traffic accounting per IP on a 515 PIX possible?

Discussion in 'Cisco' started by alex, Nov 1, 2003.

  1. alex

    alex Guest

    hi

Are there any ways to get the traffic per IP address for inbound and
outbound traffic?

I've used access lists on our 1603, but some people told me this is very
CPU intensive and I should use NetFlow. I couldn't find anything about
NetFlow on a PIX, and the solution must be cheap... For your Linux box I used
bwacct in the past and it runs fine, but that one is based on iptables and
SNMP. Maybe there is a way to get an SNMP counter for each IP? Any tip/idea
is welcome!


    Greetings
    Alex
    alex, Nov 1, 2003
    #1

  2. In article <bo0lob$fn6$04$-online.com>,
    alex <-darmstadt.de> wrote:
    :are there any ways to get out the traffic per IP address for inbound and
:outbound traffic?

    Not in the sense you mean.


    :i've used with our 1603 access lists but some people told me this is very
    :CPU aggressive and i should use netflow. i cannot found anything about
    :netflow on a PIX and the solution must be cheap... for you linux box i used
    :bwacct in the past and it runs fine - but this one is based on iptables and
    :snmp. maybe there is a way to get a snmp counter for each IP ? any tip/idea
    :is welcome!

    No, the PIX has very little in the way of SNMP, and it has no feature
    such as netflow.

    You might be able to use 'aaa accounting' for your purposes. I
    have never used that myself, so I cannot tell you much about it.


    The accounting we do here is based upon examining the syslog
    for the Teardown messages that show up if you have Debug level turned on.
    Those counts only include TCP and UDP though.
    --
    Oh, yeah, an African swallow maybe, but not a European swallow.
    That's my point.
    Walter Roberson, Nov 1, 2003
    #2

  3. alex

    alex Guest

    hi

    > Not in the sense you mean.

    this is bad

    > No, the PIX has very little in the way of SNMP, and it has no feature
    > such as netflow.

    :-(((

    > The accounting we do here is based upon examining the syslog
    > for the Teardown messages that show up if you have Debug level turned on.
    > Those counts only include TCP and UDP though.

I've read about this, too. Isn't this debug level very stressful for
the firewall? Debug mode, from my view, will print tons of lines to the
syslog. Maybe this will work for us too, but I don't know how. Have you
written any scripts for this task? Are they downloadable? How will you save
this? With MRTG, a database or what? Another idea is using many VLANs and
calculating traffic per VLAN. Do you know if this is possible?


    Greetings
    Alex
    alex, Nov 2, 2003
    #3
  4. In article <bo2o2d$a79$00$-online.com>,
    alex <-darmstadt.de> wrote:
    :i've read about this, too - isn't this debug level not very stressfull for
    :the firewall? debug mode from my view will print ton's of lines to the
    :syslog. maybe this will work for us too, but i don't know how.

    I've never seen our 525 exceed 5% CPU, with full debugging on.
    We are currently logging about 150 Mb of SYSLOG per day; during the
    peak of Swen, it was closer to 1 Gb per day.

    :have you
    :written any scripts for this task - are they downloadable? how will you save
    :this? With MRTG, database or what?

    We do not charge for traffic [hmmm, that's how I could get some
    internal revenue ;-) ], so when we are analyzing, we are doing so to
    profile our traffic (and to check that our users are not going places
    they should not be.) We do not save our analysis results in a database;
    we just create summary text files and review them and delete them
    afterwards. We keep all the SYSLOG for years so we can recreate the
    reports if we need to.

    We did write our own scripts, but the one I have now has not been updated
    to work with anything later than PIX 6.1. Starting in PIX 6.2,
    Cisco changed the traffic log messages a bit, making it harder to
    keep track of whether a given connection was inbound or outbound, and
    I have not had time to adjust my scripts yet.


    :Another idea is using many VLANs and
    :calculate traffic per VLAN. Do you know if this is possible?

    Not on the PIX 515. The PIX 515 supports only 3 VLANs (Restricted
    license) or 6 VLANs (Unrestricted license). Even the PIX 535
    supports at most 22 VLANs.


    You must have your hosts plugged into a switch that is plugged into
    the 515. Is your switch a managed switch? If all your switches are
    managed, you might be able to do per-port traffic monitoring on your
    network. Those counters will include internal traffic, though.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Nov 2, 2003
    #4
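The syslog-based accounting Walter describes in posts #2 and #4, counting only TCP and UDP Teardown messages, as an added example that is not from the thread or from any of the posters' own scripts. It assumes the PIX 6.2+ teardown layout (message ids 302014 for TCP and 302016 for UDP, `for <if>:<ip>/<port> to <if>:<ip>/<port> ... bytes <n>`), that the `bytes` field is the connection total in both directions, and interface names `inside`/`outside`; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the assumed PIX 6.2+ teardown layout (302014 =
# TCP, 302016 = UDP); hosts, ports and byte counts are made up for this example.
SAMPLE_LOG = """\
Nov  2 12:01:05 fw %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.5/3344 duration 0:00:12 bytes 48213 TCP FINs
Nov  2 12:01:07 fw %PIX-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:10.1.1.5/1025 duration 0:00:00 bytes 310
Nov  2 12:01:09 fw %PIX-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/443 to inside:10.1.1.9/4010 duration 0:00:30 bytes 120000 TCP Reset-O
Nov  2 12:01:11 fw %PIX-6-302014: Teardown TCP connection 1004 for dmz:192.0.2.4/5555 to inside:10.1.1.5/22 duration 0:01:00 bytes 9999 TCP FINs
Nov  2 12:01:12 fw %PIX-6-106023: Deny tcp src outside:203.0.113.99/4444 dst inside:10.1.1.5/445 by access-group "acl_out"
"""

# Only TCP/UDP teardowns carry a byte count; ICMP and denied packets do not,
# which is why this method never sees them (as noted in the thread).
TEARDOWN = re.compile(
    r"%PIX-\d-3020(?:14|16): Teardown (TCP|UDP) connection \d+ for "
    r"(\w+):([\d.]+)/\d+ to (\w+):([\d.]+)/\d+ duration \S+ bytes (\d+)"
)


def account_bytes(log_text, inside_if="inside", outside_if="outside"):
    """Return {inside_host_ip: total_bytes} for closed TCP/UDP connections
    between inside_if and outside_if.  The teardown 'bytes' field is assumed
    to be the connection total, so inbound and outbound are summed together;
    the 6.2+ message no longer says which side opened the connection."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue
        _proto, if_a, ip_a, if_b, ip_b, nbytes = m.groups()
        ends = {if_a: ip_a, if_b: ip_b}
        # Internet traffic only: one end on inside, the other on outside.
        if set(ends) != {inside_if, outside_if}:
            continue
        totals[ends[inside_if]] += int(nbytes)
    return dict(totals)


def report(totals):
    """Format per-host totals, largest consumer first, for a summary file."""
    rows = sorted(totals.items(), key=lambda kv: -kv[1])
    return "\n".join(f"{ip:<16} {nbytes:>12}" for ip, nbytes in rows)


if __name__ == "__main__":
    print(report(account_bytes(SAMPLE_LOG)))
```

Run it over a day's syslog file instead of SAMPLE_LOG to get the per-host summary text file the thread describes; the inside/dmz connection and the deny line are deliberately left out of the totals.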
  5. alex

    alex Guest

    hi

    > We do not charge for traffic [hmmm, that's how I could get some
    > internal revenue ;-) ], so when we are analyzing, we are doing so to
    > profile our traffic (and to check that our users are not going places
    > they should not be.) We do not save our analysis results in a database;
    > we just create summary text files and review them and delete them
    > afterwards. We keep all the SYSLOG for years so we can recreate the
    > reports if we need to.

What traffic/connections do you have? :). We've got 200GB per month and
1500 connections currently... What will happen if your interfaces are near
busy :)))?

    > We did write our own scripts, but the one I have now has not been updated
    > to work with anything later than PIX 6.1. Starting in PIX 6.2,
    > Cisco changed the traffic log messages a bit, making it harder to
    > keep track of whether a given connection was inbound or outbound, and
    > I have not had time to adjust my scripts yet.

Will Cisco help with this problem? We really need this calculation :-(.
Thousands of EURs every month for traffic and no way to bill the customers
is really a problem.

    > Not on the PIX 515. The PIX 515 supports only 3 VLANs (Restricted
    > license) or 6 VLANs (Unrestricted license). Even the PIX 535
    > supports at most 22 VLANs.

We bought a PIX 515 Unrestricted with failover and 6 NICs last week. The
documentation says 8 VLANs. A 535 is really expensive; we don't like to buy
two BMWs :).

    > You must have your hosts plugged into a switch that is plugged into
    > the 515. Is your switch a managed switch? If all your switches are
    > managed, you might be able to do per-port traffic monitoring on your
    > network. Those counters will include internal traffic, though.

That's the problem... I need only traffic from/to the Internet... I will have a
look at the accounting rules and hope they will not break the box under
stress.


    Greetings
    Alex
    alex, Nov 2, 2003
    #5
  6. In article <bo3eou$82f$00$-online.com>,
    alex <-darmstadt.de> wrote:
    :> We do not charge for traffic [hmmm, that's how I could get some
    :> internal revenue ;-) ], so when we are analyzing, we are doing so to
    :> profile our traffic (and to check that our users are not going places

    :what traffic/connections do you have? :). we've got 200GB per month and
    :1500connections - currently...what will happen if your interfaces are near
    :bussy :)))?

    My PIX is serving a [research-oriented] office building. It is just
    slightly after noon on a Sunday here, and we currently have 2573
    connections; our peak since the count was last reset (probably
    early Friday afternoon about 40 hours ago) was 13432.

    MRTG says that we are averaging about 30 Kbyte/s over the month,
    which would put us at about 75 Gbyte per month.

    If you have a 515 (rather than a 515E), the CPU is 200 MHz,
    compared to the 600 MHz of our 525. Thus you have 4 times the traffic
    load on 1/3 the speed, so your load should be roughly 12 times ours...
    which typically runs at 1-2% CPU, 5% being the highest I've ever seen
    [and very rarely at that.] So you are probably running no more than
    about 50% load on a 515.

    As I recall, though, you indicated that you recently acquired the 515.
    If so, then it would more likely be a 515E than a 515, as the 515 is
    not sold anymore (except used or refurbished.) The 515E is 433 MHz.
    If it is the 515E you have, you are likely at only around 15% to 20% CPU
    load.
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
    Walter Roberson, Nov 2, 2003
    #6
  7. In article <bo3eou$82f$00$-online.com>,
    alex <-darmstadt.de> wrote:
    :we bought last week a PIX 515 unrestricted with failover and 6 NICs. the
    :documentations says 8 VLANs.

    The documentation was wrong about the 8 VLANs. I had them fix it in
    the PIX Command Reference; the new documentation went in about a week ago.

    The PIX 515/515E Unrestricted is limited to 10 total interfaces.
    If you have 6 interface cards in it, you would be limited to (10-6) = 4
    VLANs.

    --
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
    Walter Roberson, Nov 2, 2003
    #7
  8. alex

    alex Guest

    hi

    > As I recall, though, you indicated that you recently acquired the 515.
    > If so, then it would more likely be a 515E than a 515, as the 515 is
    > not sold anymore (except used or refurbished.) The 515E is 433 MHz.
    > If it is the 515E you have, you are likely at only around 15% to 20% CPU
    > load.


    ah - ok - i meed the 515E :)


    Alex
    alex, Nov 2, 2003
    #8
  9. alex

    alex Guest

    hi

    > The documentation was wrong about the 8 VLANs. I had them fix it in
    > the PIX Command Reference; the new documentation went in about a week ago.
    >
    > The PIX 515/515E Unrestricted is limited to 10 total interfaces.
    > If you have 6 interface cards in it, you would be limited to (10-6) = 4
    > VLANs.

    shit... but currently no problem... i hope there are no more bugs in
    documentation...


    Alex
    alex, Nov 2, 2003
    #9
  10. In article <bo437a$kc7$02$-online.com>,
    alex <-darmstadt.de> wrote:
    :> As I recall, though, you indicated that you recently acquired the 515.
    :> If so, then it would more likely be a 515E than a 515, as the 515 is
    :> not sold anymore (except used or refurbished.) The 515E is 433 MHz.
    :> If it is the 515E you have, you are likely at only around 15% to 20% CPU
    :> load.

    :ah - ok - i meed the 515E :)

    I can't tell whether that was "I need the 515E", or "I mean the 515E" ??
    --
    IEA408I: GETMAIN cannot provide buffer for WATLIB.
    Walter Roberson, Nov 3, 2003
    #10
  11. Ivan Ostres

    Ivan Ostres Guest

    "alex" <-darmstadt.de> wrote in message
    news:bo3eou$82f$00$-online.com...
    > hi
    >
    > will cisco help about this problem? we realy need this calculation :-(.
    > thousands of EURs every month for traffic and no way to bill the customers
    > is realy a problem.
    >


Well, if you really have such an amount of traffic/money, you should invest in
NetFlow or in some probe (we have an old HP probe which works ok with
eHealth for our traffic accounting)...

    Ivan
    Ivan Ostres, Nov 3, 2003
    #11
  12. alex

    alex Guest

    > I can't tell whether that was "I need the 515E", or "I mean the 515E" ??

    mean :)


    Alex
    alex, Nov 3, 2003
    #12
  13. alex

    alex Guest

Yeah, I have no money... but it costs... and I cannot bill it if I cannot
account for it *G*


    Alex
    alex, Nov 3, 2003
    #13
  14. Ivan Ostres

    Ivan Ostres Guest

    "alex" <-darmstadt.de> wrote in message
    news:bo552i$n34$03$-online.com...
    > yeah - i have no money... but it costs... and i cannot bill it if i cannot
    > account it *G*
    >


    Yup, magic circle... you wanna get something and give nothing... won't work
    :)

    Ivan
    Ivan Ostres, Nov 3, 2003
    #14
  15. alex

    alex Guest

> Yup, magic circle... you wanna get something and give nothing... won't work
> :)


I think 13.000 EUR is *not* enough!!! Additionally I give my worktime...


    Alex
    alex, Nov 3, 2003
    #15
  16. alex

    alex Guest

    > i think 13.000 EUR is *not* enough!!! additional i give my worktime...

I mean 13.000 EUR/$ is enough!!!


    Alex
    alex, Nov 3, 2003
    #16
  17. In article <bo3jbe$t0k$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    |In article <bo3eou$82f$00$-online.com>,
    |alex <-darmstadt.de> wrote:
    |:we bought last week a PIX 515 unrestricted with failover and 6 NICs. the
    |:documentations says 8 VLANs.

    |The documentation was wrong about the 8 VLANs. I had them fix it in
    |the PIX Command Reference; the new documentation went in about a week ago.

    Sigh, it looks like none of the original documentation was
    correct, and I did not re-check the new documentation in detail
    before I said 6 instead of 8. The current documentation for the 515/515E
    does say 8 VLANs can be available. The limit is still 10 interfaces,
    though, so with your 6 NICs, the maximum would still be (10-6) = 4.
    --
    Take care in opening this message: My grasp on reality may have shaken
    loose during transmission!
    Walter Roberson, Nov 3, 2003
    #17