
How to monitor the bandwidth utilized by servers in a network connected to a PIX (515e) via a switch (3560). Only need to monitor the Internet traffic to and from the servers via the PIX

Hi ,

I have 5 Linux and 3 Microsoft 2008 servers, each connected to 2 Cisco 3560 switches. The 2 Cisco 3560 switches are connected to 2 different Cisco 515e PIX. If I enable port SPAN on any of the switchports and send a copy of the traffic to any of the Windows 2008 servers, will I be able to monitor the bandwidth of the servers? (Here I am only looking for traffic going from the servers to the PIX and then to the Internet, and vice versa.)

Also, will Wireshark be able to differentiate the bandwidth of each server separately?

Your suggestions would be highly appreciated.

Thanks in advance
Thomas


Hi,

With that method you will end up with 100s of megabytes of traffic per day that will be very difficult to analyse.

My suggestion is to enable SNMP on the switch ports used by the server to monitor traffic.

You can then use a tool like Cacti to graph the results.

The PIX might be too old but check whether it supports Netflow. This is another alternative.

Don't forget to rate all posts that are helpful.

Cheers

Sean


NetFlow would have been the most suitable solution for traffic monitoring between end-points but unfortunately Cisco PIX does not support NetFlow export. The only Cisco firewall with NetFlow capability is Cisco ASA with IOS 8.2 onwards.

The solution will be to use SNMP as Sean stated, but SNMP shows IN and OUT traffic for an interface and does not allow you to filter further based on source and destination. So, if the switch port carries server-to-server traffic as well as server-to-PIX traffic, the SNMP stats of that switch port will include all traffic and not just the server-to-PIX traffic.

An alternate option is to mirror traffic from the PIX to a server and run a NetFlow generator from there. This way, you will not need the resources or expertise associated with packet capture and can still know the bandwidth to and from the servers as well as detailed information like application, port, protocol, destination IP (provided there is no NAT), etc. Open-source solutions you can consider are nProbe, f-Probe, etc. Install the solution on the server taking the mirrored traffic and it will take care of generating NetFlow data from that traffic. Then, you can use a flow analyzer to get your bandwidth reports based on source to destination IP address.

Regards,

Don Thomas Jacob
Head Geek @ SolarWinds

http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate posts and close questions if you have found the required information

Hi ,

Thanks Sean and Don for your valuable comments. Sorry for the late reply, as I was out of station and was only able to access through mobile. I have created a similar network scenario. Could you please spare some time and suggest a suitable way for the same?

In the above figure the communication comes as below;

From Internet -- ISP managed device -- Switch 1/Switch 2 -- Firewall 1/Firewall 2 (outside interface) -- Firewall 1/Firewall 2 (inside interface) -- Switch 1/Switch 2 -- Servers

The communication from servers to internet is also vice versa.

  1. The actual requirement is that we just need to know the bandwidth used by the servers to the Internet (excluding the bandwidth used for internal communication between servers).
  2. Is it possible to do port SPAN on any of the switch ports and forward the traffic to where we can use NetFlow and differentiate the bandwidth used by the servers individually towards the Internet (excluding the bandwidth used for internal communication between servers)?

Kindly suggest your valuable comments regarding the same. Thanks in advance.

Regards,

Thomas
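
The per-server report discussed in this thread (Internet traffic only, server-to-server traffic excluded), sketched as an added example that is not part of any post above. The server subnet, the `(source, destination, bytes)` record layout and the sample flows are assumptions constructed for illustration; real records would come from the flow generator's export.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing (hypothetical): all servers sit in 10.0.0.0/24.
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed flow records: (source IP, destination IP, bytes).
# Addresses are as seen before NAT, i.e. the servers' own IPs.
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 1_500_000),   # server -> Internet
    ("203.0.113.5", "10.0.0.11", 6_000_000),   # Internet -> server
    ("10.0.0.11", "10.0.0.12", 9_000_000),     # server -> server (excluded)
    ("10.0.0.12", "198.51.100.7", 750_000),
    ("198.51.100.7", "10.0.0.12", 250_000),
    ("192.0.2.9", "198.51.100.7", 40_000),     # no server involved (excluded)
]


def is_server(addr):
    """True if the address belongs to the assumed server subnet."""
    return ipaddress.ip_address(addr) in SERVER_NET


def internet_usage(flows):
    """Return {server_ip: {"out": bytes, "in": bytes}} for Internet traffic."""
    usage = defaultdict(lambda: {"out": 0, "in": 0})
    for src, dst, nbytes in flows:
        src_srv, dst_srv = is_server(src), is_server(dst)
        if src_srv == dst_srv:
            # Both ends internal (server-to-server) or both external: skip.
            continue
        if src_srv:
            usage[src]["out"] += nbytes
        else:
            usage[dst]["in"] += nbytes
    return dict(usage)


def avg_kbps(nbytes, interval_seconds):
    """Average rate in kbit/s for a byte count over a reporting interval."""
    return nbytes * 8 / interval_seconds / 1000


if __name__ == "__main__":
    # Assume the sample flows cover one 300-second reporting interval.
    for server, c in sorted(internet_usage(SAMPLE_FLOWS).items()):
        print(f"{server}  out={avg_kbps(c['out'], 300):.1f} kbit/s  "
              f"in={avg_kbps(c['in'], 300):.1f} kbit/s")
```
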
