Solved

NetFlow & Internal LAN IP Tracking

Posted on 2009-04-12
Last Modified: 2012-05-06
For a while I've been trying to get a handle on the types of traffic eating up my T1 pipe to the Internet.  This past week I finally got NetFlow set up on our Cisco 2800 series gateway router and configured it to export the data to a system on my LAN.

I also set up the aforementioned LAN system with a NetFlow monitor (Scrutinizer).  Once the appropriate ports were opened in the firewall, the Scrutinizer app was able to receive and interpret the NetFlow data.

One minor problem: because the Scrutinizer system is on my LAN, and the Cisco router sits on the other side of my firewall (LAN > Firewall > Cisco Router), while it is able to show all traffic type info, it is unable to give me specific internal IP addresses as originators for the traffic.  Instead, the public port on the firewall always shows up in Scrutinizer as the originating system.  Makes sense, but does me no good.

In an attempt to obtain the internal IP info for systems consuming bandwidth, the following suggestions have been made to me:

 - Mirror port information on the closet switches and stick a NetFlow-receiving PC in each of the closets.  No idea how to do this, or how it would be beneficial.

 - Install NetFlow probes onto each PC in my environment and direct those probes to export data back to the Scrutinizer system.  This would work, but there's no easy way to narrow down high bandwidth consumption from within my NetFlow app, so it would be tedious at best.

I thought about it for a while, and the only other idea I came up with was to place a second router between the LAN and the firewall, making the final topology something like this: LAN > Router running NetFlow > Firewall > Router to Internet T1.

I think this idea would work, but it seems really dumb in that now I'd have to use two routers instead of just one.

As always, I'm sure there is a simpler method.  Keeping in mind I am not a firewall nor router guru, are there any options I'm missing that wouldn't require that I be an expert in order to implement?

Thanks!

-Bob

PS: My firewall is a CheckPoint firewall, to which I have access, but for which I have zero training.  No GUI - just a linux terminal front-end.
Question by:bgruett
 

Expert Comment

by:lrmoore
ID: 24127535
There may be a much simpler solution with ManageEngine's Firewall Analyzer 5
You simply point the CheckPoint's syslog to the Firewall Analyzer internal host.
http://www.manageengine.com/products/firewall/index.html
Free 30-day eval.
 

Expert Comment

by:diepes
ID: 24128547
One other solution would be to move the NAT (assuming it is NAT overloading) for the PCs out to the router.

This should solve the visibility problem.  
1. Enable NAT overloading on the Cisco for outgoing traffic from your internal IP range, e.g. 10.x.x.x
2. Disable the NAT on the firewall for the PCs' outbound.
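The visibility problem in the question and the fix in the comment above both come down to which address the exporter has in its flow cache. The following is an added example, not code from the thread, Scrutinizer or Cisco: a minimal NetFlow v5 decoder (the export format a 2800 speaks) with a top-talkers ranking, run over two constructed datagrams. The first is what the Internet router exports while the Check Point NATs first: every flow carries the firewall's public address (203.0.113.2 is assumed) and a translated source port, so the ranking collapses to one entry. The second is what the router exports once NAT is moved onto it and flow accounting is enabled on the LAN-facing interface, where ingress accounting records the addresses as they arrive, before inside-to-outside translation. All addresses, byte counts and the `build_v5` stand-in for the router are constructed for the example.

```python
"""Decode NetFlow v5 export datagrams and rank sources by bytes sent.
Added example for this thread, not code from Scrutinizer, Cisco or the posters.
Both sample datagrams are constructed here, not captured."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes) -> list:
    """Return the flow records of one v5 datagram as dicts.
    Rejects non-v5, truncated or over-long payloads with ValueError so a
    collector never counts garbage as traffic."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > 30:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]),  # source address as the exporter saw it
            "dst": socket.inet_ntoa(f[1]),
            "packets": f[5],                # dPkts
            "bytes": f[6],                  # dOctets
            "sport": f[9],
            "dport": f[10],
            "proto": f[13],
        })
    return records


def top_talkers(records, n=5):
    """Total bytes per source address, largest first."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_v5(flows, uptime_ms=60_000, unix_secs=1_239_494_400, seq=0) -> bytes:
    """Encode (src, dst, sport, dport, proto, bytes) tuples as one v5 datagram.
    Stands in for the router; a real exporter fills ifIndex, AS and timing
    fields from its flow cache. unix_secs is a constructed April 2009 date."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            1, 2,                            # input / output ifIndex
            max(1, nbytes // 1400), nbytes,  # dPkts (approximate), dOctets
            uptime_ms - 5_000, uptime_ms,    # first / last seen, sysUptime ms
            sport, dport,
            0, 0x1B, proto, 0,               # pad, TCP flags, protocol, ToS
            0, 0, 24, 24, 0,                 # src/dst AS, src/dst mask, pad
        )
        for src, dst, sport, dport, proto, nbytes in flows
    )
    return header + body


# Constructed LAN-side traffic: (src, dst, sport, dport, proto, bytes).
INSIDE_FLOWS = [
    ("10.0.0.15", "198.51.100.10", 51022, 80, 6, 12_000_000),
    ("10.0.0.23", "198.51.100.44", 51890, 443, 6, 900_000),
    ("10.0.0.15", "198.51.100.20", 51077, 443, 6, 3_500_000),
    ("10.0.0.42", "198.51.100.10", 52344, 80, 6, 150_000),
]
FIREWALL_PUBLIC = "203.0.113.2"  # assumed public address of the Check Point
# Same traffic as the Internet router sees it when the firewall NATs first:
# one source address, translated source ports.
BEHIND_NAT_FLOWS = [
    (FIREWALL_PUBLIC, dst, 20_000 + i, dport, proto, nbytes)
    for i, (_, dst, _, dport, proto, nbytes) in enumerate(INSIDE_FLOWS)
]


def receive_and_rank(port=2055, datagrams=1):
    """Collect real exports on the conventional NetFlow UDP port and rank them."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(datagrams):
            data, _ = sock.recvfrom(65535)
            records.extend(parse_v5(data))
    return top_talkers(records)


if __name__ == "__main__":
    for label, flows in (("router behind firewall NAT", BEHIND_NAT_FLOWS),
                         ("NAT moved to router, LAN ingress flows", INSIDE_FLOWS)):
        print(label)
        for src, nbytes in top_talkers(parse_v5(build_v5(flows))):
            print(f"  {src:16} {nbytes:>12,} bytes")
```

Run stand-alone, the first ranking shows only 203.0.113.2 with the combined 16.5 MB, which is exactly the "public port on the firewall" entry Scrutinizer was showing; the second attributes 15.5 MB to 10.0.0.15 and lets the small consumers fall to the bottom. On IOS the exporter side of this is `ip flow ingress` on the LAN-facing interface plus `ip flow-export version 5` and `ip flow-export destination <collector> 2055`; `receive_and_rank` does the collector side for a quick sanity check before trusting a GUI with the same data.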
 

Accepted Solution

by:mikebernhardt (earned 500 total points)
ID: 24151627
Assuming that your LAN switch is layer 3, you could monitor the outbound port connecting to the firewall. If it isn't, consider spending the money on a layer 3 switch instead of another router. It will give you the same benefit for this purpose, with a lot more flexibility down the road (multiple vlans, etc.).

Oh, and this would mean using 2 vlans- one for your LAN, and a 2nd for the connection to the firewall.
 

Author Closing Comment

by:bgruett
ID: 31569340
Hey, sorry for the late credit here.  Turns out the tech who set up my infrastructure had already segregated two ports on our primary Catalyst switch, one of them going to the firewall's WAN NIC and the other hitting the router.  I was able to span one of these ports to an unrelated port, stick a packet sniffer on there, and now I've got all the data I was looking for.

Thanks for the help!

-Bob