I'm an admin for a small company and we have a T1 for our internet connection.
When viewing SNMP graphs I see that our T1 is filled to capacity 80% of the day. We only have about 20 employees and the traffic should just consist of email, web traffic, and shell access.
I'd like to view statistics per local IP address on our router (2621). I'm still getting the hang of the Cisco thing but with Unix or Linux I'd be able to use something like iptraf to view these stats based on traffic usage to pinpoint the bandwidth hog. Can these stats be seen by the router and if so, how?
My last resort is to stick a Linux firewall in between the router and switch.
There are several options that you can consider which might give you the information that you want. My first suggestion would be to enable NetFlow on the router. Cisco will generate statistics about the network traffic. One of the attractive things is that you can configure the router to dynamically identify the top talkers in the network. I believe that this is the easiest way to get what you want. There are also NetFlow analyzers that can go through the detailed NetFlow statistics and can provide more detailed analysis of the network traffic.
You could also consider configuring IP accounting on the router. This will also generate information which can help you to identify who is generating the most traffic.
Just a quick question on NetFlow: I'm using PRTG as my collector but it seems the stats I'm getting are inaccurate.
Is this just a question of the frequency my router is sending info to the collector? Is there a way for the router to make this more frequent?
I'm only using version 5 since that's the only version PRTG supports.
Perhaps you can help us with some specifics about what you are seeing that seems inaccurate?
There are a couple of things to think about which might affect the results that you are seeing.
- Are you running NetFlow on all the interfaces of the router? If not, is it possible that traffic on an interface is affecting what you are seeing and what you are comparing it to?
- Is it possible that some of the packets that the router generates are not making it to the collector because of congestion somewhere along the data path?
- Are you using sampling to generate statistics? This can cause some of the statistics to be skewed.
If you want the router to send info more frequently you should be able to decrease the timer at which NetFlow expires flows. This would cause the NetFlow data to be generated and transmitted on a shorter interval = more quickly.
Thanks Rick for the reply. Here are the Netflow settings for my router:
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow ingress
ip flow-export version 5
ip flow-export destination 10.10.8.9 2048
This router acts as a gateway between two file transfer servers. From the server's own monitoring, I can see that I'm peaking at 20Mbps but the real-time data I'm getting at PRTG is only < 2Mbps.
Any thoughts? Do I need to apply Netflow to the other FE0/0 interface where the FTP server is facing?
Thanks for the additional information. I would suggest turning on NetFlow for the other interface and see what happens. That much difference would seem more than could be explained by dropped packets on the way to the PRTG server.
Is your router a 2621? Because there is another way in the 2600XM router. Do a "show version" to look for the hardware type.
If you have the 2621XM router, you can turn on NBAR, and use the MIB to monitor the statistics. But this process is a bit CPU intensive.
You also have to be realistic: you only have a T1, 1.5 megabits per second. That is probably 4 times less than your home cable connection or DSL connection, and you have 20 people using it. It only takes 2-3 people downloading stuff and browsing to probably fill a lot of that, so while a T1 sounds like a lot, and it used to be in the old days, it's not anymore. You can turn on NetFlow on the router and see who is using a lot of the bandwidth. On the interfaces add "ip route-cache flow". You can then look at the flow table to see what addresses are doing what with the "show ip cache flow" command.
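Two of the checks raised in this thread (sampling skewing the totals, and export packets lost on the way to the collector) can be made directly on the NetFlow version 5 datagrams the router exports. The following is an added example, not part of the original posts: it parses v5 datagrams, ranks source addresses by bytes, and counts flows missing according to the header's flow sequence counter. The addresses and byte counts are constructed, and `build_v5` and `SAMPLE` are hypothetical helpers used only to create test input.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return (flow_sequence, sampling_interval, [(src, dst, octets), ...])."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count, _, _, _, seq, _, _, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    interval = sampling & 0x3FFF  # low 14 bits; the top 2 bits are the sampling mode
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((str(IPv4Address(f[0])), str(IPv4Address(f[1])), f[6]))
    return seq, interval, flows

def top_talkers(datagrams):
    """Sum bytes per source IP and count flows lost to dropped export datagrams."""
    totals, expected, lost = Counter(), None, 0
    for d in datagrams:
        seq, interval, flows = parse_v5(d)
        if expected is not None and seq > expected:  # gap in flow_sequence
            lost += seq - expected                   # (32-bit wrap not handled here)
        expected = seq + len(flows)
        for src, _dst, octets in flows:
            # With 1-in-N sampling the byte count is only an estimate.
            totals[src] += octets * max(interval, 1)
    return totals.most_common(), lost

def build_v5(seq, flows, sampling=0):
    """Constructed test input: pack (src, dst, octets) tuples into a v5 datagram."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, sampling)
    for src, dst, octets in flows:
        out += RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                           1, 2, 10, octets, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return out

# Constructed sample: the second datagram's sequence jumps from 2 to 5 (3 flows missing).
SAMPLE = [build_v5(0, [("10.10.8.20", "192.0.2.1", 9000), ("10.10.8.21", "192.0.2.1", 500)]),
          build_v5(5, [("10.10.8.20", "192.0.2.7", 1000)])]

if __name__ == "__main__":
    print(top_talkers(SAMPLE))
```

A non-zero lost count means the collector's totals undercount, whatever the router's timers are set to.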