Solved

Cisco 3560 switch configuration with VLAN for wifi

Posted on 2010-09-09
18
1,006 Views
Last Modified: 2012-08-14
I have a Cisco 3560 48 port switch with 1 port on it's own VLAN (Vlan3) that is supposed to be configured for a wifi AP and set to allow only certain types of traffic for guests and intraoffice sales people, such as port 80/443 for web browsing, port 1494 for Lotus Notes replication and port 1352 for Citrix.  I have it partially configured where it will assign via DHCP an IP, NM, GW and DNS, but with a computer connected to that port, I still can't browse to the Internet.  I can connect to our internal Citrix server as I expect, so it is partially working.  I was expecting in the "access-list" section to see something that points web traffic to our network gateway (which is this switch I'm working on - 10.10.1.10) or firewall (10.10.1.2).

I am looking for assistance on correcting the configuration so that web browsing is allowed yet still isolates Vlan3 traffic frm everything else.  Instead of including the complete config, I included what I think are the relevant lines from the configuration.   Let me know if something else form the config would be needed.

Thanks!
version 12.2



-- SKIPPED LINES HERE --



ip subnet-zero

ip routing

ip domain-name ahi.int

no ip dhcp use vrf connected

ip dhcp excluded-address 10.11.0.1 10.11.70.0

ip dhcp excluded-address 10.11.71.1 10.11.255.255

ip dhcp excluded-address 10.12.0.1 10.12.50.0

ip dhcp excluded-address 10.12.51.1 10.12.255.255

!

ip dhcp pool VOICE

   network 10.11.0.0 255.255.0.0

   option 150 ip 10.11.10.50

   default-router 10.11.1.10

!

ip dhcp pool Vlan3

   network 10.12.0.0 255.255.0.0

   default-router 10.12.1.10

   dns-server 10.10.10.14 10.10.10.15

!

-- SKIPPED LINES HERE --

!

vlan internal allocation policy ascending

!

-- SKIPPED LINES HERE --

!

interface FastEthernet0/48

 description Connection to Wireless Uplink

 switchport access vlan 3

 switchport mode access

 mls qos trust device cisco-phone

 spanning-tree portfast

!

-- SKIPPED LINES HERE --

!

interface Vlan1

 description DATA

 ip address 10.10.1.10 255.255.0.0

 no ip proxy-arp

 ip pim sparse-dense-mode

!

interface Vlan2

 description VOICE

 ip address 10.11.1.10 255.255.0.0

 no ip proxy-arp

 ip pim sparse-dense-mode

!

interface Vlan3

 description WIRELESS

 ip address 10.12.1.10 255.255.0.0

 no ip proxy-arp

 ip pim sparse-dense-mode

!

!

router eigrp 100

 redistribute static

 network 10.10.0.0 0.0.255.255

 network 10.11.0.0 0.0.255.255

 network 10.12.0.0 0.0.255.255

!

ip classless

ip http server

ip http secure-server

!

!

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq www    (Note: mail server)

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq 443    (Note: mail server)

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.26 eq 1494    (Note: Citrix server)

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.7 eq 1352    (Note: Domino server)

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq www    (Note: web server)

access-list 101 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq 443    (Note: web server)

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.20.0.0 0.0.255.255

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.21.0.0 0.0.255.255

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.10.0.0 0.0.255.255

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.11.0.0 0.0.255.255

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.30.0.0 0.0.255.255

access-list 101 deny   tcp 10.12.0.0 0.0.255.255 10.31.0.0 0.0.255.255

Open in new window

0
Comment
Question by:kbirecki
  • 9
  • 9
18 Comments
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33641195
Is this a layer 3 switch or is there a router that is routing between vlans?  Either way, have you configured an interface for vlan 3 on whatever device is routing your vlan traffic?  Can you ping the default gateway when you have a laptop connected to this port?
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33641523
yes it is a layer 3 switch.  All the vlans are on this switch - no other devices.  If I understand your question about the interface, I think the portion of the config I included shows vlan3 has an interface.  I can ping the gateway, which I configured to be the switch itself (should the switch be the gateway?)  I'm thinking either I need to set my gateway to my firewall or I need something like a new access list entry.  I'm not sure of the specifics though.
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33641603
In the config you have posted, the acl isn't applied to interface vlan3 so I assume you've removed the acl for testing purposes.  Is there a gateway of last resort set on the 3560 that forwards all unknown routes to your internet router or firewall?
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33643146
Regarding the acl not being applied to the interface vlan3, do you mean the config needs a "ip access-group {number|name} {in|out}" command?  If I understand that correctly, would that be on "interface Vlan3" a command like the following:

     ip access-group 101 out

I haven't removed anything for testing, so anything required needs to be added.

And what is a gateway of last resort and how is that supposed to be configured?

Thanks!
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33643304
The gateway of last resort is Cisco terminology for a default gateway of a router or switch.  On routers it is usually set by

ip route 0.0.0.0 0.0.0.0 x.x.x.x  where x.x.x.x is the ip address where you want all traffic to unknown subnets sent.

On switches it is sometimes set like above or sometimes by depending on the IOS:

ip default-gateway x.x.x.x  

Yes, you are correct about how to apply the acl to an interface. In your case I think you'd want to apply it as an "in".

 ip access-group 101 in
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33644602
OK, on the switch in question, I don't have any "ip route..." statements, nor any "ip default-gateway" statements.  A "show ip route" on the switch gives me:
----------------------------------------------------
Gateway of last resort is 10.10.1.1 to network 0.0.0.0

D EX 192.168.40.0/24 [170/2172672] via 10.10.1.1, 15:44:28, Vlan1
D EX 192.168.4.0/24 [170/2172672] via 10.10.1.1, 15:44:28, Vlan1
     10.0.0.0/16 is subnetted, 7 subnets
C       10.10.0.0 is directly connected, Vlan1
C       10.11.0.0 is directly connected, Vlan2
C       10.12.0.0 is directly connected, Vlan3
D       10.30.0.0 [90/2172672] via 10.10.1.1, 19:32:13, Vlan1
D       10.31.0.0 [90/2172928] via 10.10.1.1, 19:32:13, Vlan1
D       10.20.0.0 [90/2172672] via 10.10.1.1, 15:44:28, Vlan1
D       10.21.0.0 [90/2172928] via 10.10.1.1, 15:44:28, Vlan1
     192.168.1.0/30 is subnetted, 1 subnets
D       192.168.1.0 [90/2170112] via 10.10.1.1, 15:44:29, Vlan1
     192.168.2.0/30 is subnetted, 1 subnets
D       192.168.2.0 [90/2170112] via 10.10.1.1, 19:32:17, Vlan1
D*EX 0.0.0.0/0 [170/28416] via 10.10.1.1, 19:32:17, Vlan1
----------------------------------------------------

The gateway of last resort on this 3560 switch is shown as 10.10.1.10, and that is my main voice router, a 2851.  When I run a "show ip route" on that device, it shows the following:
----------------------------------------------------

Gateway of last resort is 10.10.1.2 to network 0.0.0.0

D EX 192.168.40.0/24 [170/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
D EX 192.168.4.0/24 [170/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       10.10.0.0/16 is directly connected, GigabitEthernet0/0
D       10.11.0.0/16 [90/28416] via 10.10.1.10, 5w2d, GigabitEthernet0/0
D       10.12.0.0/16 [90/28416] via 10.10.1.10, 19:31:17, GigabitEthernet0/0
D       10.30.0.0/16 [90/2172416] via 192.168.2.2, 2d12h, Serial0/1/0
D       10.31.0.0/16 [90/2172672] via 192.168.2.2, 2d12h, Serial0/1/0
C       10.16.1.1/32 is directly connected, Loopback0
D       10.20.0.0/16 [90/2172416] via 192.168.1.2, 15:43:49, Serial0/0/0
D       10.21.0.0/16 [90/2172672] via 192.168.1.2, 15:43:49, Serial0/0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Serial0/1/0
S*   0.0.0.0/0 [1/0] via 10.10.1.2
----------------------------------------------------

So this router has a gateway of last resort to be the firewall, 10.10.1.2, which is "ip route 0.0.0.0 0.0.0.0 10.10.1.2" as you described, and it happens to be the only ip route statement.

Question(s) #1:  So far, does this all make sense the way it is configured?  As I understand it, the expectation is that internet-bound traffic from my test computer connected to port 48 on the switch will be filtered by the acl (once assigned to Vlan3), and anything (*) that doesn't match the acl will be forwarded to the "gateway of last resort" (router 10.10.1.10), and that router seeing internet-bound traffic will forward it to it's "gateway of last resort" (firewall at 10.10.1.2), which should pass it out.  Is that correct?  So in this config, without the acl assigned to Vlan3 on the switch, do you think that is what is causing the problem?

(*)Question #2: Regarding my assumed "anything" in the Q above, I see specific protocols listed in the acl with specific IP's.  So how would, say, port 80 traffic, be allowed through to the "gateway of last resort"?  I wouldn't think it would be much of an acl if it allowed anything other than what was defined to just pass on through.  What am I missing?

Question(s) #3: Why would an "in" policy apply and not an out?  I was actually thinking there should be a in-out to apply in both directions, or do I need two applications of the policy, one for in and one for out?

I'll be at the office in a while and I'll try the application of the acl as suggested.
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33646297
Even though it doesn't appear in the acl, all acl's have a "deny any any" statement at the end by default.  This means that anything that doesn't get matched in the preceding lines will be denied.  The acl doesn't do routing; it just decides whether a packet meets a list of criteria or not.  In this case, it is a decision about whether to allow the packet to pass through the router or not.  In other words, an acl doesn't tell the router where to route a packet, just whether or not it should get routed at all.  If a packet is allowed through by your acl, the routing table will then make a decision about where it goes from there.  In any case, since your acl isn't applied to an interface yet, this can't be causing a problem.

The "in" & "out" determines if the acl is applied to packets entering an interface or leaving it.  In this situation, the traffic you want to filter is entering the vlan3 interface so you must use an "in".  You would apply an "out" to an interface to filter traffic as it is leaving the router going out toward the switch or whatever device the router is connected to.  In other words, an "out" is used when packets have already passed through the router having entered from another interface and are about to exit the router.  An "in" decides if the packets are allowed to enter the router at all.

=== IMPORTANT===
Does your firewall exchange eigrp information with your routers?  If not, you will need a static route on the firewall to tell the firewall how to route packets destined for ip addresses on vlan3.  It's entirely possible that your vlan3 traffic is making it to the firewall and going out to the Internet but the firewall doesn't know where to send the returning traffic.  You should check this before doing anything else!
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33646734
That was very helpful.  The route on the firewall may be a significant part of the resolution.  I'll try that.

Regarding the acl and Vlan3, I'm thinking two things: 1) I need another statement there, and 2) if I understand correctly, I think you're thinking I want to protect and limit access to devices on Vlan3 from everything beyond that point, where what I want to do is only allow devices on Vlan3 (anything plugged into port 48) to be able to get very restricted capabilities *out* of Vlan3, pass across our network to the firewall (for internet traffic), and a couple specific internal servers (i.e. Citrix ports and Lotus Notes Replication ports).  So in that case, might an "out" be the right config?

It's intended to be poor man's proxy providing open wifi for customers and suppliers when they visit so they can get online only and not have access to our internal network, and also for the infrequent internal user roaming on a laptop that wants to use Citrix (usually me).  I previously had the wifi router outside our network and the Cisco partner that set this up said this would be better: "put it on a VLAN and it can be managed it better."  The job was only partially finished and I'm still trying to get it working.

So I'm thinking that if a "deny any any" is assumed to be at the end of the acl list, I need at least one more entry for general Internet traffic that allows port 80 and port 443 out to our firewall (10.10.1.2), correct?  Would I need to add:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.1.2 eq www    
access-list 101 permit tcp 0.0.0.0 255.255.255.255 host 10.10.1.2 eq 443


Maybe this next question should come after I test the change to the firewall, but what about DNS?  If the policy does end up needing to be "out", do I need to allow port 53/tcp to pass through or is that automatically allowed?

By the way, kf4zmt, thank you very much for your help on this.
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33646914
I think I correctly understood you.  You want to use an "in" so that traffic from the ip address range assigned to vlan3 will be restricted when it enters (goes IN to) interface vlan3.  Think of interface vlan3 as an international border crossing.  The customs agents or border patrol examines all the cars at the border as they enter the country.  Same with the router.  Interface vlan3 is the check point.  Nothing will get IN to (or beyond) the router from the ip range assigned to vlan3 (your wireless range) unless the acl allows it.  By doing this, you control what network resources the wireless clients can gain access to beyond their own subnet.

You are exactly right about needing to add the additional permit statements for ports 80 & 443.  You'll also need to allow port 53 (dns) to your dns servers.

Hope this helps.

0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 11

Author Comment

by:kbirecki
ID: 33646993
OK, I see your point about in vs. out.  I was thinking of the Vlan being the devices I plug into port 48, and "in" pointed from the switch to the device(s).  So "in" actually points from the device(s) connected to ==> the physical port "in"to the switch.  I should think of the vlan being inside the switch, not the devices themselves.  Got it!  I'll be able to test shortly and respond with results.
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33648930
I'm very close on this.  I've applied your suggestions and everything works except that when I have the acl enabled, I can't browse out to the web.  I added icmp so I could ping and that helps to verify that the problem is just web browsing.  So I went back to basics and tried to create just enough of an acl to allow web browsing to the internet and I'm still not getting something right.  I've tried various combinations, but where I am right now is a problem with the acl.  Can you look at it and tell me what I might be missing or have incorrect?  I'm just trying to get a basic setup that allows brosing to the Internet.

access-list 102 permit icmp 10.12.0.0 0.0.255.255 any  (for ping test)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.1.1 eq www (host is the main voice router; I tried the firewall 10.10.1.2 as the host as well and that didn't work either)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain (host is DNS server #1)
access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain (host is DNS server #2)

===(other stuff I tried)===
access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq www
access-list 102 permit tcp 0.0.0.0 0.0.255.255 any eq www
access-list 102 permit tcp 0.0.0.0 0.0.255.255 any eq 443

Any suggestions?
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33648974
So, I assume there was a static route needed on the firewall?  

DNS queries use udp, not tcp.  Try this and see what happens:


access-list 102 permit udp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain (host is DNS server #1)
access-list 102 permit udp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain (host is DNS server #2)
0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33649001
P.S.

DNS servers use tcp on port 53 to exchange zone files between each other, but dns clients use udp port 53.
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33661356

Yes, there was a static route needed on the firewall.  That helped immensely; I verified this worked by disabling the acl on the interface and was able to successfully access the Internet.  So now my issue is down to the point that the acl is the problem and I've been trying different combinations of acl configs over the weekend.  I've found that I have to be less restrictive to allow access for the devices connected to Vlan3.  I found that the following works, but I'm concerned it might be too open security-wise:

===Current Config===
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443


The following does not work:

==Non-Working Config==
access-list 102 permit udp any host 10.10.10.14 eq domain
access-list 102 permit tcp any host 10.10.10.14 eq domain
access-list 102 permit udp any host 10.10.10.15 eq domain
access-list 102 permit tcp any host 10.10.10.15 eq domain
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any host 10.10.10.14 eq bootps
access-list 102 permit udp any host 10.10.10.14 eq bootpc
access-list 102 permit udp any host 10.10.10.15 eq bootps
access-list 102 permit udp any host 10.10.10.15 eq bootpc

And any variation where I specify any IP like "10.12.0.0 0.0.255.255" in place of the first "any" in the non-working config lines does not work either.  I expect the udp lines don't need the explicit IP set because intially, the device has no IP and is trying to communicate over UDP with the DHCP server to get an IP. But I haven't really been confident with the combinations I've found that worked as far as balancing between working (important) and security (also important) because they are more like the current config above.

Do I leave it as I have it in the current config, or is that too wide open?
Thanks!
0
 
LVL 3

Accepted Solution

by:
kf4zmt earned 500 total points
ID: 33663831
The only problem that I see with your working ACL is that it allows access to ports 80 & 443 on your wired lan.  If this acceptable, then you are good to go.   If this is undesired you could do this:


===Current Config===
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq bootpc

access-list 102 deny ip any [ip range of wired network here]

access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
0
 
LVL 11

Author Comment

by:kbirecki
ID: 33664817
That did the trick.  After a lot of trial and error, I also figured out that the order in which I place statements (which I think you implied by your placement of the new line) matters.  And also it matters whether I'm adding a line or trying to delete an existing line; under certain circumstances (maybe all the time), I can't delete one line without all acl lines for the same acl # being affected and usually being deleted.  So I've just started using a text file with a line that first deletes the last acl (which causes all of that numbered acl to be deleted) and then all of the new acl commands the way I want it.  This has helped.  

Anyway, the final resolution I have put together with your immensely appreciated assitance is:

1. Added a static route to my firewall that directed 10.12.0.0 traffic to this switch being configured.
2. Modified the config of the switch:
A: Proper DHCP assignment:
        ip dhcp pool Vlan3
           network 10.12.0.0 255.255.0.0
           default-router 10.12.1.10
           dns-server 10.10.10.14 10.10.10.15
B: Proper Vlan3 interface config to include the assignment of the acl:
        interface Vlan3
         description WIRELESS
         ip address 10.12.1.10 255.255.0.0
         ip access-group 102 in
         no ip proxy-arp
         ip pim sparse-dense-mode
C: Modified acl as shown in code below.

It works perfectly!  

The only thing that puzzles me still is that I can't seem to explicitly set the DHCP host to the router, even though it is the DHCP server for Vlan3.  It does show as the DHCP server when I allow "any any" in the DHCP section, but not when I set those lines to "any host 10.12.1.10".  Likewise, the same occurs for the ICMP section, I can't limit it to just that router, it has to be "any any".  That's fine, those are things I can live with.

Thank you very much for your assistance kf4zmt!
access-list 102 remark ================DHCP================

access-list 102 remark - Allow DHCP (server) communications

access-list 102 permit udp any any eq bootps

access-list 102 remark - Allow DHCP (Client) communications

access-list 102 permit udp any any eq bootpc

access-list 102 remark ================ICMP================

access-list 102 remark - Allow ICMP for troubleshooting

access-list 102 permit icmp any any

access-list 102 remark ================DNS================

access-list 102 remark - Allow UDP to DNS server 1 - Required for client comm

access-list 102 permit udp any host 10.10.10.14 eq domain

access-list 102 remark - Allow UDP to DNS server 2 - Required for client comm

access-list 102 permit udp any host 10.10.10.15 eq domain

access-list 102 remark - Allow TCP to DNS server 1

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.14 eq domain

access-list 102 remark - Allow TCP to DNS server 2

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.15 eq domain

access-list 102 remark ================LOCAL Web/SSL================

access-list 102 remark - Allow Web access to mail server

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq www

access-list 102 remark - Allow SSL access to mail server

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.1 eq 443

access-list 102 remark - Allow Web access to web server

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq www

access-list 102 remark - Allow SSL access to web server

access-list 102 permit tcp 10.12.0.0 0.0.255.255 host 10.10.10.17 eq 443

access-list 102 remark ================BLOCK Local network================

access-list 102 remark - BLOCK any other traffic to local network

access-list 102 deny   ip any 10.10.0.0 0.0.255.255

access-list 102 remark ================Public Web/SSL================

access-list 102 remark - Permit web traffic to Internet

access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq www

access-list 102 remark - Permit SSL traffic to Internet

access-list 102 permit tcp 10.12.0.0 0.0.255.255 any eq 443

Open in new window

0
 
LVL 3

Expert Comment

by:kf4zmt
ID: 33665284
If I understand what you are saying about the dhcp server, you can't specify it in an acl because the dhcp requests are sent to the broadcast address, not the server address.  An acl wouldn't match because the server is one ip and the broadcast address is another.

Anyway, glad you got it working!
0
 
LVL 11

Author Closing Comment

by:kbirecki
ID: 33666308
Thank you for your prompt and very effective assistance!  If I could give you more points, I would.  It turned out to be more difficult than I expected.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco MRA Phones 4 28
Network Config 9 59
Nortel Baystack 5510-48T Web GUI problems 27 45
Recover password from HP 4300 SAN 2 18
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now