NetFlow & Internal LAN IP Tracking
Posted on 2009-04-12
For a while I've been trying to get a handle on the types of traffic eating up my T1 pipe to the Internet. This past week I finally got NetFlow set up on our Cisco 2800 series gateway router and configured it to export the data to a system on my LAN.
I also set up the aforementioned LAN system with a NetFlow monitor (Scrutinizer). Once the appropriate ports were opened in the firewall, the Scrutinizer app was able to receive and interpret the NetFlow data.
One minor problem: because the Scrutinizer system is on my LAN, and the Cisco router sits on the other side of my firewall (LAN > Firewall > Cisco Router), while it is able to show all traffic type info, it is unable to give me specific internal IP addresses as originators for the traffic. Instead, the public port on the firewall always shows up in Scrutinizer as the originating system. Makes sense, but does me no good.
In an attempt to obtain the internal IP info for systems consuming bandwidth, the following suggestions have been made to me:
- Mirror port information on the closet switches and stick a NetFlow-receiving PC in each of the closets. No idea how to do this, or how it would be beneficial.
- Install NetFlow probes onto each PC in my environment and direct those probes to export data back to the Scrutinizer system. This would work, but there's no easy way to narrow down high bandwidth consumption from within my NetFlow app, so it would be tedious at best.
I thought about it for a while, and the only other idea I came up with was to place a second router between the LAN and the firewall, making the final topology something like this: LAN > Router running NetFlow > Firewall > Router to Internet T1.
I think this idea would work, but it seems really dumb in that now I'd have to use two routers instead of just one.
As always, I'm sure there is a simpler method. Keeping in mind I am neither a firewall nor a router guru, are there any options I'm missing that wouldn't require that I be an expert in order to implement?
PS: My firewall is a CheckPoint firewall, to which I have access, but for which I have zero training. No GUI - just a linux terminal front-end.
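The collapse described in the post, shown as an added example that is not part of the original post or of Scrutinizer: a minimal NetFlow v5 parser (record layout per the public v5 specification) aggregates bytes per source address from constructed export data, and every flow seen by the router outside the firewall carries the firewall's public address. The second aggregation assumes the firewall can produce a NAT translation log keyed by (public address, translated source port); that log, the firewall address 203.0.113.10 and the internal hosts are constructed placeholders, not values from the post.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 datagram: 24-byte header, then 48-byte records (public v5 layout).
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def build_v5(records):
    """Pack (src, dst, src_port, dst_port, octets) tuples into one v5 datagram.
    Constructed stand-in for what the gateway router would export."""
    hdr = HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, octets in records:
        addrs = [int.from_bytes(socket.inet_aton(ip), "big") for ip in (src, dst)]
        # nexthop, ifaces, pkts, octets, first, last, ports, pad, flags, proto(tcp), tos, AS, masks, pad
        body += REC.pack(*addrs, 0, 0, 0, 1, octets, 0, 0, sport, dport, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return hdr + body

def parse_v5(datagram):
    """Yield (src, dst, src_port, dst_port, octets) from a NetFlow v5 datagram."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        src, dst = (socket.inet_ntoa(struct.pack("!I", a)) for a in f[:2])
        yield src, dst, f[9], f[10], f[6]

def bytes_by_source(flows, nat_log=None):
    """Sum octets per source address. nat_log maps (public_ip, public_port) to the
    internal host that owned that translation (assumed firewall log, constructed here);
    without it, every flow exported from outside the firewall is credited to the firewall."""
    totals = Counter()
    for src, dst, sport, dport, octets in flows:
        if nat_log:
            src = nat_log.get((src, sport), src)
        totals[src] += octets
    return totals

FIREWALL_PUBLIC = "203.0.113.10"  # constructed placeholder for the firewall's outside address
FLOWS = build_v5([  # constructed sample export: three flows, all NATed behind the firewall
    (FIREWALL_PUBLIC, "198.51.100.5", 40001, 80, 900_000),
    (FIREWALL_PUBLIC, "198.51.100.7", 40002, 443, 120_000),
    (FIREWALL_PUBLIC, "198.51.100.5", 40003, 80, 5_000_000),
])
NAT_LOG = {(FIREWALL_PUBLIC, 40001): "10.1.1.20",   # constructed translation records
           (FIREWALL_PUBLIC, 40002): "10.1.1.21",
           (FIREWALL_PUBLIC, 40003): "10.1.1.20"}

if __name__ == "__main__":
    print(bytes_by_source(parse_v5(FLOWS)))           # only the firewall shows up
    print(bytes_by_source(parse_v5(FLOWS), NAT_LOG))  # internal hosts recovered
```

Run as-is, the first line of output credits all 6,020,000 bytes to the firewall, which is exactly what the post sees in Scrutinizer; the second attributes them to the internal hosts once translation records are joined on the source port.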