Velocity Reviews - Computer Hardware Reviews

traffic accounting per IP on a 515 PIX possible?

alex
11-01-2003
hi

Are there any ways to get the traffic per IP address for inbound and
outbound traffic?

I've used access lists on our 1603, but some people told me this is very
CPU-intensive and I should use NetFlow. I cannot find anything about
NetFlow on a PIX, and the solution must be cheap... For our Linux box I used
bwacct in the past and it runs fine, but this one is based on iptables and
SNMP. Maybe there is a way to get an SNMP counter for each IP? Any tip/idea
is welcome!


Greetings
Alex


Walter Roberson
11-01-2003
In article <bo0lob$fn6$04$(E-Mail Removed)-online.com>,
alex <(E-Mail Removed)-darmstadt.de> wrote:
:are there any ways to get out the traffic per IP address for inbound and
:outbound traffic?

Not in the sense you mean.


:i've used with our 1603 access lists but some people told me this is very
:CPU aggressive and i should use netflow. i cannot found anything about
:netflow on a PIX and the solution must be cheap... for you linux box i used
:bwacct in the past and it runs fine - but this one is based on iptables and
:snmp. maybe there is a way to get a snmp counter for each IP ? any tip/idea
:is welcome!

No, the PIX has very little in the way of SNMP, and it has no feature
such as netflow.

You might be able to use 'aaa accounting' for your purposes. I
have never used that myself, so I cannot tell you much about it.


The accounting we do here is based upon examining the syslog
for the Teardown messages that show up if you have Debug level turned on.
Those counts only include TCP and UDP though.
--
Oh, yeah, an African swallow maybe, but not a European swallow.
That's my point.

alex
11-02-2003
hi

> Not in the sense you mean.

this is bad

> No, the PIX has very little in the way of SNMP, and it has no feature
> such as netflow.

((

> The accounting we do here is based upon examining the syslog
> for the Teardown messages that show up if you have Debug level turned on.
> Those counts only include TCP and UDP though.

I've read about this too. Isn't this debug level very stressful for
the firewall? Debug mode, from my view, will print tons of lines to the
syslog. Maybe this will work for us too, but I don't know how. Have you
written any scripts for this task? Are they downloadable? How do you save
this? With MRTG, a database, or what? Another idea is using many VLANs and
calculating traffic per VLAN. Do you know if this is possible?


Greetings
Alex


Walter Roberson
11-02-2003
In article <bo2o2d$a79$00$(E-Mail Removed)-online.com>,
alex <(E-Mail Removed)-darmstadt.de> wrote:
:i've read about this, too - isn't this debug level not very stressfull for
:the firewall? debug mode from my view will print ton's of lines to the
:syslog. maybe this will work for us too, but i don't know how.

I've never seen our 525 exceed 5% CPU, with full debugging on.
We are currently logging about 150 Mb of SYSLOG per day; during the
peak of Swen, it was closer to 1 Gb per day.

:have you
:written any scripts for this task - are they downloadable? how will you save
:this? With MRTG, database or what?

We do not charge for traffic [hmmm, that's how I could get some
internal revenue], so when we are analyzing, we are doing so to
profile our traffic (and to check that our users are not going places
they should not be.) We do not save our analysis results in a database;
we just create summary text files and review them and delete them
afterwards. We keep all the SYSLOG for years so we can recreate the
reports if we need to.

We did write our own scripts, but the one I have now has not been updated
to work with anything later than PIX 6.1. Starting in PIX 6.2,
Cisco changed the traffic log messages a bit, making it harder to
keep track of whether a given connection was inbound or outbound, and
I have not had time to adjust my scripts yet.


:Another idea is using many VLANs and
:calculate traffic per VLAN. Do you know if this is possible?

Not on the PIX 515. The PIX 515 supports only 3 VLANs (Restricted
license) or 6 VLANs (Unrestricted license). Even the PIX 535
supports at most 22 VLANs.


You must have your hosts plugged into a switch that is plugged into
the 515. Is your switch a managed switch? If all your switches are
managed, you might be able to do per-port traffic monitoring on your
network. Those counters will include internal traffic, though.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
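The accounting approach Walter describes (tally the byte counts on the PIX Teardown syslog messages, keeping track of whether each connection was inbound or outbound) is shown below as an added example. This is not Walter's script and not anything from the thread; it assumes the PIX 6.2-style message layout as I recall it (ids 302013/302015 for "Built {inbound|outbound} TCP/UDP connection", 302014/302016 for "Teardown TCP/UDP connection ... bytes N"), an interface named "outside" facing the Internet, and constructed sample log lines. Direction is taken from the Built message for the same connection id, which is the piece that got harder to recover from the Teardown line alone after 6.2.

```python
"""Per-IP byte accounting from PIX connection Teardown syslog messages.

Added example, not the script from the thread. Assumptions (not from the
thread): PIX 6.2-style message ids 302013/302015 ("Built {inbound|outbound}
TCP/UDP connection") and 302014/302016 ("Teardown TCP/UDP connection ...
bytes N"), and an Internet-facing interface named "outside".
"""
import re
import sys
from collections import defaultdict

# Constructed sample syslog lines (documentation/RFC 1918 addresses only).
SAMPLE_SYSLOG = """\
Nov  2 12:01:03 pix %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/3456 (198.51.100.2/1024)
Nov  2 12:01:08 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:192.168.1.10/3456 duration 0:00:05 bytes 12000 TCP FINs
Nov  2 12:01:10 pix %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.77/40000 (198.51.100.77/40000) to dmz:192.168.2.20/25 (198.51.100.3/25)
Nov  2 12:01:30 pix %PIX-6-302014: Teardown TCP connection 1002 for outside:198.51.100.77/40000 to dmz:192.168.2.20/25 duration 0:00:20 bytes 3000 TCP FINs
Nov  2 12:02:00 pix %PIX-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.10/5353 (198.51.100.2/1025)
Nov  2 12:02:02 pix %PIX-6-302016: Teardown UDP connection 1003 for outside:203.0.113.53/53 to inside:192.168.1.10/5353 duration 0:00:02 bytes 500
Nov  2 12:02:05 pix %PIX-6-302014: Teardown TCP connection 1004 for outside:203.0.113.9/443 to inside:192.168.1.11/4000 duration 0:00:09 bytes 700 TCP Reset-I
Nov  2 12:02:06 pix %PIX-6-106023: Deny tcp src outside:203.0.113.99/1234 dst inside:192.168.1.10/23 by access-group "acl_out"
"""

# Built messages carry the explicit inbound/outbound word; Teardown messages carry the bytes.
BUILT_RE = re.compile(
    r"%PIX-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ \([\d.]+/\d+\) to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+ \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+ "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
)


def account_per_ip(lines, outside_if="outside"):
    """Return {local_ip: {"inbound": b, "outbound": b, "unknown": b, "conns": n}}.

    Bytes are attributed to the address on the non-outside interface, split by
    which side initiated the connection. Only TCP and UDP produce Teardown
    messages with byte counts, so ICMP and denied packets are not counted.
    """
    direction_by_id = {}
    totals = defaultdict(lambda: {"inbound": 0, "outbound": 0, "unknown": 0, "conns": 0})
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            direction_by_id[(m["proto"], m["id"])] = m["dir"]
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # not a connection teardown: nothing to account
        # Connection ids are reused, so consume the direction entry on teardown;
        # a Teardown without a matching Built (log started mid-connection) is "unknown".
        direction = direction_by_id.pop((m["proto"], m["id"]), "unknown")
        if m["if1"] == outside_if:
            local_ip = m["ip2"]
        elif m["if2"] == outside_if:
            local_ip = m["ip1"]
        else:
            continue  # inside<->dmz etc.: not Internet traffic, skip it
        rec = totals[local_ip]
        rec[direction] += int(m["bytes"])
        rec["conns"] += 1
    return dict(totals)


def format_report(totals):
    """Render the totals as a plain summary text, biggest consumer first."""
    rows = sorted(totals.items(),
                  key=lambda kv: -(kv[1]["inbound"] + kv[1]["outbound"] + kv[1]["unknown"]))
    out = ["%-16s %10s %10s %10s %6s" % ("local_ip", "outbound", "inbound", "unknown", "conns")]
    for ip, rec in rows:
        out.append("%-16s %10d %10d %10d %6d"
                   % (ip, rec["outbound"], rec["inbound"], rec["unknown"], rec["conns"]))
    return "\n".join(out)


if __name__ == "__main__":
    # "python pix_acct.py - < /var/log/pix.log" reads a real syslog; no argument uses the sample.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_SYSLOG.splitlines()
    print(format_report(account_per_ip(source)))
```

Two caveats worth knowing before billing anyone from this: the byte count on a Teardown is the connection total, so "inbound" and "outbound" here say who opened the connection, not which way the bytes flowed; and connections that are still open when the log is cut off never produce a Teardown, so month-end totals will miss long-lived sessions unless the Built messages are kept and matched across files.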

alex
11-02-2003
hi

> We do not charge for traffic [hmmm, that's how I could get some
> internal revenue ], so when we are analyzing, we are doing so to
> profile our traffic (and to check that our users are not going places
> they should not be.) We do not save our analysis results in a database;
> we just create summary text files and review them and delete them
> afterwards. We keep all the SYSLOG for years so we can recreate the
> reports if we need to.

What traffic/connections do you have? We've got 200 GB per month and
1500 connections currently... what will happen if your interfaces are near
busy?

> We did write our own scripts, but the one I have now has not been updated
> to work with anything later than PIX 6.1. Starting in PIX 6.2,
> Cisco changed the traffic log messages a bit, making it harder to
> keep track of whether a given connection was inbound or outbound, and
> I have not had time to adjust my scripts yet.

Will Cisco help with this problem? We really need this calculation.
Thousands of EURs every month for traffic and no way to bill the customers
is really a problem.

> Not on the PIX 515. The PIX 515 supports only 3 VLANs (Restricted
> license) or 6 VLANs (Unrestricted license). Even the PIX 535
> supports at most 22 VLANs.

We bought a PIX 515 Unrestricted with failover and 6 NICs last week. The
documentation says 8 VLANs. A 535 is really expensive; we don't like to buy
two BMWs.

> You must have your hosts plugged into a switch that is plugged into
> the 515. Is your switch a managed switch? If all your switches are
> managed, you might be able to do per-port traffic monitoring on your
> network. Those counters will include internal traffic, though.

That's the problem... I need only traffic from/to the Internet... I will have a
look at the accounting rules and hope they will not break the box under
stress.


Greetings
Alex


Walter Roberson
11-02-2003
In article <bo3eou$82f$00$(E-Mail Removed)-online.com>,
alex <(E-Mail Removed)-darmstadt.de> wrote:
:> We do not charge for traffic [hmmm, that's how I could get some
:> internal revenue ], so when we are analyzing, we are doing so to
:> profile our traffic (and to check that our users are not going places

:what traffic/connections do you have? . we've got 200GB per month and
:1500connections - currently...what will happen if your interfaces are near
:bussy ))?

My PIX is serving a [research-oriented] office building. It is just
slightly after noon on a Sunday here, and we currently have 2573
connections; our peak since the count was last reset (probably
early Friday afternoon about 40 hours ago) was 13432.

MRTG says that we are averaging about 30 Kbyte/s over the month,
which would put us at about 75 Gbyte per month.

If you have a 515 (rather than a 515E), the CPU is 200 MHz,
compared to the 600 MHz of our 525. Thus you have 4 times the traffic
load on 1/3 the speed, so your load should be roughly 12 times ours...
which typically runs at 1-2% CPU, 5% being the highest I've ever seen
[and very rarely at that.] So you are probably running no more than
about 50% load on a 515.

As I recall, though, you indicated that you recently acquired the 515.
If so, then it would more likely be a 515E than a 515, as the 515 is
not sold anymore (except used or refurbished.) The 515E is 433 MHz.
If it is the 515E you have, you are likely at only around 15% to 20% CPU
load.
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)

Walter Roberson
11-02-2003
In article <bo3eou$82f$00$(E-Mail Removed)-online.com>,
alex <(E-Mail Removed)-darmstadt.de> wrote:
:we bought last week a PIX 515 unrestricted with failover and 6 NICs. the
:documentations says 8 VLANs.

The documentation was wrong about the 8 VLANs. I had them fix it in
the PIX Command Reference; the new documentation went in about a week ago.

The PIX 515/515E Unrestricted is limited to 10 total interfaces.
If you have 6 interface cards in it, you would be limited to (10-6) = 4
VLANs.

--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon

alex
11-02-2003
hi

> As I recall, though, you indicated that you recently acquired the 515.
> If so, then it would more likely be a 515E than a 515, as the 515 is
> not sold anymore (except used or refurbished.) The 515E is 433 MHz.
> If it is the 515E you have, you are likely at only around 15% to 20% CPU
> load.


ah - ok - i meed the 515E


Alex


alex
11-02-2003
hi

> The documentation was wrong about the 8 VLANs. I had them fix it in
> the PIX Command Reference; the new documentation went in about a week ago.
>
> The PIX 515/515E Unrestricted is limited to 10 total interfaces.
> If you have 6 interface cards in it, you would be limited to (10-6) = 4
> VLANs.

****... but currently no problem... I hope there are no more bugs in the
documentation...


Alex


Walter Roberson
11-03-2003
In article <bo437a$kc7$02$(E-Mail Removed)-online.com>,
alex <(E-Mail Removed)-darmstadt.de> wrote:
:> As I recall, though, you indicated that you recently acquired the 515.
:> If so, then it would more likely be a 515E than a 515, as the 515 is
:> not sold anymore (except used or refurbished.) The 515E is 433 MHz.
:> If it is the 515E you have, you are likely at only around 15% to 20% CPU
:> load.

:ah - ok - i meed the 515E

I can't tell whether that was "I need the 515E", or "I mean the 515E" ??
--
IEA408I: GETMAIN cannot provide buffer for WATLIB.