Best way to setup traffic utilization logging on a router?

ande0255ande0255 Banned Posts: 1,178
I am tasked with setting up logging of traffic utilization that will be expected to run probably for several days to analyze slow dips in a customers network, and I'm wondering if anyone has experience in this that could suggest any particular method?

I found something on configuring netflow on the router, and configure the logging to an internal SFTP server via Solarwinds, which looks like it may work but wanted to see if any of you fine people could chime in with better suggestions.

Thanks!

Comments

  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    If you aren't looking to us it long term then I would download the eval copy of Netflow Analyzer by ManageEngine. Setup is really easy and you'll get all the information you are looking for. A long time ago we had a customer who was seeing slowness all day long. We installed it and analyzed it for a week to find that Symantec Updates were configured to call back to their headquarters for updates. On T1 lines it was destroying them. Ultimately I was able to set it up so a server at each location would download the updates from HQ and then update the machines behind it.

    Currently we use Netflow Analyzer to look at the connections of the companies we regulate. We're looking at open source alternatives due to wanting to correlate a number of other programs with our Netflow data, but for you it should do exactly what you need.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • ande0255ande0255 Banned Posts: 1,178
    Cool thank you much for the info, I will check this out tomorrow morning!
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    I use ptrg to monitor netflow, very nice tool, easy to use, 30 days eval license.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • ande0255ande0255 Banned Posts: 1,178
    That looks pretty cool as well, I'm actually kind of geared to get to work on setting this up and check out the traffic flow, I usually ever only use wireshark to analyze traffic on a single host. Thanks for the info!
  • PurpleITPurpleIT Member Posts: 327
    EdTheLad wrote: »
    I use ptrg to monitor netflow, very nice tool, easy to use, 30 days eval license.

    I'm a fan of PRTG as well; good program at a good price point.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • Dieg0MDieg0M Member Posts: 861
    I would suggest LiveAction for flow analysis. We use Statseeker for bandwidth analysis and Solarwinds/Spectrum/Cisco Prime for device management (SNMP polling). We also use HPNA for configuration backup and automation.
    Follow my CCDE journey at www.routingnull0.com
  • CodeBloxCodeBlox Member Posts: 1,363 ■■■■□□□□□□
    We're using icinga/nagios to monitor bandwidth utilization. We have a guy who set it all up and it sends alerts when circuits peg out. Very nifty and open source.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • brian89gpbrian89gp Member Posts: 19 ■□□□□□□□□□
    Cacti

    Netflow tells you what is on a link (and somewhat how much is on it), SNMP monitoring tools how much is on it.
  • ande0255ande0255 Banned Posts: 1,178
    Question for you gentlemen who suggested PRTG. I have it setup on a local PC on the network, and set the parameters on the Cisco router for netflow, but PRTG is not receiving any of the Netflow packets on port 2055.

    Here is some show output of the router config:

    interface Vlan1
    description BLAH BLAH BLAH
    ip address 10.60.71.1 255.255.255.0
    ip access-group 105 in
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452


    interface FastEthernet4
    description BLAH BLAH BLAH
    ip address 111.112.122.123 255.255.255.252
    ip access-group deny-hack-attack in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    crypto map vpn-map

    ip flow-export destination 10.60.71.234 2055 <---- Host with PRTG installed

    router#show ip flow export
    Flow export v1 is enabled for main cache
    Export source and destination details :
    VRF ID : Default
    Destination(1) 10.60.71.234 (2055)
    Version 1 flow records
    331022 flows exported in 30206 udp datagrams
    0 flows failed due to lack of export packet
    0 export packets were sent up to process level
    0 export packets were dropped due to no fib
    0 export packets were dropped due to adjacency issues
    0 export packets were dropped due to fragmentation failures
    0 export packets were dropped due to encapsulation fixup failures



    I checked the code running on the router, its a C850 series running 12.4, which uses Netflow v5 which is configured on the PRTG sensor pointed at the router.

    I'm at a loss as to what I could possibly be missing, the PRTG is set up locally to a PC on that inside interface of the router, and PRTG is seeing the router via a Ping sensor I setup for auto-discovery.

    Any ideas?
  • higherhohigherho Member Posts: 882
    Look into Zabbix. We use it for bandwidth monitoring, port monitoring, polling, web traffic, and much more. Its free too and you create your own templates.

    https://support.zabbix.com/browse/ZBXNEXT-37?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

    Homepage of Zabbix :: An Enterprise-Class Open Source Distributed Monitoring Solution
  • PurpleITPurpleIT Member Posts: 327
    ande0255 wrote: »
    Question for you gentlemen who suggested PRTG. I have it setup on a local PC on the network, and set the parameters on the Cisco router for netflow, but PRTG is not receiving any of the Netflow packets on port 2055.


    My first question was going to be are the router and PRTG using the same version. I read this as yes, they are.

    I'm at a loss as to what I could possibly be missing, the PRTG is set up locally to a PC on that inside interface of the router, and PRTG is seeing the router via a Ping sensor I setup for auto-discovery.

    Any ideas?

    PRTG has a netflow tester Test NetFlow based monitoring configurations with NetFlow Tester that will show you if traffic is showing up or not. If it is showing up then it may be a PRTG issue; I don't use it much and when I do it is V9 from ASAs, but there are frequent delays which I believe have to do with how the ASA processes and sends the data.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • ande0255ande0255 Banned Posts: 1,178
    I actually fired up both v5 and v9 testers and neither detected anything, the pc has windows firewall disabled as well. I did see the unknown protocol dropped counter rising pretty quickly after I cleared counters on the inside interface, so I am wondering if it'd be incrementing the exports value in 'show ip flow export' even if the netflow packets are getting dropped.

    Thanks for the suggestion higherhero, think I may have to go a different avenue and test out netflow in a lab environment at a later time.
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    higherho wrote: »
    Look into Zabbix. We use it for bandwidth monitoring, port monitoring, polling, web traffic, and much more. Its free too and you create your own templates.

    https://support.zabbix.com/browse/ZBXNEXT-37?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

    Homepage of Zabbix :: An Enterprise-Class Open Source Distributed Monitoring Solution

    Agreed. Been using Zabbix for 2 years and it is win.
  • xnxxnx Do they matter? UKMember Posts: 464 ■■■□□□□□□□
    Would creating a SPAN session be of any use?
    I personally just wiretap ethernet with some keystone jacks that are wired up so I can see the traffic going through on my laptop.
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
Sign In or Register to comment.