Control/Monitor Bandwidth by IP

Posted on 2005-04-12
Last Modified: 2008-03-06
I have a network designed as follows:
Line to internet coming into firewall
(firewall running NAT)
Firewall to Switch
Switch to servers

I need to monitor the incoming/outgoing bandwidth on an IP basis (port would be even better). This is mostly for billing purposes. Currently we are using a Layer 2 switch which can obviously not handle any IP information. What do we need to buy to be able to properly monitor this info. Where would it fit in the network? I was looking at L3 Cisco switches (3550), but I was wondering if I would need to put the switch on the outside facing part of the network, since I do not need to monitor internal traffic, only external. All help appreciated
Question by:moruda
    LVL 27

    Expert Comment

    If you're mostly concerned about Internet traffic, then you should get something like Microsoft ISA server.  You could require all machines on the inside to go through the ISA server for Internet.  You could control where people go, how much bandwidth they get and account for it, and what applications get Internet access.  Then you could write a rule that only your ISA server gets access out, so your ISA server couldn't be bypassed.

    More info:

    Ps.  A Cisco layer 3 switch will begin to allow some of this, but not without a lot more infrastructure added on - AAA (Authentication and Accounting) servers, etc.
    LVL 23

    Expert Comment

    << L3 Cisco switches (3550)>>
    Sure they should be able to do this, but any reasonably capable router should be able to do the same thing.  If the router is delivering DHCP, then you can get a daily or hourly report from the router sent to one of the IP addresses on the network (like you), and those reports will give you which IPs were trafficking for how long.

    And yes, this device should be on the external side of the network, the idea being that all the switched data internal to the network is NOT involved in the auditing, only that data and time going to the external WAN (internet).  Make sense?

    Author Comment

    So I should get a router? Which one do you suggest?  What about security on the router since it isn't behind a firewall?
    LVL 23

    Expert Comment

    Even the most basic routers have great firewalling built in -- just turn them on in default mode, and they usually give full stealth mode on all essential ports.  That is one of the best things about a router today, it has firewalling built in that is way better than software firewalls, even windows firewalls.  For example, take a very basic router like a Linksys BEFSVP41 -- this costs only $75, and is not only a router to the internet with full stealth mode firewall protection on all ports, and a DHCP server, but in addition, it is a VPN endpoint router, so now you have the capability that 1-2 people can VPN into your network from their home offices.  The router handles all this, plus it can send logs of usage and traffic to an IP number at any specified time.

    Now I am not suggesting that a basic router like this will solve the needs of a big corporation with many users, but they do do all of what you want.  Linksys is now owned by Cisco, and Cisco, the router leader, now makes Linksys routers too.  So if you want to go up in capabilities, then go from Linksys (or similar low-end routers) to the higher priced, more feature rich Cisco PIX routers.  Some of the high end Ciscos can do amazing things, I would go to their website and check them out.  Of course, you pay and they are harder to configure than the simpler Linksys routers, but in answer to the Q, should you get a router instead, I would say "YES".  They can completely protect the network without any need for software firewalls, and they can do what you want.  But check out the specs first, find a router that is compatible with your modem that connects to the internet.  Start from there, and also consider VPN capabilities, if you need it.  Assume great firewalling is built in.
    LVL 1

    Expert Comment

    You can put a management IP address on a 3550; it will allow one IP address. You should do this for management purposes. You don't want to be using your console cable every time you want to make a config change.

    You can find more info here about your switch and what it is capable of doing..

    Once you have done that telnet in and enable SNMP and use a common tool such as MRTG..

    If you want totals (in/out MB/GB etc.) you can use MRTG Total Traffic Generator.

    LVL 1

    Expert Comment

    Depends how "big" you want to get.  Packetteer boxes will let you manage your usage......have a look at:
    LVL 4

    Expert Comment

    Moruda: Which traffic do you want to bill? Do you want to bill internal users, or do you want to check bills from your ISP?

    - To bill internal users you need to analyze internal traffic - in your LAN before the firewall. ISA may help, or (check) even the firewall can give you statistics. If not - buy a 3550 and replace your switch.
    - To check the ISP - what firewall do you use? Check the manual; probably it will give you statistics on the outside interface. If not - buy a router, or if you have ethernet from the firewall to the provider - put in a hub, plug in the external interface of the firewall and the provider's link, and put a spare machine there to monitor traffic. You will not be able to correlate traffic to users - just the whole traffic for all.


    Author Comment

    My sonicwall does have some type of monitoring, but I have never successfully set it up. Has anyone set this up in a useful configuration?
    LVL 2

    Accepted Solution

    You could try logging all the traffic which passes through the firewall. You should get the info on how many Bytes were transferred during the connection. Then you can parse the log files, extract the internal-external addressing relation and bill them based on that.

    You can get some reporting tools as well.

    How many public IP addresses do you have? If you have one or two and many hosts behind the firewall, you will not get any relevant info in front of the firewall.... All internal addresses will go in this one.

    Basically, the only machine really capable of telling you what happened is the firewall, or some SW solution which could reside on your workstations (I would not advise this if you do not have your users educated and/or security tightened so they can not do anything without your consent).

