Monitoring Internet usage with an ASA and VLANs

Unanswered Question
Nov 20th, 2009

I have a VSAT connection in an office.  The office is shared by Christian Aid and several others.  I have an ASA 5505 connected to the VSAT equipment, and have created two VLANs on the ASA - one for my organisation, and one for everyone else.

I am using Cacti to collect traffic data using SNMP, and graphing the traffic on each VLAN: Internet, ChristianAid and OtherOrgs.  I am trying to see which VLAN is making the most use of the Internet connection for management purposes.  All traffic to the internet goes through the Internet VLAN.


Here are the graphs:

[Image: KinshasaTraffic.gif]

The graphs show inbound and outbound traffic on each VLAN.  However, since traffic from one VLAN to another is outbound on one VLAN, and inbound on the other, the graphs are quite hard to read.  Also, since all traffic, not just traffic to and from the internet is included, I don't think the graphs are telling me what I need to know.

The graphs above seem to indicate that the other organisations are using far more of the internet connection than Christian Aid.  However, I am confused that the OtherOrgs chart shows all that outbound traffic, which correlates with the Inbound traffic on the Internet VLAN.   But that could just mean that the OtherOrgs are sending a bunch of traffic to the Internet VLAN, rather than downloading.  Perhaps the ASA is dropping most of this traffic.

Has anyone tried to use SNMP to see how much different VLANs are accessing a network resource?  Am I heading in the right direction?  Any suggestions gratefully received.


Duncan

blindmind Fri, 12/11/2009 - 07:53

Ok - I haven't had a reply, so I thought I'd clarify why I think there might be a problem with reading the three graphs as indicators of how much each VLAN is "using" the internet connection:

Internet - this is traditionally called "outside" on the ASA.

ChristianAid - my org's computers

OtherOrgs - the other orgs in the office connect to this VLAN.

Now I was originally assuming that the Internet VLAN would represent all traffic to and from the internet.  Then I could look at how ChristianAid and OtherOrgs are using that connection.

I then realised that we are talking about VLANs here, and inbound to Internet does not mean downloads, and outbound does not mean uploads.  Here's why I think that is the case.

The connection looks like this:

vsat router - Internet - ChristianAid (or OtherOrgs).

Inbound to Internet can come either from the external source or from the ChristianAid or OtherOrgs network:

vsat router -> Internet <- ChristianAid

So all downloads from the internet will show as inbound traffic to Internet, but so will all upload traffic from ChristianAid.  Additionally, traffic from ChristianAid or OtherOrgs may get blocked by the firewall and never contribute to the outbound traffic on Internet.

I thought I might be able to get around this by monitoring individual ethernet interfaces on the ASA - but unfortunately this does not seem to be possible with snmp, as snmp only sees named interfaces, and only VLAN interfaces can be named.


Anyone got any better ideas?

JORGE RODRIGUEZ Sat, 12/12/2009 - 15:41

Hi, if you are trying to break down which hosts are using the most internet bandwidth you may want to look into NetFlow, which can break that down into a more detailed source, destination and bandwidth used per host. If you're running code 8.2 on your ASA you can use NetFlow there and retrieve that information.  I personally have not used NetFlow on an ASA so you will need to use it and see; I've used it on router devices and it provides a breakdown of what I think you're looking for. By the same token, if you have a router in front of the firewall that can support NetFlow you may also use it there, or even the router behind your firewall can be used.

ASA netflow
http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html


IOS netflow
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

Regards
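The per-host and per-VLAN breakdown that flow export gives you, as an added example that is not part of the thread and not Cisco's code. It assumes the flow records have already been collected and parsed into dicts carrying NetFlow v5-style field names (srcaddr, dstaddr, input, output, dOctets); the ASA actually exports NSEL records in v9 format, so mapping a collector's output onto these names is assumed. The ifIndex-to-VLAN map and the flow records themselves are constructed for the example.

```python
"""Attribute Internet bandwidth to VLANs and hosts from flow records.

Added example, not from the thread. The ifIndex map, the interface names
and the FLOWS list below are all constructed; in practice the ifIndex
values come from the ASA's IF-MIB and the records from your collector.
"""
from collections import defaultdict

# Constructed ifIndex -> interface name map (read yours from IF-MIB ifDescr).
IFINDEX_TO_VLAN = {1: "Internet", 2: "ChristianAid", 3: "OtherOrgs"}
OUTSIDE = "Internet"

# Constructed flow records in NetFlow v5-style field names.
FLOWS = [
    {"srcaddr": "203.0.113.5",  "dstaddr": "192.168.2.10", "input": 1, "output": 3, "dOctets": 5_000_000},
    {"srcaddr": "192.168.2.10", "dstaddr": "203.0.113.5",  "input": 3, "output": 1, "dOctets": 400_000},
    {"srcaddr": "198.51.100.7", "dstaddr": "192.168.1.20", "input": 1, "output": 2, "dOctets": 2_000_000},
    {"srcaddr": "192.168.1.20", "dstaddr": "198.51.100.7", "input": 2, "output": 1, "dOctets": 300_000},
    {"srcaddr": "203.0.113.9",  "dstaddr": "192.168.2.11", "input": 1, "output": 3, "dOctets": 1_500_000},
    # Inter-VLAN flow: never touches the outside interface.
    {"srcaddr": "192.168.2.11", "dstaddr": "192.168.1.20", "input": 3, "output": 2, "dOctets": 800_000},
]


def classify(flow):
    """Return (kind, inside_vlan, inside_host) for one flow record.

    A flow entering on the outside interface and leaving on an inside one is
    a download for that inside VLAN; the reverse is an upload. Anything that
    never crosses the outside interface is inter-VLAN traffic and must not
    be counted as Internet usage, which is exactly what plain interface
    counters cannot separate.
    """
    src_if = IFINDEX_TO_VLAN[flow["input"]]
    dst_if = IFINDEX_TO_VLAN[flow["output"]]
    if src_if == OUTSIDE and dst_if != OUTSIDE:
        return "download", dst_if, flow["dstaddr"]
    if dst_if == OUTSIDE and src_if != OUTSIDE:
        return "upload", src_if, flow["srcaddr"]
    return "internal", src_if, flow["srcaddr"]


def summarize(flows):
    """Bytes per VLAN split by direction, and Internet bytes per inside host."""
    per_vlan = defaultdict(lambda: {"download": 0, "upload": 0, "internal": 0})
    per_host = defaultdict(int)
    for flow in flows:
        kind, vlan, host = classify(flow)
        per_vlan[vlan][kind] += flow["dOctets"]
        if kind != "internal":
            per_host[(vlan, host)] += flow["dOctets"]
    return dict(per_vlan), dict(per_host)


def top_talkers(per_host, n=3):
    """Inside hosts ranked by total Internet bytes (download + upload)."""
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    vlans, hosts = summarize(FLOWS)
    for vlan, counts in vlans.items():
        print(f"{vlan:13s} {counts}")
    for (vlan, host), octets in top_talkers(hosts):
        print(f"{vlan:13s} {host:15s} {octets:>10d} bytes")
```

Because every record carries both the ingress and egress interface, the inter-VLAN flow in the sample is reported separately instead of inflating either VLAN's Internet figure, which is the distinction the interface counters in the graphs above cannot make.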

bradpitt3423 Mon, 02/29/2016 - 01:51

Try adding the counter command under the SVI

Cisco#config t
Cisco(config)#interface vlan 100
Cisco(config-if)#counter ?
ipv4 Enable IPv4 statistic counters
ipv6 Enable IPv6 statistic counters
<cr>
Cisco(config-if)#counter
Cisco(config-if)#end

This gets me another question: why this difference in the same interface (VLAN-100 and Vl100)??

    VLAN-100 is a virtual interface for the actual layer2 vlan; there is no IP address associated with it, and thus it can't have the counters you're trying to poll
    Vlan100 is the SVI, which is why you can get IP counters for it

    My main question is still unanswered because the OIDs I get are for the packet and byte counters on the interface.

That's all SNMP will give you with respect to bandwidth; every SNMP monitoring station on the planet (such as cacti, Observium, or Graphite) derives interface bandwidth graphs from these same byte-counters (i.e. ifHCInOctets / ifHCOutOctets).

    What I want to get is the Bandwidth measurement on some vlan. So far I only see Netflow as a probable solution.

You're welcome to use any tool you like. However, I'm not sure how simply switching to Netflow helps... NMS systems (regardless of whether they speak SNMP or Netflow) are complicated beasts
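What an NMS actually does with those byte counters, and how far they can be pushed on this three-VLAN layout, as an added example that is not code from the thread, from Cacti or from Cisco. It assumes the three VLAN interfaces are polled for IF-MIB ifHCInOctets / ifHCOutOctets and that each poll is a dict of interface name to (in, out) octets with a timestamp; the two polls below are constructed, not real captures. The direction semantics (bytes received on an interface versus bytes sent out of it) are stated as an assumption in the code.

```python
"""Per-VLAN Internet usage from SNMP interface byte counters.

Added example, not from the thread. Assumes the ASA's three VLAN
interfaces are polled for ifHCInOctets / ifHCOutOctets and each poll is
{"time": seconds, "ifaces": {name: (in_octets, out_octets)}}. POLL_A and
POLL_B are constructed values.
"""


def counter_delta(prev, curr, width=64):
    """Bytes counted between two polls, tolerating one counter wrap.

    SNMP counters are unsigned and wrap to zero at 2^32 (ifInOctets) or
    2^64 (ifHCInOctets); a naive curr - prev goes negative across a wrap.
    A 32-bit octet counter wraps in under six minutes on a 100 Mbps link,
    so either poll faster than that or use the 64-bit HC counters.
    """
    if width not in (32, 64):
        raise ValueError("width must be 32 or 64")
    if curr >= prev:
        return curr - prev
    return (2 ** width - prev) + curr


def rate_bps(prev, curr, seconds, width=64):
    """Average bit rate over the polling interval."""
    return counter_delta(prev, curr, width) * 8 / seconds


def interface_rates(poll_a, poll_b):
    """Per-interface in/out bit rates between two polls."""
    seconds = poll_b["time"] - poll_a["time"]
    if seconds <= 0:
        raise ValueError("polls must be in chronological order")
    rates = {}
    for name, (in_a, out_a) in poll_a["ifaces"].items():
        in_b, out_b = poll_b["ifaces"][name]
        rates[name] = {
            "in_bps": rate_bps(in_a, in_b, seconds),
            "out_bps": rate_bps(out_a, out_b, seconds),
        }
    return rates


def internet_share(poll_a, poll_b, outside="Internet",
                   inside=("ChristianAid", "OtherOrgs")):
    """Attribute Internet download/upload bytes to the inside VLANs.

    Assumption: ifHCInOctets counts bytes the firewall received on that
    interface from its segment and ifHCOutOctets bytes it sent onto it.
    Bytes received on the outside interface are then downloads, bytes sent
    out of an inside interface are what that VLAN was actually delivered,
    and bytes received on an inside interface are what that VLAN tried to
    send, including anything later dropped by policy or passed to the other
    inside VLAN. The gap between inside-received and outside-sent is an
    upper bound on dropped plus inter-VLAN traffic; counters alone cannot
    split those two, which is what flow export is for.
    """
    def delta(name, idx):
        return counter_delta(poll_a["ifaces"][name][idx],
                             poll_b["ifaces"][name][idx])

    download_total = delta(outside, 0)
    upload_total = delta(outside, 1)
    delivered = {v: delta(v, 1) for v in inside}
    received = {v: delta(v, 0) for v in inside}
    delivered_sum = sum(delivered.values()) or 1
    received_sum = sum(received.values()) or 1
    return {
        "download_bytes": download_total,
        "upload_bytes": upload_total,
        "download_share": {v: delivered[v] / delivered_sum for v in inside},
        "upload_share": {v: received[v] / received_sum for v in inside},
        "unaccounted_inside_bytes": sum(received.values()) - upload_total,
    }


# Constructed polls 300 s apart; OtherOrgs' in-counter wraps between them.
POLL_A = {"time": 0, "ifaces": {
    "Internet": (0, 0),
    "ChristianAid": (0, 0),
    "OtherOrgs": (2 ** 64 - 5_000_000, 0),
}}
POLL_B = {"time": 300, "ifaces": {
    "Internet": (150_000_000, 30_000_000),
    "ChristianAid": (10_000_000, 50_000_000),
    "OtherOrgs": (25_000_000, 100_000_000),
}}

if __name__ == "__main__":
    for name, r in interface_rates(POLL_A, POLL_B).items():
        print(f"{name:13s} in {r['in_bps'] / 1e6:6.2f} Mbps  "
              f"out {r['out_bps'] / 1e6:6.2f} Mbps")
    print(internet_share(POLL_A, POLL_B))
```

With the constructed polls the inside VLANs were delivered exactly the 150 MB that arrived on the outside interface, but they handed the firewall 40 MB while only 30 MB left towards the VSAT; that 10 MB residue is the quantity the "perhaps the ASA is dropping most of this traffic" hypothesis earlier in the thread is about, and counters can bound it but not explain it.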
