our Customer Success team.

Capacity Planning

Infrastructure utilization is directly related to operational efficiency which impacts the business. Bad capacity planning can result in a big mess — either wasting resources or creating congestion when the infrastructure is not keeping up with business growth.

Capacity Planning creates an automated workflow for managing infrastructure capacity. This replaces old, tedious, error-prone manual methods and generates alerts and run-out date predictions so network architects and capacity teams can properly plan their network capacity throughout the planning lifecycle. Planning teams can then easily analyze and optimize costly connections between locations, to the internet and cloud providers.

Capacity Planning can help network architects and network services buyers in the following use cases:

  • Network architects need to increase the capacity of the network or manage traffic to reduce utilization in order to prevent congestion
  • A network services procurement team has concerns about overprovisioning in many places, but other places have occasional hotspots which cannot be under-served. They need to understand these dynamics and receive automatic notifications.
  • Network architects need to view all of the capacity to specific network providers so that they can determine when to make network upgrades or decommission underutilized capacity for that provider
  • Network architects need to view all of the capacity to groups of customer interfaces so that they can determine when to make network upgrade recommendations to that customer

To achieve the best planning accuracy, we leverage multiple data sources across the environments as necessary, such as SNMP, flow data and streaming telemetry data. We currently rely primarily on SNMP data, which will be augmented with additional data sources in the near future.

The workflow for Capacity Planning is very intuitive via the following steps:

  • Create a capacity plan: define metrics, define aggregation threshold, pick a time range
  • Kick off the Capacity Calculation
  • Show month-over-month growth, current utilization, expected runout date
  • Provide advance notification when approaching the threshold


For more information, please see the Capacity Planning topic in our Knowledge Base, or contact our Customer Success team.

Edge

Peering & Interconnection

Peering is a voluntary interconnection between networks belonging to separate organizations for the purpose of exchanging traffic. There are many motivations behind peering and interconnection, such as:

  • Increased redundancy by reducing dependence on one or more transit providers
  • Increased capacity for extremely large amounts of traffic (distributing traffic across many networks)
  • Increased routing control over one’s traffic
  • Improved performance (attempting to bypass potential bottlenecks with a “direct” path)
  • Improved perception of one’s network (being able to claim a “higher tier”)
  • Ease of requesting emergency aid (from friendly peers)

(source: Wikipedia)

The Peering & Interconnection workflow is designed to help access/eyeball networks, enterprise networks, and content networks to make informed decisions on how to architect their internet edge and structure routing policies in order to reduce costs and/or improve performance.

There are many use cases when it comes to Peering & Interconnection that Kentik can help with. Here are a couple of examples:

For network strategists, architects or operators:

  • Find opportunities to save money on transit costs and/or facilitate better performance for customers and applications
  • Understand the potential impact of a new peering connection on existing transit and peering links
  • Understand where end users are physically located to evaluate peering opportunities in the context of physical proximity to these users, especially for businesses which deliver interactive or latency-sensitive applications

Today’s Peering & Interconnection workflow provides the capability to discover potential peers automatically and identify attractive peering opportunities. By default, the Sankey diagram displays all possible peers, but you can always use the filters (e.g. sites, countries, peering policy, peering traffic ratio, etc.) on the top of the page to narrow that list.


Depending on your business, you may care about peering using different directional perspectives. Kentik can populate the data using both inbound and outbound modes. The inbound mode will help networks that receive a lot of traffic from remote networks. The outbound mode will help networks that send a lot of traffic to remote networks.

The rest of the page will display all the potential peers with more details in a table, with controls to exclude networks which are not good peering candidates.


From there, you can go to the Peer Explorer by clicking on one of the table items to drill in on a specific opportunity to discover how easy or hard it would be to peer with the network in question, and the implications of peering with a specific network. You’ll see things like the AS number and name, a visualization of the last 30 days of traffic, with one-hour granularity, a visualization that shows the bitrate to/from the ASN, unique IP and prefix counts, traffic distribution by country, external traffic details from that potential peer by site and more. You can always type in the URL portal.kentik.com/v4/edge/peering/[asn] to access the information for a specific peer.

For more information, please see the Discover Peers topic in our Knowledge Base, or contact our Customer Success team.

Connectivity Costs

Managing the costs of connecting your business to the world is an essential aspect of controlling your overall service delivery costs. Maintaining a firm grasp on how these costs are allocated, and knowing exactly when they change, can help guide you through critical decisions and planning exercises. However, calculating and making sense of these costs can easily become a full-time job. Kentik now provides a Connectivity Costs workflow to help NetOps teams contextualize and manage these costs quickly and easily — no spreadsheets needed!

The Connectivity Costs workflow aims at helping Kentik customers understand how traffic entering or exiting external interfaces (transit and/or peering interfaces) impacts operational costs. This workflow serves the following purposes:

  • Easily use your own network data to check the accuracy of billing statements from network providers
  • Visually detect and understand unexpected changes in cost, allowing users to drill into the root cause of these changes
  • Surface current cost trends, useful in network planning and forecasting

Roadmap: In a future iteration, we will allow users to surface historical cost trends across providers based on the data, as well as see how customer network utilization impacts your overall costs. We will also soon build automatic insights and report export capabilities.

Configuration Steps

  • Interface Classification needs to be configured properly as one of the prerequisites because the platform needs to know:
      1. Whether each interface is external or internal
      2. What the connectivity type is (e.g. Transit, IX, Paid Peer, Free Peer, etc.)
      3. Corresponding Provider
  • Since it requires using SNMP to poll the interface data, you will need to enable SNMP on your network devices
  • Click the “Configure” button at the upper right to add or edit a provider setting
  • Add/Edit Provider by inputting the provider’s name, type and billing cycle start date
  • Add/Edit Cost Groups info with details such as name, cost model (e.g. Commit or Flat Rate), committed information rate, unit price, and metered percentile.
  • Add/Edit Cost Group Interfaces info to add interfaces to the Cost Group

For complete steps, please refer to the Enabling Connectivity Costs topic in the Knowledge Base.


A very important feature called Cost Rollup gives the “bottom line” cost estimation for all of the computed providers and their associated cost groups. This number is computed by taking the sum of all computed provider groups without performing any additional aggregation at this level.

The Total Ingress and Total Egress figures show the amount of traffic recorded inbound or outbound across the interfaces identified within the cost groups. This is useful as it provides the user with context as to which “direction” of traffic flow they are billed on.

On the same page, you will also find the distribution of “Costs by Provider Group”, “Costs by Site” as well as “Costs by Site Country”, where you can click to dive into detailed breakdowns for each of these important perspectives.

For more information, please see the Connectivity Costs topic in our Knowledge Base, or contact our Customer Success team.

Traffic Engineering

Traffic Engineering is a daily function that nearly all service providers and digital enterprises employ to optimize network performance, control costs and prepare for service interruptions. For instance:

  • Eyeball ISP Networks usually have multiple uplinks to different network providers for redundancy to prepare for failover only, rather than utilize all uplinks at the same time
  • Transit AS Networks usually optimize their traffic flows by retaining traffic loads within PoPs and minimizing traffic across the backbone
  • Content Providers care more about shaping outgoing traffic to ensure performant delivery directly to their end-users
  • Others may have concerns with maintaining a balance between incoming and outgoing traffic between and across providers

Our goal is to help our customers to leverage flow data to make sound traffic engineering decisions in an automatic manner, depending on their intentions, instead of routinely adjusting BGP knobs to shift traffic from one network peer to another manually.

We built the Traffic Engineering workflow together with multiple Kentik users who work on the largest peering networks in the world. We listened carefully to their pain points when it comes to handling traffic engineering and developed a solution to address that pain. We also allow grouping traffic using real-world traffic attributes such as AS-Path regex patterns and IP prefixes to simplify the traditional traffic engineering approach.

The configuration is automatic and leverages existing BGP, SNMP and flow data already collected from your network. Assuming these prerequisites are met, you can navigate to the main window to find the particular sets of interfaces that you are interested in, as well as highly-utilized interfaces within the last 24 hours as shown below:

[Image: Traffic Engineering]

Then let’s say you select one interface to see the current load distribution based on Raw Prefix or Destination 2nd/3rd Hop AS-Path and your target utilization. If the actual traffic load exceeds the target utilization, this amount of traffic will be highlighted, and you can discover the correct prefixes to match on in a routing policy in order to reduce traffic on the interface.

[Image: Traffic Engineering]

Roadmap: Future iterations of this product will include the ability to sort prefixes by bitwise order as well as automatic aggregation of prefixes.

For more information, please see the Traffic Engineering topic in our Knowledge Base, or contact our Customer Success team.


Protect

DDoS Defense

DDoS attacks have the potential to wreak havoc on your network. Beyond the negative impacts on your service availability, denial-of-service attacks can have serious negative consequences on your team’s efficiency, lower revenues, and hurt your reputation.

Kentik uses flow data as a key signal to determine “normal” vs. abnormal traffic activity. When abnormal conditions are detected, Kentik can step in to reduce the harmful effects of DDoS or even mitigate attack traffic. (Please refer to the DDoS Defense topic on our website for more information.)

On top of our existing, powerful DDoS protection capabilities, we’ve built a new DDoS Defense workflow to make it quick and painless for users by focusing on ease-of-use features and a beautiful and intuitive UI that enables users to:

  • Configure the product, fast (in the amount of time it takes to enjoy a cup of coffee)
  • Provide immediate attack detection and prevention (so you can rest easy today)
  • Help users obtain a deep understanding of their ongoing and historical attacks (so more time can be spent on protecting and operating your network rather than running reports)

The DDoS Defense workflow is composed of two main parts: DDoS Defense Configuration and the DDoS Defense Dashboard Page. The Configuration part helps users set things up correctly in order to accurately detect attacks. The Dashboard Page gives a view where users can quickly and easily see details about ongoing and historical attacks and mitigations.

Note, effective DDoS-attack detection requires us to fully understand the structure of your network so that we can differentiate normal traffic patterns from anomalous behavior. Kentik gains this understanding through prerequisites, including: Interface Classification, Traffic History and BGP Configuration. The DDoS Defense workflow walks you through those prerequisite settings step-by-step.

DDoS Defense Configuration

After the prerequisite checks are complete, this workflow guides you to the “Enable Attack Profiles” page, where you select and activate one or more Kentik preset alert policies (20+ of them!), each of which is designed to respond to a specific attack profile. With a few simple adjustments to a given policy’s threshold settings, you will be able to tailor that policy to the specifics of your network’s traffic.

DDoS Defense Configuration

Once attack profiles are configured, Kentik will start ingesting at least 120 hours of traffic history to accurately detect any attack traffic that might enter later.

After finishing the initial configuration, DDoS Defense by default will take you to the dashboard page to give you a high-level view of DDoS attack activity that has generated alarms from the alert policies that you configured earlier. Each of the attacks can be further expanded with more details, and will be highlighted in the traffic charts above.

DDoS Defense Dashboard

For more information, please see the DDoS Defense topic in our Knowledge Base, or contact our Customer Success team.


Service Provider

CDN Analytics

Today, nearly all content providers leverage one or more CDN (content delivery network) providers, which means each CDN normally carries traffic for a multitude of content providers. Eyeball ISPs, whose networks deliver bandwidth to subscribers, are now facing a huge challenge to make sensible engineering decisions that drive business growth without a clear and unified picture of how CDNs factor into traffic delivery. Furthermore, CDNs constantly change delivery sources and paths for each ISP and they routinely modify routing to adapt to ever-changing capacity and cost constraints on their end. All of this adds more complications for Eyeball ISPs to make data-driven business decisions in order to retain subscribers and maximize the ratio of performance versus cost.

Eyeball ISPs need visibility into how CDNs deliver traffic to their end-users in order to operate efficiently.

Kentik now offers CDN Analytics, arming ISPs with the following capabilities:

  • Read, track and optimize CDN traffic delivery and performance to subscribers
  • Inform interconnection negotiations with CDNs using data-driven analytics

Let’s dive into a few user scenarios where CDN Analytics become very helpful for various roles in Eyeball ISPs:

  • Network and NOC engineers need to know when and how routing changes happen for any given CDN that could generate performance impact for their own subscribers. Furthermore, they need to understand and track the cost and performance differences between On-Net CDN caching and Off-Net CDN traffic.
  • Infrastructure executives need to know about and evaluate the option of embedding caches from a CDN into their own networks (whether this is a purpose-built CDN or a commercial CDN) to evaluate the decision of improving subscribers’ experience versus cost.
  • Network and NOC engineers need to get alerts and take action to ensure business continuity in the case of:
    • Volume change of ingress traffic from a given CDN deviates from the normal level
    • Certain connectivity types run out of capacity for a given CDN that will result in further traffic mix change
    • A shift of traffic mix from some CDN that will cause an effect on the user performance
    • Per-subscriber traffic volume changes for a given CDN or Connectivity Type

CDN Analytics provides a guided workflow to configure all required background data properly which builds a solid foundation to optimize CDN detection accuracy and unlock every view, including:

  • Classification for interfaces connected to CDNs via External (IX, Transit, Peering) and Internal (Embedded Cache) interfaces
  • Associated providers and their cost group
  • Subscriber definition
  • Embedded Cache detection (if any)

After setup, the CDN Analytics workflow is able to provide the following capabilities:

  • CDN Traffic Overview shows the volume of traffic entering your network from each CDN, which is of interest to peering/interconnection managers and network architects
  • Yearly peaks for a given CDN for network engineers and peering managers to prepare extra resources for when the usual peak is going to take place
  • CDN provider attributes/profiling that peering/interconnection managers find useful for network strategy
  • Connectivity type mix for both current and past, so that peering managers and network architects can consistently try to reduce the amount of costly transit involved in the mix
  • CDN offloading - OnNet vs OffNet to see the efficiency of each CDN’s on-net caching solution
  • Overview of the OTT services a given CDN carries for NOC engineers and network engineers to identify the source of specific subscriber issues

Below is a sample look at the CDN Analytics main page. It clearly maps out your CDN vs. non-CDN traffic, traffic by connectivity type, and your top CDNs’ traffic. All the source CDNs will be listed below for users to further drill down. In the right panel below, all the insights related to CDNs are surfaced, driven both by manually configured and system-generated policies.

CDN Analytics

Together, CDN, OTT, and Subscriber (future release) Analytics in our Service Provider product provide a holistic subscriber and content analytics solution.

For more information, please see the CDN Analytics topic in our Knowledge Base, or contact our Customer Success team.

OTT Service Tracking

Eyeball ISP engineering leaders and network strategists need to support many activities, including customer retention, content performance/cost analysis, and content-focused interconnection and planning. They need to react quickly and troubleshoot efficiently to ensure smooth delivery of content towards subscribers. However, there currently aren’t many good ways to get metrics on OTT content services consumed by Eyeball ISP users.

The Kentik OTT Service Tracking workflow gives DPI-like visibility, delivered as a SaaS solution, without the cost, operational complexity and security concerns of appliance-based solutions. The OTT Service Tracking workflow arms Eyeball ISPs with the instrumentation they need to deliver content to subscribers by providing very precise insights such as overlays of delivery methods, subscriber groups, subscriber performance, OTT applications and providers, and more.

Let’s dive into a few user scenarios where OTT Service Tracking can be very helpful for various roles in Eyeball ISPs:

  • Network engineers and strategists need to detect and analyze “content events,” then provide timely and efficient guidance for the NOC or hotline for near/long-term remediation (e.g. think about a new Fortnite release)
  • Network engineers and QA staff need to define cross-sections of the users to evaluate OTT metrics over those specific sections (e.g. Unique Users, DSLAM/CMTS/OLT aggregation points, Last Mile PoPs, Subscriber Plans, etc.)
  • Marketing leaders want to look at the subscribership and Mbps-per-subscriber for a given OTT service to understand the subscriber footprint
  • Network engineers and executives need to evaluate the ramifications of zero-rating specific content providers
  • Network engineers, ISP quality assurance staff and frontline customer support need to identify users with poor performance towards a given OTT service to maintain and improve customer retention
  • ISP executives or ISP security leaders are eager to get insights on suspicious traffic from or between users to discover the possibility of legal liability
  • Network engineers or ISP executives want to be alerted when performance decreases from a given OTT service or provider to ensure the customer experience
  • And much more…

The OTT Service Tracking workflow provides the following key features to address the above use cases:

  • OTT service lookups and meta-data
  • DNS data sources provisioning
  • Specific OTT hostname matching
  • IP-defined OTTs, in addition to the existing hostname patterns

Below is a sample look at the OTT Service Tracking workflow landing page. It gives an overview of your total OTT traffic, traffic by connectivity type, and your top providers’ traffic. All of the OTT service types will be listed below for users to further drill down. In the right panel, all the insights related to OTT are surfaced, driven by both manually configured and system-generated policies.

OTT Analytics

For more information, please see the OTT Service Tracking topic in our Knowledge Base, or contact our Customer Success team.

Summary

Kentik is AIOps for network professionals. We launched the new Kentik platform in winter 2020 to power up network teams with AIOps techniques like large-scale data collection, correlation, and machine learning to manage the scale and complexity of todayʼs networks.

To see all of the new capabilities in action, you can request a personalized demonstration, or

Author: Greg Villain
Core, UI/UX, New feature
5 years ago

New Kentik (V4) Interface

At Kentik, we believe that the future is insights and automation to empower humans—not replace them.

Kentik V4 focuses on proactive insights, both system-driven and custom user-defined, as well as interactive insights driven by humans. The new Quick Views offer convenient, built-in interactive visualizations for fast access to the most-used views. Custom Views & Data Explorer allow users to answer more sophisticated, interactive questions about the network instantly, at the full resolution at which the data is collected.

V4 also makes managing networks significantly easier by adding use-case-specific workflows. This dramatically improves the learning curve for onboarding new networks, devices, and capabilities. We’ve reduced the time from signup to getting real, useful insights from Kentik.

This new interface is not just a new look with an overhauled UI, but also a transformation in how Kentik provides proactive advice and advanced troubleshooting capabilities. This change represents the beginning of Kentik’s transformation from a network monitoring product to an AIOps platform, turning your data into actionable insights.

Kentik V4 Highlights

Kentik V4 is built around a brand new AIOps Engine that was designed to surface relevant, actionable and interesting events around your network traffic, health, security, and applications. This system empowers operators to efficiently identify, troubleshoot and resolve real issues on their networks, fast.

With V4, we took note of our customers’ feedback to design and build workflows that make time-consuming and repetitive tasks easy. We are kicking this effort off with the launch of two new modules:

  • The Connectivity Costs module helps network operators keep track of their current and historical bandwidth costs, giving them visibility into their costliest applications, sites, and customers.
  • We’ve also released our new Traffic Engineering module, which makes easy work of finding complex traffic groups when performing traffic engineering tasks.

We’ve also developed an innovative way for users to interact with their network data. V4’s new Quick Views module was designed from the ground up to present users with their infrastructure data elegantly and intuitively. While the beloved Data Explorer lives on for those that wish to limitlessly spelunk into flows, our new Quick Views module promises to deliver the same precision and flexibility you’ve come to expect from us, but without requiring expert-level knowledge of the Data Explorer.

Kentik V4 UI Design Overview

Your new Kentik landing page is shown in the screenshot below. There are 3 panels (left, middle, right) that serve different purposes:

  • The Sidebar Navigation on the left is a menu to navigate around the portal.
  • The Main Panel is a content display, with content related to whichever menu item you click on.
  • The Insights Sidebar on the right is one of the highlights of Kentik V4. It automatically notifies users of interesting or anomalous network conditions or traffic behaviors based on the patterns surfaced by our new Insights Engine.

Here are a few quick peeks at the new Kentik UI. Note that all aspects of the UI shown here are subject to change as the product evolves.

V4 Menu Walkthrough:


V4 Connectivity Costs Module:


V4 Network Map Module:

Conclusion and What’s Next

Kentik V4 is designed to guide users to discover hidden conditions in the network that would be very difficult for operators to find within a huge volume of diverse network data streams across both traditional and cloud infrastructure. With the Kentik V4 AIOps platform, customers can accelerate the network team’s efficiency, automate issue resolution, and create new business capabilities using these instant insights.

Kentik’s AIOps platform is available for early access to existing customers and will be GA later in 2019 with more comprehensive support for more use cases and functions, such as Capacity Planning, Container Networking Visibility, Subscriber intelligence, MyKentik Portal and much more.

For more information, please see the Knowledge Base V4 or contact our Customer Success team to get access to the preview.

Author: Greg Villain
Improvement, Core, New feature
5 years ago

MPLS (Multi-Protocol Label Switching) Template Support

Multi-Protocol Label Switching (MPLS), sometimes classified as a Layer 2.5 networking protocol, reduces router load by using packet labeling to avoid IP routing lookups. MPLS is known for providing benefits such as scalability, performance, better bandwidth utilization, reduced network congestion, and a better end-user experience. It’s been heavily used for implementing traffic engineering, segmenting multi-service networks as well as improving network resiliency via MPLS Fast Reroute.

With support for MPLS flow templates, Kentik can now collect and visualize label values applied to traffic coming in/out of interfaces. This gives operators greatly needed visibility to monitor or troubleshoot MPLS traffic by filtering or segmenting traffic based on labels.


The secret sauce enabling this capability is Kentik’s Universal Data Records, which allow us to rapidly add new data sources and data dimensions to the Kentik platform and address our customers’ ever-evolving network visibility challenges. Read our recent blog post for more background on Universal Data Records.

For Phase 1 of MPLS, we support MPLS flow templates in different flavors including Cisco and Juniper, with full support for policies and alerting.

See the table below for details of the newly-added MPLS dimensions:

| MPLS dimension | Description |
| --- | --- |
| MPLS Forwarding Type | The control protocol that allocated the top-of-stack label (reference here) |
| MPLS Forwarding Address | The IP address to which the MPLS top label will cause the flow to be forwarded |
| MPLS Forwarding Address Prefix Length | The prefix length of the subnet to which the MPLS top label will cause the flow to be forwarded |
| MPLS Label 1 | Label part of MPLS header at the top of the stack |
| MPLS Label 1 EXP | Experimental bits of MPLS header at the top of the stack |
| MPLS Label 2 | Label part of MPLS header pushed prior to the top of the stack |
| MPLS Label 2 EXP | Experimental bits of MPLS header pushed prior to the top of the stack |
| Forwarding Status | The forwarding status of the flow with one of the following: Unknown, Forwarded, Dropped, or Consumed |

The following Sankey diagram depicts an overview of the MPLS traffic flowing end-to-end within an example network, including values for MPLS attributes of the traffic.

For more information on MPLS Template Support, please contact our Customer Success team.

Author: Dušan Pajin
Improvement, Core, New feature
5 years ago

SNMP Support (Phase 1)

While we are embracing cutting-edge technologies such as Streaming Telemetry, our core focus has always stayed on solving our customers’ problems.

SNMP is still a widely-used protocol in network operations for managing and monitoring network devices and their functions. Now, with Kentik’s first phase of SNMP support, our customers can observe many more aspects of network devices than before: discovering devices on the network based on IP ranges or subnet, collecting information such as network devices’ OS, version, name, management IP, interface metadata, VRF settings, processors and much more.

With this additional visibility, Kentik makes it easier for operations teams to get a comprehensive picture of the devices in their infrastructure. These features support many use cases including capacity & utilization planning, and more efficient network troubleshooting.

As a network engineer, there are many problems that can be solved with detailed SNMP visibility, including:

  • You can see SNMP base interface stats per interface and other Interface Classification dimensions
  • You can visualize the capacity of an interface over time
  • You can aggregate capacities from all backbone logical interfaces
  • You can aggregate the inbound and outbound utilization of an interface or group of interfaces

Phase 1 primarily supports a basic set of SNMP metrics such as Interface metrics, which are very similar to the list mentioned above in Streaming Telemetry. Available interface metrics include: Input Bit Rate, Input Packets, Out Bit Rate, Input Errors, Output Errors, Input Discards, Output Discards, Input Multicast Packets, Output Multicast Packets, Input Broadcast Packets, and Output Broadcast Packets. See screenshot below:

We offer a 5-minute resolution on standard polling in this initial release. In the future, we’ll support more polling rates based on the use cases and requests we see from customers.

Collecting SNMP data from the Kentik platform is flexible. Kentik can directly poll your devices from our SaaS platform, or you can use the latest kproxy agent running on any local host to act as an SNMP polling proxy.

In subsequent phases, we will support an ever-increasing part of the SNMP OID tree including full interface metrics and interface metadata. We’ll also provide full alerting capability over SNMP data.

For more information, please see the SNMP OID Polling topic in our Knowledge Base, or contact our Customer Success team.

Author: Dušan Pajin
Improvement, Core, New feature
5 years ago

Streaming Telemetry Support (Phase 1)

Streaming Telemetry is not a new term anymore, yet adoption is still in very early stages. In short, it is a technology that provides a new approach for collecting network device metrics in which data is streamed from the devices continuously, as opposed to periodic polling like SNMP. Streaming telemetry is a more scalable and flexible way of exposing metrics from your infrastructure.


Our recent blog post on the subject explains what Streaming Telemetry is, discusses how to maximize the value of it, and shares Kentik’s vision of leveraging this new technology.

We believe that Streaming Telemetry can improve efficiency for network operators in use cases like detecting problems, troubleshooting issues, planning for networking capacity and much more.

Kentik ingests streaming telemetry data at scale, the same way we handle other types of data we ingest like NetFlow. Then with enrichment and machine learning, we surface potential problems, using both built-in and custom user-defined detection methods. We help network teams swiftly and accurately respond to incidents, proactively recognize and prevent issues from impacting service and business, and allow them to focus on optimization rather than firefighting.

The first phase of Kentik’s support for streaming telemetry offers:

  • Direct collection of telemetry data
  • Interface classification support
  • Juniper “gNMI” JTI with UI support
  • Interface metrics, including: Input/Output Unicast/Multicast/Broadcast BitRate/Packets/Errors/Discards (see screenshot below)

As an example, we can now use streaming telemetry data to view statistics and visualizations of network ingress and egress traffic, broken down by interface, connectivity type and so on.

In subsequent phases, we will support more vendors (e.g., Cisco Dial-Out for ASR), add full interface metrics, provide more sample interval options, provide full alerting on metrics and state changes, and much more.

Please contact our Customer Success team if you want to get a preview of this early version of Streaming Telemetry support.

Author: Dušan Pajin
Improvement, Core, Service Provider
5 years ago

New Metrics: Mbps per Unique Source/Destination IP

Kentik has always supported metric options to count unique source and destination IPs in each row of a query response. We’ve now added a new metric that shows the average bit rate (Mbps) per unique IP. This metric is particularly useful to examine if and when an issue is arising. Here are a couple of examples:


  • Find the Average Mbps per Destination towards subscribers in a specific last mile aggregate of their traffic. The aggregate can be easily described in a Custom Dimension matching traffic based on a set of CMTS or DSLAM local loop aggregators, or even more simply just a Site.
  • Look at traffic towards subscribers for a given Internet Access Plan. The Plan aggregation level can also be a Custom Dimension based on CIDRs. In this case, users are assigned to specific CIDRs in the IPAM based on their plan.

This “Bitrate Per IP” can be found in the Data Explorer under both “Source IPs” and “Destination IPs”:

This feature works best when paired with Kentik’s ability to detect Over The Top (OTT) services, to display Average/Max/95-99p of the Bitrate for each individual OTT service. For video-based OTT services, we now have a scalable way to calculate Average Bitrate across subscriber sets. As a result, ISPs are now able to track subscriber experience for important content sources.


Let’s look at an example content provider (OTT Service) that has their own CDN and also embeds caches within the ISP network. We’ll compare performance (Mbps per subscriber) for traffic sourced from On-Net Caches vs the OTT service’s CDN.

First, we use filters to set these criteria:


Second, we’ll use a Filter-Based Dimension to compare two time series: Traffic from embedded local caches vs Traffic served from the Content Provider’s own Network and off-net caches (i.e., long-tail content):

Lastly, we’ll select the new “95th Bitrate by Destination IP” metric:

The resulting chart below clearly confirms the assumption that the video traffic coming from On-Net Embedded Caching Servers has a higher Bitrate than the long-tail traffic coming from Off-Net Caching Servers in the Content Provider’s CDN.


For more information, please contact our Customer Success team.

Author: Greg Villain
Improvement, Core
5 years ago

Syslog Support: May/June 2019 Update

Why Syslog? Syslog messages generated by network devices (e.g., switches/routers, firewalls, SD-WAN appliances, etc.) carry essential data about the traffic, including applications, SSIDs, overlay information and so on. This goes beyond what NetFlow delivers, and it is especially important to analyze for people who handle security-related operations.


Kentik is a platform that ingests a large volume of data from diverse data sources. Flow is just one of them, and we keep adding additional data types for enrichment and correlation. Syslog is on the list and we just finished Phase 1 support, including:

  • Cisco ASA Firewall Syslog (Flow ID, Message, Severity, Message ID)
  • Juniper Routers’ Packet Forwarding Engine (PFE) Syslog (Message, Subtype, Interface, Event)
  • General Syslog (chfAgent): chfAgent is Kentik’s NetFlow proxy agent, which enables encrypted transport of flow data from the network devices in a user’s organization to the Kentik Platform. Now, via the same chfAgent, you can ingest general Syslog data as well. Note that this is a beta feature, and the Kentik team is happy to work with you to gain value from it for your business.

For more information, please see the Cisco ASA Syslog Dimensions, Juniper PFE Syslog Dimensions and chfagent Syslog Parsing topics in our Knowledge Base, or contact our Customer Success team.

Author: Dušan Pajin
New feature, BGP Monitoring
5 years ago

RPKI Dimension

BGP is the routing protocol that makes the internet work—it is the language spoken by routers on the Internet to determine how packets can be sent from one router to another to reach their final destination.

However, route leaks and hijacks happen semi-frequently and usually result in part of the internet being unreachable.

An improved routing security mechanism is needed to make the Internet routing world safer. Enter RPKI…


Resource Public Key Infrastructure (RPKI), defined by RFC 6480, is a cryptographic method that was designed to sign BGP route prefix announcements with the originating AS number. One way to think about RPKI: RPKI is to BGP what DNSSEC is to DNS. It offers a way to validate the origination of BGP prefixes against an official, signed list of prefixes by origin ASN.

Kentik has now integrated RPKI support via new dimensions, to allow users to precisely determine what would happen to the existing network traffic if they were to turn on RPKI validation on their networking equipment.


More details about these dimensions:

RPKI Validation Status: Contains the full RPKI state for a given flow, including the values shown in the table below:

| RPKI Validation Status | Value Description |
| --- | --- |
| RPKI Unknown | No Route Origin Authorization (ROA) has been found to associate with the routes being analyzed. |
| RPKI Valid | There is a valid Route Origin Authorization (ROA) found for that destination prefix, and the BGP announcements for it are announced by the correct, authorized ASN. |
| RPKI Invalid - Valid covering prefix; RPKI Invalid - Unknown covering prefix | The validation state of the prefix is invalid, but there is a larger supernet or covering route that is RPKI Valid or RPKI Unknown that would be used to forward traffic to the destination prefix. |
| RPKI Invalid - Prefix length out of bounds | Traffic under this label will be dropped in case of strict route validation. |
| RPKI Invalid - Incorrect Origin ASN | The preferred BGP route for a specific prefix isn’t originated by the ASN specified by the ROA. |
| RPKI Invalid - Explicit ASN 0 | The RPKI standard allows statically defining prefixes that shouldn’t at all be trusted. A Route Origin Authorization (ROA) with ASN = 0 means that any traffic coming from that prefix and all the prefixes contained in it as per maxLength will be considered explicitly invalid. |

RPKI Quick Status: Tells how traffic is going to behave globally by aggregating the RPKI Validation Statuses. See the table below:

| RPKI Quick Status | Corresponding RPKI Validation Status | Route Validation Behavior |
| --- | --- | --- |
| RPKI Unknown | RPKI Unknown | Will be forwarded |
| RPKI Valid | RPKI Valid | Will be forwarded |
| RPKI Invalid - Covering Valid/Unknown | RPKI Invalid - Valid Covering Prefix; RPKI Invalid - Unknown Covering Prefix | Will be forwarded |
| RPKI Invalid - Will be dropped | RPKI Invalid - Prefix Length Out of Bounds; RPKI Invalid - Incorrect Origin ASN; RPKI Invalid - Explicit ASN 0 | Will be dropped |
| Empty value | Empty value | Undetermined behavior: the prefix may be in a static route; the prefix may be a /32 or /31; no AS_Path info available |

Furthermore, using RPKI dimensions with multiple other dimensions can provide a very detailed picture of potentially invalid or malicious traffic, to help network operators make informed decisions about turning on/off RPKI Route Validation selectively. For example, you can cross check with connectivity types, such as PNIs, IX peerings, transit and so on; or cross check with Routers and Sites; or cross check with end customers’ IDs.
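To make the status values described above concrete, here is an added example (not Kentik's code) that applies RFC 6811 origin validation to a small routing table and labels each route with the Validation Status and Quick Status names used in this post. The ROAs and routes are constructed from documentation prefixes and ASNs, and both the order in which an invalid reason is chosen and the covering-route lookup are assumptions made for illustration.

```python
"""Added example: RFC 6811 route origin validation mapped to the status labels above.
All ROAs and routes are constructed (documentation prefixes, documentation ASNs)."""
import ipaddress
from typing import List, NamedTuple, Tuple


class ROA(NamedTuple):
    prefix: str      # prefix the resource holder authorized
    max_length: int  # longest prefix length an announcement may have
    asn: int         # authorized origin ASN; 0 means "must not be routed"


class Route(NamedTuple):
    prefix: str
    origin_asn: int  # last ASN in the AS_PATH


UNKNOWN = "RPKI Unknown"
VALID = "RPKI Valid"
BAD_LENGTH = "RPKI Invalid - Prefix Length Out of Bounds"
BAD_ORIGIN = "RPKI Invalid - Incorrect Origin ASN"
AS0 = "RPKI Invalid - Explicit ASN 0"
COVER_VALID = "RPKI Invalid - Valid Covering Prefix"
COVER_UNKNOWN = "RPKI Invalid - Unknown Covering Prefix"


def _contains(outer: str, inner: str) -> bool:
    """True when `inner` equals or is a more-specific of `outer` (same address family)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def validate_origin(route: Route, roas: List[ROA]) -> str:
    """Validate one route's origin against the ROA set (RFC 6811 semantics)."""
    covering = [r for r in roas if _contains(r.prefix, route.prefix)]
    if not covering:
        return UNKNOWN
    length = ipaddress.ip_network(route.prefix).prefixlen
    asn_match = [r for r in covering if r.asn != 0 and r.asn == route.origin_asn]
    if any(length <= r.max_length for r in asn_match):
        return VALID
    # The ordering of invalid reasons below is an assumption of this example.
    if asn_match:
        return BAD_LENGTH  # right origin, but more specific than maxLength allows
    if all(r.asn == 0 for r in covering):
        return AS0
    return BAD_ORIGIN


def classify(route: Route, rib: List[Route], roas: List[ROA]) -> str:
    """Validation status, taking into account a less-specific route that would
    still carry the traffic if the invalid route were rejected."""
    status = validate_origin(route, roas)
    if status in (UNKNOWN, VALID):
        return status
    length = ipaddress.ip_network(route.prefix).prefixlen
    less_specific = [r for r in rib
                     if _contains(r.prefix, route.prefix)
                     and ipaddress.ip_network(r.prefix).prefixlen < length]
    # Longest match first; invalid covering routes would be rejected too, so skip them.
    less_specific.sort(key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, reverse=True)
    for cand in less_specific:
        cand_status = validate_origin(cand, roas)
        if cand_status == VALID:
            return COVER_VALID
        if cand_status == UNKNOWN:
            return COVER_UNKNOWN
    return status


def quick_status(status: str) -> Tuple[str, str]:
    """Aggregate a validation status into (Quick Status, route validation behavior)."""
    if status in (UNKNOWN, VALID):
        return status, "Will be forwarded"
    if status in (COVER_VALID, COVER_UNKNOWN):
        return "RPKI Invalid - Covering Valid/Unknown", "Will be forwarded"
    return "RPKI Invalid - Will be dropped", "Will be dropped"


# Constructed sample data.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 64497),
    ROA("203.0.113.0/24", 24, 0),       # AS0 ROA: prefix must not be routed
    ROA("2001:db8::/32", 48, 64498),
]
RIB = [
    Route("192.0.2.0/24", 64496),        # matches its ROA
    Route("192.0.2.128/25", 64496),      # right origin, longer than maxLength
    Route("198.51.100.0/24", 64511),     # wrong origin, no covering route
    Route("203.0.113.0/24", 64499),      # covered only by the AS0 ROA
    Route("2001:db8::/31", 64501),       # no ROA covers this aggregate
    Route("2001:db8:ffff::/48", 64500),  # wrong origin, unknown covering route
]

if __name__ == "__main__":
    for rt in RIB:
        st = classify(rt, RIB, ROAS)
        print(f"{rt.prefix:<20} AS{rt.origin_asn:<6} {st:<45} {quick_status(st)[1]}")
```
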

For more information, please see our blog post with an introduction to RPKI, our blog post with a technical walkthrough of how RPKI features can be used in Kentik, and the BGP Dimension Reference in our Knowledge Base (look for “RPKI”), or contact our Customer Success team.

Lastly, stay tuned for more news concerning chfAgent, as it now embeds both an RPKI validator and an RTR-speaking server that can be leveraged by routers to perform route validation based on the aggregated global list of ROAs.

Author: Joe Reves
Improvement, Core
5 years ago

Cisco IOS XR Forwarding Status Support: May/June 2019 Update

Forwarding Status refers to the action that a router or network device took on a flow or packet stream. Certain devices (including Cisco IOS XR) include a field that indicates which action was taken, such as ACL deny, dropped due to policers on the system, unroutable traffic, or Weighted Random Early Detection (WRED), which can illustrate when congestion issues have caused traffic drops on certain interfaces.


Kentik now supports this “Forwarding Status” field in IPFIX flows for Cisco IOS XR devices, which means that the 6-bit forwarding status code of the flow is now one of the traffic attributes that the Kentik Platform ingests (see table below).


For more information, please see the IOS XR Dimensions topic in our Knowledge Base, or contact our Customer Success team.

Author: Dušan Pajin
Improvement, Core
5 years ago

Cisco Meraki MX Netflow Template Support

Cisco Meraki MX series is a security & SD-WAN appliance-based product line for distributed sites, campuses or datacenter VPN concentration. It offers capabilities such as SD-WAN, application-based firewalling, content filtering, web search filtering, intrusion detection and prevention, web caching, 4G cellular failover and so on. It aims to maximize network resiliency and bandwidth efficiency in this era of WAN traffic explosion.


For the first phase of Meraki integration, we leveraged the Universal Data Records (UDR) architecture (which we previously used for integrating with Cisco ASA Firewall, Palo Alto Networks Firewalls, Silver Peak and various security and SD-WAN appliances) to support the Meraki MX Netflow Template, so we can ingest Meraki-specific flow fields into Kentik. New capabilities include:

  • Dimension - Source IP/CIDR: Initiator of the conversation
  • Dimension - Destination IP/CIDR: Responder in the conversation
  • Metrics - Out Bytes: Number of bytes leaving the MX for this flow
  • Metrics - Out Packets: Number of packets leaving MX for this flow

With this kind of visibility, you can now analyze who is initiating conversations to and from various parts of your network. For example:

  • Internal resources in a corporate network should not usually get connections originating from the internet, and/or
  • Resources in your DMZ should not usually initiate conversations to the internet

For more information, please see the [Cisco Meraki Metrics](https://kb.kentik.com/Da06.htm#Da06-Cisco_Meraki_Metrics "Kentik KB: Cisco Meraki Metrics") topic in our Knowledge Base, or contact our [Customer Success team](mailto:support@kentik.com "Contact Customer Support").

Author: Dušan Pajin