Bandwidth Utilization - QUERY

Unanswered Question
Feb 17th, 2009

Hi,


The ISP internet backbone is directly connected to our ASA with a public IP, without a router in between; it's becoming difficult to know the utilization of the Internet bandwidth.


One option is to terminate the ethernet cable to a switch. Are there any other options?


I am also trying to understand how the ISP maintains the customer connection and provides MRTG.

hobbe Tue, 02/17/2009 - 08:22

There are several reasons why terminating it in a small switch is a good idea.


1) It gives you control over the external network and the possibility to sniff the external network.


2) If a problem arises in, e.g., a firewall, such as a bug or something, then you at least have a chance to mitigate this by adding an access list for that specific bug until it is fixed.


3) Port monitoring for IDS functions.


These are just some nice advantages you have with a switch (with no IP, of course) outside the firewall, if you do not have one today. However, do not forget that it is also a single point of failure.


Now back to your original problem.


There are counters in the firewall that you can monitor to see the output and input in the graphical environment.

Also, there are several monitoring software packages that, utilising SNMP, can do that for you, as well as some special software. In the CLI you can get the utilisation with the command show interface ethernet0/(port id).

So you should be covered to do what you want.


Good luck.
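
As an added illustration (not code from the thread or from Cisco), here is how an SNMP poller such as MRTG turns two readings of the interface octet counters mentioned above into a bandwidth-utilization figure, including the 32-bit counter wrap that makes the 64-bit HC counters preferable on fast links. The sample counter values and the 100 Mbit/s link speed are constructed; the OIDs are the standard IF-MIB ones, not anything specific to this ASA.

```python
from dataclasses import dataclass

# Standard IF-MIB object IDs an SNMP poller reads per interface.
# Assumption: the firewall exposes these; the samples below are constructed, not polled.
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"        # 32-bit, wraps at 2**32
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16"
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"   # 64-bit high-capacity counters
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"


@dataclass
class Sample:
    t: float          # seconds since epoch when the counters were read
    in_octets: int
    out_octets: int
    bits: int = 64    # 32 for ifInOctets/ifOutOctets, 64 for the HC variants


def counter_delta(prev: int, cur: int, bits: int) -> int:
    """Octets transferred between two readings, allowing for one counter wrap."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur  # counter rolled over once since last poll


def max_poll_interval(link_bps: int, bits: int) -> float:
    """Seconds before a saturated link wraps the counter; poll faster than this
    or the delta above silently under-counts (2**32 octets at 100 Mbit/s ~ 5.7 min)."""
    return (1 << bits) * 8 / link_bps


def utilization(prev: Sample, cur: Sample, link_bps: int) -> dict:
    """MRTG-style bit rate and percent utilization between two samples."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, prev.bits) * 8 / dt
    out_bps = counter_delta(prev.out_octets, cur.out_octets, prev.bits) * 8 / dt
    return {"in_bps": in_bps, "out_bps": out_bps,
            "in_pct": 100.0 * in_bps / link_bps,
            "out_pct": 100.0 * out_bps / link_bps}


def demo() -> dict:
    """Constructed 5-minute poll on a 100 Mbit/s link; the inbound 32-bit counter wraps."""
    prev = Sample(t=0.0, in_octets=(1 << 32) - 1000, out_octets=0, bits=32)
    cur = Sample(t=300.0, in_octets=374_000, out_octets=3_750_000, bits=32)
    return utilization(prev, cur, link_bps=100_000_000)
```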

ronald.ramzy Tue, 02/17/2009 - 08:28

Thanks for the detailed reply.


Plugging in a switch makes more sense.


If my monitoring server is on the inside network VLAN, what is required to be configured on the switch?


Will this not be a security issue, if your Internet switch is communicating with an internal server?


hobbe Wed, 02/25/2009 - 08:44

That all depends on how you do it.


First there is the layer three type.

Set an IP and add an access-list.

It might be a risk if there is a problem in the switch or a misconfiguration.


If you want, you can utilise VLAN technology and have an IP on the switch. Me personally, I do NOT like it one bit, but I know of people who use it.


Another way of getting information is to put in a sniffer on a monitor port.

Then the monitor port will not send out anything, so you can add a switch to the switch that is plugged in, and this second switch can have an IP and be monitored by SNMP.

This makes it a bit complicated and expensive since you need two switches.

But it does work nicely, although 2 ports are required (one inbound and one outbound).


If you just want to know the utilisation, then you can get it via the serial interface. You can either do it via a script in the switch that runs at intervals and use, e.g., Kiwi Harvester to send it to the syslog/monitor system,

or you can just use a script in the computer that lists the port utilisation.


Needless to say, I like the serial approach, and if you have good monitoring equipment you actually can write self-defending scripts. E.g., if the firewall itself tries to open a lot of outgoing connections, you can have an access-list that permits everything, that alerts you and the monitor system, which then kills them via the serial cable by loading another access-list.


Good luck.
