There are several reasons why terminating it in a small switch is a good idea.
1) It gives you control over the external network and the possibility to sniff the external network.
2) If a problem arises in e.g. a firewall, such as a bug or something, then you at least have a chance to mitigate this by adding an access list for that specific bug until it is fixed.
3) Port monitoring for IDS functions.
These are just some nice advantages you have with a switch (with no IP, of course) outside the firewall, if you do not have one today. However, do not forget that it is also a single point of failure.
Now back to your original problem.
There are counters in the firewall that you can monitor to see the output and input in the graphical environment.
Also, there are several monitoring software packages that, utilising SNMP, can do that for you, as well as some special software. In the CLI you can get the utilisation with the command show interface ethernet0/(port id).
It might be a risk if there is a problem in the switch or a misconfiguration.
If you want, you can utilise VLAN technology and have an IP on the switch; me personally, I do NOT like it one bit, but I know of people who use it.
Another way of getting information is to put in a sniffer on a Monitor port.
Then the monitor port will not send out anything, so you can add a switch to the switch that is plugged in, and this second switch can have an IP and be monitored by SNMP.
This makes it a bit complicated and expensive since you need two switches.
But it does work nicely, although 2 ports are required (one inbound and one outbound).
If you just want to know the utilisation, then you can get it via the serial interface; you can either do it via a script in the switch that runs at intervals and use e.g. Kiwi Harvester to send it to a syslog/monitor system,
or you can just use a script on the computer that lists the port utilisation.
Needless to say, I like the serial approach, and if you have good monitoring equipment you actually can write self-defending scripts. E.g. if the firewall itself tries to open a lot of outgoing connections, you can have an access-list that permits everything, that alerts you and the monitor system, which then kills them via the serial cable by loading another access-list.
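The post above mentions reading interface counters (via SNMP or the CLI) and having a script on the computer work out port utilisation from them. The following is an added example, not code from the original post or from any monitoring product it names: it takes two polls of SNMP-style octet counters (ifInOctets/ifOutOctets, assumed 32-bit and therefore wrapping at 2**32), converts the deltas to bits per second against an assumed link speed, and reports percent utilisation with a threshold check. The poll values are constructed; the function and class names are the example's own.

```python
"""Compute interface utilisation from two polls of SNMP-style octet counters.

Added example, not from the original post. Assumes 32-bit counters
(ifInOctets/ifOutOctets style, wrapping at 2**32) and a known link speed
in bits per second. The poll data at the bottom is constructed.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # 32-bit counters wrap back to 0 after this


@dataclass(frozen=True)
class Poll:
    """One poll of an interface's octet counters, taken at `timestamp` seconds."""
    timestamp: float
    in_octets: int
    out_octets: int


def counter_delta(old: int, new: int, max_value: int = COUNTER32_MAX) -> int:
    """Octets transferred between two readings, tolerating a single counter wrap.

    A 32-bit counter on a busy link wraps in minutes; a naive `new - old`
    would go negative and produce a bogus (often alarming) utilisation figure.
    """
    if new >= old:
        return new - old
    return (max_value - old) + new


def utilisation(prev: Poll, curr: Poll, speed_bps: int) -> dict:
    """Return in/out bits per second and percent utilisation between two polls."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    in_bps = counter_delta(prev.in_octets, curr.in_octets) * 8 / interval
    out_bps = counter_delta(prev.out_octets, curr.out_octets) * 8 / interval
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_pct": 100.0 * in_bps / speed_bps,
        "out_pct": 100.0 * out_bps / speed_bps,
    }


def over_threshold(stats: dict, threshold_pct: float) -> bool:
    """True when either direction exceeds the given percent utilisation."""
    return max(stats["in_pct"], stats["out_pct"]) > threshold_pct


def report(polls: list, speed_bps: int) -> list:
    """Utilisation for each consecutive pair of polls."""
    return [utilisation(a, b, speed_bps) for a, b in zip(polls, polls[1:])]


# Constructed sample: a 100 Mbit/s link polled 60 s apart.  The out counter
# is deliberately placed just below 2**32 so the second poll shows a wrap.
SPEED_BPS = 100_000_000
POLLS = [
    Poll(0.0, 1_000_000, COUNTER32_MAX - 500_000),
    Poll(60.0, 76_000_000, 100_000),  # out counter wrapped past 2**32
]

if __name__ == "__main__":
    for stats in report(POLLS, SPEED_BPS):
        flag = "ALERT" if over_threshold(stats, 5.0) else "ok"
        print(f"in {stats['in_pct']:.2f}%  out {stats['out_pct']:.2f}%  [{flag}]")
```

In a real deployment the two `Poll` values would come from successive SNMP GETs (or from parsing the firewall's show interface output); the arithmetic and the wrap handling are the same either way. The 5% threshold in the usage block is just a demonstration value.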