VLAN Traffic Monitoring

Hi all
I have a 2900XL core switches which in turn connected to several 2950 switches. All are connected to VLAN 1.
I have a few questions:
When people say broadcast traffic should not be more than 20% of the VLAN traffic.
1. Does it mean the broadcast of a single port in the 2950 switch or the core switch ?
2. How do i know the VLAN traffic ?
Any tools etc and how is the setup?
Hope comeone can help. :)
Thanks in Advance.
Alan

Hi Narayanan,
This is Guru Prasad.R from Saksoft Ltd. I am working as Network Engineer for past 1 year here. Also i had worked as part-time technical assistace in Networking Environment for 3 years too.
Since, i am new guy to this networking world i may require your guidance, support for making my career the best one.
I had finished my CCNA & 2-MCP exams one for Server 03 & another for Exchange Server 03. Also currently i doing with CCNP-Switching[BCMSN] exam.
Kindly help me to make my career the best one. Expeting your kindness on the same.
I had noted down ur contact number in Cisco profile. Below given my contact details:
Guru Prasad.R
Mobile: +91-9840822258
Mail id: [email protected]
Expecting your reply mail for the same.
Thanks & Regards,
Guru Prasad .R

Similar Messages

Monitoring VLAN traffic

I moved from 2500 series routers to a switched network using a Catalyst 3750 and 3560 switches over the course of the last year. In my routed network I used MRTG to monitor traffic on my interfaces. In my switched network environment I have not been able to find a free or low cost tool that will monitor VLAN traffic. Any suggestions?

I have the same problem and found these links that provided answers:
http://forums.cacti.net/about29656.html&highlight=
http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23738165.html
Vlans on 3560s, 3750s and 3550s do not show stats. The packets are forwarded with the ASIC chips and do not cross the CPU for actual processing. To actually see the traffic you will need to turn off CEF, which decrases the performance significantly (not recommended, see links above).

L4 Traffic Monitor question

In the IronPort web security appliance documentation, it indicates that the L4 traffic monitor ports (T1 and/or T2) should be connected to either a network tap or switch span.
I'm a little confused as to how this is supposed to be set up.
Does it mean that you take 2 ports on a switch, one on the same subnet/vlan as the P1 interface (data) on the IronPort, and the other that is on the subnet/vlan as the firwall (outbound Internet traffic) and create 2 monitor sessions (spans)? If so, where are these sessions pointed to?
Isn't the IronPort supposed to be doing the tapping/inspection?
The whole external tap thing has me confused.

Colin,
One way to think of it is that the WSA has 2 inspection engines that don't actually talk to one another...
1. the web proxy, where you're using WCCP to send specific traffic to
2. the L4TM engine that you send a spanned port to to catch all of the other weird stuff.
The web proxy does all of the user tracking/policy stuff, etc. Watching a specific set of ports.
The L4TM is intended for malware that might be running on your net... sort of like the Botnet Traffic filter that's available on ASA.
That said, you'll use 1 port for P1 on whatever vlan, redirection to that happens via WCCP or explicit proxy.
For the L4TM tap you can use 1 or 2 ports on the swtich, or none if you use an external tap. In the Network/Interfaces page, you set whether you want L4TM to use simplex or Duplex. If you use Duplex, just do a span session off the port the firewall is plugged into to the port that you connect T1 into...
If you use Simplex, you do 2 span sessions off of the port the firewall is connected to... ingress traffic on the port (eg. out of the firewall) to the port T1 is connected to, egress traffic on the port (eg. going to the firewall) spanned to the port T2 is hooked up to.
If you use an external tap, put it inline between the firewall and the switch, set the WSA for duplex and connect the "monitor" port to T1...
Hope that helps!
Ken

L4 traffic monitor - blocking traffic ?

Hello
How does L4 traffic monitor is blocking traffic if T1/T2 ports are "tap/sniffed ports" ?
For SPAN we might have "ingress vlan feature" which would allow us to send TCP RST (like IPS does),
but for hardware TAP we do not have such a feature.
So - maybe L4 traffic monitor can not block any traffic, just make a decision what to block and execution is on WebProxy and P1/2 ports ?
Thanks

Michael,
Yes, the reset is sent via P1
Ken
Sent from Cisco Technical Support iPad App

Wireshark capture on access port displays different vlan traffic

Hi Guys,
i have a nexus 4001i Blade Center Switch where i have a server connected in mode access to a particular vlan.
when i use wireshark on this port, i see different traffic conversations of different servers in different vlans which seems strange to me.
anybody have an idea why a server in mode access with wireshark is able to view different vlan traffic? I also see non multicast and non broadcast converations.
the port the server is connected to is not a monitor port but only in switch port mode access.
thanks in advance for you feedback

Hi,
So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.
Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.
Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:
In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.
Regards

Need help in generating L4 Traffic monitor logs

Hi,
As a part of my project I need to study different types of logs produced by Cisco IronPort. I could generate some access and authentication logs however not sure about generating the L4 Traffic Monitor logs. Can anyone point me to right documentation that will help me generate those logs?
Thanks,
Harshad Kashikar

Harshad,
L4 Traffic Monitoring needs to be configured within the IronPort - first question is do you have a SPAN/TAP port set up on your switch to capture L4 traffic?
Second, I only use this feature to capture information on malware/spyware - I have seen P2P, IRC, and 'phone-home' traffic amongst other things. Do you have an infected host you can monitor?
BF

Can an Ironport work in both WCCPv2 and L4 Traffic monitoring modes at the same time?

Hello Ciscoers,
We have an ironport installed and we use WCCPv2 to redirect the traffic. And as it occurs, I have a need to forward the traffic for another network, that uses another path to the Internet.
So I was thinking using the L4 Traffic Monitoring.
To the best of your knowledge, is there a way to have the appliance use both WCCPv2 and L4 Traffic monitoring at the same time? From the configuration, it's one or the other.
Thanks,
J.

Ok. I'll try.
As a matter of fact, I plan to use policy-based routing to forward all the "interesting" traffic to the appliance.
For your TCP-Resets not seen, do you allow ingress on the span session?
J.

Traffic monitoring for Coherence 3.1

The objective of our small project is to monitor the traffic on our coherence clusters. We also were trying to put the cache traffic as a object in the same cache name. The problem we encountered was during performance tests something happened to the coherence clusters and there appears to be some kind of lock not being released for others which made all the weblogic cluster go down. Weblogic went down with "too many open files". We have thread dumps which I can send if you guys need it nevertheless I have attached a part which I suspect is the reason.
Heres the Code that was trying to do the monitoring. The doPut Servlet method does the put , after the put it calls a method RegisterTraffic which has a small logic to increment the count & put back into the cache. It has a Lock for the particular "Traffic" key.
* The Servlets doPut method - Handles the Cache Put Requests
* @param HttpServletRequest request, HttpServletResponse response
* @return void
* @throws CacheException
public void doPut(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException {
     ServletOutputStream out = response.getOutputStream();
     String value = "";
     try {
          String id = request.getPathInfo();
          String expires = request.getHeader("Expires");
          String contentType = request.getContentType();
          String app_name = request.getHeader("App-Name");
          int contentLength = request.getContentLength();
          if (contentLength > 0) {
               byte valueArray[] = new byte[contentLength];
               ServletInputStream in = request.getInputStream();
               int bytesRead = 0;
               int offset = 0;
               while (bytesRead > -1) {
                    bytesRead =
                         in.read(valueArray, offset, valueArray.length - offset);
                    offset += bytesRead;
                    if (offset == contentLength) {
                    break;
               DataObject myValue = new DataObject();
               myValue.setByte(valueArray);
               myValue.setExpirationTime((Long.parseLong(expires))*1000);
               Cache_Manager.put(id, myValue);
               response.setContentType("application/octet-stream");
               value = "ID "+id+" Stored";
               out.write(value.getBytes());
               out.flush();
               RegisterTraffic(app_name,"PUT");
     } catch (Exception ex) {
          response.setContentType("application/octet-stream");
          value = "CACHE_ERROR:"+ErrorCode.INTERNAL_PROBLEM_CODE+":"+"doPut:"+ErrorCode.INTERNAL_PROBLEM_MSG;
          response.setContentLength(value.length());
          out.write(value.getBytes());
          throw new ServletException(value+"\n"+ex.getMessage());
* The Servlets Traffic Monitor method - Handles the Traffic monitoring
* @param appname, get or put or clear
* @return void
* @throws CacheException
public void RegisterTraffic(String appName, String action) {
     String trafficKey = "Traffic";
     try {
          HashMap hmTotal = new HashMap();
          HashMap hmToday = new HashMap();
          Object obj = null;
          HIDataObject dObj = null;
          String today = (new java.util.Date().toString()).substring(0,3);
          //String today = "SAT";
          Long totalTrafficCount = new Long(1);
          Long todayTrafficCount = new Long(1);
          long totalCnt = 0;
          long todayCnt = 0;
          // Lock the Object.
          Cache_Manager.lock(trafficKey,-1);
          try{
               dObj = (HIDataObject)Cache_Manager.get(trafficKey);
          } catch(java.lang.NullPointerException nex) {
               // If this Exception then we are doing it for the first time.
               // Ignore this exception
          } catch(Exception exe) {
               CacheLog.error("CACHE_ERROR: RegisterTraffic Failed with Following Exception\n"+exe.getMessage());
          if (dObj != null) {
               hmTotal = dObj.getTotalTrafficHashMap();
               hmToday = dObj.getTodayTrafficHashMap();
          // HashMap.get will throw error for the first time , so initialize to 1.
          try{
               totalTrafficCount = (Long)hmTotal.get(appName+"-"+action);
          } catch(java.lang.NullPointerException nex) {
               CacheLog.error("CACHE_ERROR: RegisterTraffic Failed with Following Exception\n"+nex.getMessage());
          try{
               todayTrafficCount = (Long)hmToday.get(today+"-"+appName+"-"+action);
          } catch(java.lang.NullPointerException nex) {
               CacheLog.error("CACHE_ERROR: RegisterTraffic Failed with Following Exception\n"+nex.getMessage());
          try{
               totalCnt = totalTrafficCount.longValue();
               todayCnt = todayTrafficCount.longValue();
          } catch (Exception e) {
          // Increase the counn here
          totalCnt++;todayCnt++;
          hmTotal.put(appName+"-"+action,new Long(totalCnt));
          hmToday.put(today+"-"+appName+"-"+action,new Long(todayCnt));
          try{
               HIDataObject myValue = new HIDataObject();
               myValue.setTotalTrafficHashMap(hmTotal);
               myValue.setTodayTrafficHashMap(hmToday);
               myValue.setExpirationTime(86400000);
               Cache_Manager.put(trafficKey, myValue);
          } catch (Exception exe){
               CacheLog.error("CACHE_ERROR: RegisterTraffic Failed with Following Exception\n"+exe.getMessage());
     } catch (Exception ex) {
          CacheLog.error("CACHE_ERROR: RegisterTraffic Failed with Following Exception\n"+ex.getMessage());
     } finally {
          Cache_Manager.unlock(trafficKey);
Weblogic Thread Dumps
"TcpRingListener" id=76 idx=0x96 tid=19164 prio=6 alive, in native, daemon
at java/net/PlainSocketImpl.socketAccept(Ljava/net/SocketImpl;)V(Native Method)
at java/net/PlainSocketImpl.accept(Ljava/net/SocketImpl;)V(PlainSocketImpl.java:353)
^-- Holding lock: java/net/PlainSocketImpl@0xc5f4238[thin lock]
at java/net/ServerSocket.implAccept(Ljava/net/Socket;)V(ServerSocket.java:448)
at java/net/ServerSocket.accept()Ljava/net/Socket;(ServerSocket.java:419)
at com/tangosol/coherence/component/net/socket/TcpSocketAccepter.accept()Lcom/tangosol/coherence/component/net/socket/TcpSocket;(TcpSocketAccepter.CDB:17)
at com/tangosol/coherence/component/util/daemon/TcpRingListener.acceptConnection()V(TcpRingListener.CDB:9)
at com/tangosol/coherence/component/util/daemon/TcpRingListener.onNotify()V(TcpRingListener.CDB:1)
at com/tangosol/coherence/component/util/Daemon.run()V(Daemon.CDB:34)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
"DistributedCache" id=78 idx=0x98 tid=19165 prio=5 alive, in native, waiting, daemon
-- Waiting for notification on: com/tangosol/coherence/component/util/daemon/QueueProcessor$Queue@0xc5c6998[fat lock]
at jrockit/vm/Threads.waitForSignal(J)Z(Native Method)
at java/lang/Object.wait(J)V(Native Method)[optimized]
at com/tangosol/coherence/component/util/Daemon.onWait()V(Daemon.CDB:9)[optimized]
^-- Lock released while waiting: com/tangosol/coherence/component/util/daemon/QueueProcessor$Queue@0xc5c6998[fat lock]
at com/tangosol/coherence/component/util/Daemon.run()V(Daemon.CDB:31)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
"ListenThread.Default" id=79 idx=0x9a tid=19166 prio=5 alive, in native
at java/net/PlainSocketImpl.socketAccept(Ljava/net/SocketImpl;)V(Native Method)
at java/net/PlainSocketImpl.accept(Ljava/net/SocketImpl;)V(PlainSocketImpl.java:353)
^-- Holding lock: java/net/PlainSocketImpl@0x1729efc8[thin lock]
at java/net/ServerSocket.implAccept(Ljava/net/Socket;)V(ServerSocket.java:448)
at java/net/ServerSocket.accept()Ljava/net/Socket;(ServerSocket.java:419)
at weblogic/socket/WeblogicServerSocket.accept()Ljava/net/Socket;(WeblogicServerSocket.java:26)
at weblogic/t3/srvr/ListenThread.accept()Ljava/net/Socket;(ListenThread.java:735)
at weblogic/t3/srvr/ListenThread.run()V(ListenThread.java:301)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
Blocked lock chains
===================
Chain 2:
"ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'" id=53 idx=0x70 tid=18903 waiting for java/lang/String@0x102fb4d8 held by:
"ExecuteThread: '1' for queue: 'weblogic.socket.Muxer'" id=52 idx=0x6e tid=18902 in chain 1
Coherence Thread Dumps
"PacketPublisher" id=21 idx=0x32 tid=20248 prio=6 alive, in native, waiting, daemon
at jrockit/vm/Threads.waitForSignal(J)Z(Native Method)
at java/lang/Object.wait(J)V(Native Method)
at com/tangosol/coherence/component/util/Daemon.onWait()V(Daemon.CDB:9)
^-- Lock released while waiting: com/tangosol/coherence/component/net/Cluster$PacketPublisher$Queue@0xcb36648[fat lock]
at com/tangosol/coherence/component/util/Daemon.run()V(Daemon.CDB:31)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
"Cluster" id=22 idx=0x34 tid=20249 prio=5 alive, in native, waiting, daemon
-- Waiting for notification on: com/tangosol/coherence/component/net/Cluster$ClusterService$Queue@0xcb30190[fat lock]
at jrockit/vm/Threads.waitForSignal(J)Z(Native Method)
at java/lang/Object.wait(J)V(Native Method)
at com/tangosol/coherence/component/util/Daemon.onWait()V(Daemon.CDB:9)
^-- Lock released while waiting: com/tangosol/coherence/component/net/Cluster$ClusterService$Queue@0xcb30190[fat lock]
at com/tangosol/coherence/component/util/Daemon.run()V(Daemon.CDB:31)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
"PO Async Executor" id=27 idx=0x36 tid=20436 prio=5 alive, in native, waiting, daemon
-- Waiting for notification on: java/lang/Object@0xa7573d8[fat lock]
at jrockit/vm/Threads.waitForSignal(J)Z(Native Method)
at jrockit/vm/Locks.wait(Ljava/lang/Object;J)V(Unknown Source)
at java/lang/Object.wait()V(Native Method)
at com/wily/EDU/oswego/cs/dl/util/concurrent/BoundedLinkedQueue.take()Ljava/lang/Object;(BoundedLinkedQueue.java:225)
^-- Lock released while waiting: java/lang/Object@0xa7573d8[fat lock]
at com/wily/EDU/oswego/cs/dl/util/concurrent/QueuedExecutor$RunLoop.run()V(QueuedExecutor.java:82)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)
-- end of trace
"TcpRingListener" id=24 idx=0x38 tid=20252 prio=6 alive, in native, daemon
at java/net/PlainSocketImpl.socketAccept(Ljava/net/SocketImpl;)V(Native Method)
at java/net/PlainSocketImpl.accept(Ljava/net/SocketImpl;)V(PlainSocketImpl.java:353)
^-- Holding lock: java/net/PlainSocketImpl@0xd441530[thin lock]
at java/net/ServerSocket.implAccept(Ljava/net/Socket;)V(ServerSocket.java:448)
at java/net/ServerSocket.accept()Ljava/net/Socket;(ServerSocket.java:419)
at com/tangosol/coherence/component/net/socket/TcpSocketAccepter.accept()Lcom/tangosol/coherence/component/net/socket/TcpSocket;(TcpSocketAccepter.CDB:17)
at com/tangosol/coherence/component/util/daemon/TcpRingListener.acceptConnection()V(TcpRingListener.CDB:9)
at com/tangosol/coherence/component/util/daemon/TcpRingListener.onNotify()V(TcpRingListener.CDB:1)
at com/tangosol/coherence/component/util/Daemon.run()V(Daemon.CDB:34)
at java/lang/Thread.run()V(Unknown Source)
at jrockit/vm/RNI.c2java(IIII)V(Native Method)

Hi user638596.
Frankly, there is not enough information to go by. The code you pointed to is definitely not "bullet proof". First, after the lock has been acquired, it only catches Exceptions, so any Errors (e.g. OutOfMemoryError) would "leak" a lock. In general, the locking-protected code should look like (in pseudo-code):
lock();
try
operations();
finally
unlock();
}However, without seeing the log files and entire thread dump, it's impossible to figure out a real reason. I'd suggest you to submit those to our support at Oracle Metalink.
Regards,
Gene

[Request] NTM - Network Traffic Monitor

Hi to everyone:
Could anyone package this?: NTM - Network Traffic Monitor
NTM is a monitor of the network and internet traffic for GNU/Linux. Some characteristics:
* Choice of the interface to monitoring.
* Period to monitoring: Day, Week, Month, Year or Custom Days. With autoupdate.
* Threshold: Autodisconnection if a limit is reached (by NetworkManager).
* Traffic Monitoring: Inbound, outbount and total traffic; Show the traffic speed.
* Time Monitoring: Total time of connections in the period.
* Time Slot Monitoring: Number of sessions used.
* Reports: Show of average values and daily traffic of a configurable period.
* Online checking with NetworkManager or by "Ping Mode".
* The traffic is attributed to the day when the session began.
* Not need root privilege.
* Not invasive, use a system try icon.
NTM is useful for the people that have a internet plan with a limit, and moreover the exceed traffic is expensive.
NTM is write in python and is a open source software, the license is the GNU GPL v2.
A lot of thanks.

#Maintairner: Brieuc Roblin <brieuc.roblin at gmail dot com>
pkgname='ntm'
pkgver='1.2.2'
pkgrel='1'
pkgdesc="Monitor of the network and internet traffic"
arch=('i686' 'x86_64')
license=('GPL')
depends=('pywebkitgtk' 'lsb-release' 'networkmanager')
makedepends=('dpkg')
url=('http://netramon.sourceforge.net/eng/index.html')
source=('http://freefr.dl.sourceforge.net/project/netramon/NTM/ntm-1.x/ntm-1.2.2.deb')
md5sums=('ec438b8c952ac866ffdaa57538d189b7')
build() {
cd "$srcdir"
# Extracting deb
msg2 "Extracting .deb ..."
dpkg-deb -x ntm-*.deb deb
cd "deb"
# Installing
msg2 "Installing..."
cp -r . "$pkgdir"/
I can't really test the program as I'm not using NetworkManager.
Last edited by PyrO_70 (2010-08-20 19:18:24)

Vlan traffic is not passing through Wireless Bridge

Hi,
Recently we have placed wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). Now after installing the bridge we are facing the issue like only the management interface traffic is reachable through bridge, but not able to reach other vlan traffic.
like management range is in vlan 1 (which inlcudes AP' Switch and router) and the bridge IP's are also in Vlan 1.
Switch port is kept in trunk mode both ends of bridge. still other vlan traffic is not reachable, do we have to place any special configuration for this ?
all the business users are in Vlan 3
all the sale team users are in vlan 123.
now problem is other end switches are reachable for me through bridge that is in vlan 1, but vlan 3 and vlan 123 are not reachable for me.users are not getting IP's, when we assigned the static ip address and tested still it is not working.
i am attaching my wireless bridge configuration in the discussion, please help on this issue.
Root Bridge ---- Non--Rootbridge--- Cisco Switch--Cisco Switch..
now i am able to those two switch also, but not able to reach the vlan 3 users who are connected to that switches.

Hi,
infrastructure-ssid has been placed at both end still not able to get IP's to the devices.
I am not able to attach txt files in the reply, could you please let me know your email ID so that i will send the config files to your ID.

Cisco WSA : no data found in L4 traffic monitor summary

Hello !
Does L4 traffic monitor only display rogue traffic ? Because, I made a packet capture on the T1 interface and i saw that there was a lot of traffic but in the overview, no data was found in the field "L4 Traffic Monitor Summary". Is it normal ? There is a screenshot in enclosed files.
Thank you,
Stephane Walker

UDP ports will not be blocked.
The L4TM will use the T1 interface to detect traffic to destinations that are on its blacklist. Once detected, the the data interface on the WSA will send a packet with the TCP reset flag to the client to prevent a TCP connection.
I have not tested this so someone correct me if I am wrong. I am answering this based on my understanding of the L4TM feature, and how it works. Since UDP is connectionless, there is no connection for it to kill.
Now this makes me wonder about the Monitor feature though. But I am almost certain it will not block if the action is set to block.
I'll check this out when I'm in the office and will get back to you.
-Vance

UDP traffic analyzed in L4 traffic monitor?

Dear all,
I just wonder if anyone knows whether UDP traffic is analyzed by the WSA's L4 traffic monitor?
It just tells "all ports" in the settings and reports also only reflect port numbers but no details like
which protocol (tcp/udp).
Anyone?
Best,
Hascha

UDP ports will not be blocked.
The L4TM will use the T1 interface to detect traffic to destinations that are on its blacklist. Once detected, the the data interface on the WSA will send a packet with the TCP reset flag to the client to prevent a TCP connection.
I have not tested this so someone correct me if I am wrong. I am answering this based on my understanding of the L4TM feature, and how it works. Since UDP is connectionless, there is no connection for it to kill.
Now this makes me wonder about the Monitor feature though. But I am almost certain it will not block if the action is set to block.
I'll check this out when I'm in the office and will get back to you.
-Vance

Traffic monitoring

I have a Cisco 4507 and would like to start monitoring traffic analysis and must admit Im a beginer so any information would be gratefully received

Hello,
you can use netflow traffic monitoring and analyzis. More information about netflow you can read on the cisco pages http://www.cisco.com/go/netflow or in the documentation of our software on the: http://www.caligare.com/netflow/download.php (section appendix 1). If you have more questions regarding netflow let me know...
Jan
Caligare Co.
http://www.caligare.com

Traffic monitoring on 3750

Hi Folks,
Greetings and happy new year!! I have a network core which is on a stacked 3750g, that has several SVIs for network segmantation. Some of the SVIs have ACLs applied on them. I need to help in determining whan tools to use to be able to see inter-VLAN traffic on the 3750's, we need this to determine how lockdown the network. I just realized that ip accounting and netflow is not supported on the 3750s.
Thank you in advanced.
JP

Kyle,
On a 3750, I think you can do WCCP if you have the right software load on it.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_qas09186a00801b0971.html
There are limitations to the 3750... it only does L2 redirection (no GRE) and assignment must be mask.
and you have to have SDM set to prefer routing....
sdm prefer routing
Then turn on WCCP for dynamic service group 90 (so you can set what ports you need on the WSA)
Switch(config)# ip wccp 90 group-list 15
Create an ACL to keep traffic to internal servers from being redirected to your WSA
Switch(config)# access-list 15 deny any 10.90.0.0 255.255.0.0       <--add whatever networks you need.
Switch(config)# access-list 15 permit any any
Assuming the VLAN you have the WSA and the DSL router on is 301
Switch(config)# interface vlan 301
Switch(config-if)# ip wccp 90 redirect in
This will catch inbound traffic to the VLAN an hand it to the WSA, assuming it doesn't match the ACL.   If the WSA is down, it routes it as normal...
Here's the docs I pulled that from (near the bottom for doing a vlan instead of a port...)
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_58_se/configuration/guide/swwccp.html#wp1031033
The WSA should negotiate the L2 vs GRE & mask vs. hash issues...
Hope that helps.
Ken

24 Hr Network Traffic Monitoring

Hi Markus,
I got this 24-hour Network traffic monitoring output using the program you gave me ;)
I run every hour this > ./network-traffic.sh -c 1
It will give me 1 line output like this,
Monitoring eth0 every 3 seconds. (RXbyte total = 1 Gb TXbytes total = 2 Gb)
RXbytes = 58 Kb TXbytes = 51 Kband I call this program every hour via cron, to produce and output like this:
27-Oct-2010 00:00:07    RXbytes = 10 Kb TXbytes = 9 Kb
27-Oct-2010 01:00:07    RXbytes = 11 Kb TXbytes = 9 Kb
27-Oct-2010 02:00:07    RXbytes = 7 Kb TXbytes = 6 Kb
27-Oct-2010 03:00:07    RXbytes = 48 Kb TXbytes = 42 Kb
27-Oct-2010 04:00:07    RXbytes = 448 b TXbytes = 0 b
27-Oct-2010 05:00:08    RXbytes = 128 b TXbytes = 0 b
27-Oct-2010 06:00:07    RXbytes = 128 b TXbytes = 0 b
27-Oct-2010 07:00:08    RXbytes = 256 b TXbytes = 0 b
27-Oct-2010 08:00:08    RXbytes = 14 Kb TXbytes = 24 Kb
27-Oct-2010 09:00:07    RXbytes = 11 Kb TXbytes = 10 Kb
27-Oct-2010 10:00:08    RXbytes = 11 Kb TXbytes = 10 Kb
27-Oct-2010 11:00:07    RXbytes = 48 Kb TXbytes = 85 Kb
27-Oct-2010 12:00:08    RXbytes = 9 Kb TXbytes = 8 Kb
27-Oct-2010 13:00:07    RXbytes = 13 Kb TXbytes = 28 Kb
27-Oct-2010 14:00:08    RXbytes = 53 Kb TXbytes = 46 Kb
27-Oct-2010 15:00:08    RXbytes = 13 Kb TXbytes = 20 Kb
27-Oct-2010 16:00:08    RXbytes = 13 Kb TXbytes = 20 Kb
27-Oct-2010 17:00:08    RXbytes = 40 Kb TXbytes = 94 Kb
27-Oct-2010 18:00:07    RXbytes = 13 Kb TXbytes = 30 Kb
27-Oct-2010 19:00:08    RXbytes = 6 Kb TXbytes = 9 Kb
27-Oct-2010 20:00:08    RXbytes = 12 Kb TXbytes = 12 Kb
27-Oct-2010 21:00:08    RXbytes = 15 Kb TXbytes = 40 Kb
27-Oct-2010 22:00:07    RXbytes = 9 Kb TXbytes = 11 Kb
27-Oct-2010 23:00:07    RXbytes = 11 Kb TXbytes = 9 KbIs this output data gathering style valid?
I want to give this report to my boss using spreadsheets, but I want to put comments like :
1. at what hour is the network busiest?
2. at what hour is the network the not-busiest?
How do I sort this output from busiest (descending order)?
Thanks a lot,
Ms K

Hi again markie,
This is my actual source code of eth0stat.sh:
# File: eth0stat.sh
# Purpose: Gather network traffic increase between readings
# Command: . ./eth0stat.sh
ifcmd='/sbin/ifconfig eth0'
timestamp=$(date "+%D %T")
logfile=/u01/Monitor/eth0stat.txt
old_rxbytes=$RXBYTES
old_txbytes=$TXBYTES
get_rxbytes() {
   $ifcmd | grep "RX bytes" | cut -d: -f2 | awk '{ print $1 }'
get_txbytes() {
   $ifcmd | grep "TX bytes" | cut -d: -f3 | awk '{ print $1 }'
RXBYTES=$(get_rxbytes); export RXBYTES
TXBYTES=$(get_txbytes); export TXBYTES
if [ $old_rxbytes > 0 ]; then
   diff_rxbytes=$(($RXBYTES - $old_rxbytes))
else
   diff_rxbytes=0
fi
if [ $old_txbytes > 0 ]; then
   diff_txbytes=$(($TXBYTES - $old_txbytes))
else
   diff_txbytes=0
fi
echo "$timestamp,RXbytes:$diff_rxbytes,TXbytes:$diff_txbytes" >> $logfileI created the new program you gave me (eth0stat.sh) and called it from cron every our, but I got this result:
11/01/10 15:00:07,RXbytes:0,TXbytes:0
11/01/10 16:00:07,RXbytes:0,TXbytes:0
11/01/10 17:00:07,RXbytes:0,TXbytes:0
11/01/10 18:00:07,RXbytes:0,TXbytes:0
11/01/10 19:00:07,RXbytes:0,TXbytes:0
11/01/10 20:00:07,RXbytes:0,TXbytes:0
11/01/10 21:00:07,RXbytes:0,TXbytes:0
11/01/10 22:00:08,RXbytes:0,TXbytes:0
11/01/10 23:00:07,RXbytes:0,TXbytes:0
11/02/10 00:00:07,RXbytes:0,TXbytes:0
11/02/10 01:00:08,RXbytes:0,TXbytes:0
11/02/10 02:00:08,RXbytes:0,TXbytes:0
11/02/10 03:00:07,RXbytes:0,TXbytes:0
11/02/10 04:00:07,RXbytes:0,TXbytes:0
11/02/10 05:00:07,RXbytes:0,TXbytes:0
11/02/10 06:00:08,RXbytes:0,TXbytes:0
11/02/10 07:00:08,RXbytes:0,TXbytes:0
11/02/10 08:00:07,RXbytes:0,TXbytes:0
11/02/10 09:00:08,RXbytes:0,TXbytes:0
11/02/10 10:00:08,RXbytes:0,TXbytes:0The output has all 0 bytes :( . Is there something I missed out?
I compared it to the other one I got:
1-Nov-2010 15:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 16:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 17:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 18:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 19:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 20:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 21:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 22:00:08     RXbytes = 10 Kb TXbytes = 9 Kb
1-Nov-2010 23:00:07     RXbytes = 11 Kb TXbytes = 9 Kb
2-Nov-2010 00:00:07     RXbytes = 10 Kb TXbytes = 9 Kb
2-Nov-2010 01:00:08     RXbytes = 10 Kb TXbytes = 9 Kb
2-Nov-2010 02:00:08     RXbytes = 10 Kb TXbytes = 9 Kb
2-Nov-2010 03:00:07     RXbytes = 7 Kb TXbytes = 6 Kb
2-Nov-2010 04:00:07     RXbytes = 256 b TXbytes = 0 b
2-Nov-2010 05:00:07     RXbytes = 320 b TXbytes = 0 b
2-Nov-2010 06:00:08     RXbytes = 0 b TXbytes = 0 b
2-Nov-2010 07:00:08     RXbytes = 466 b TXbytes = 0 b
2-Nov-2010 08:00:07     RXbytes = 1 Mb TXbytes = 19 Mb
2-Nov-2010 09:00:08     RXbytes = 1 Mb TXbytes = 22 Mb
2-Nov-2010 10:00:08     RXbytes = 12 Kb TXbytes = 91 KbThe is seem to be movement starting at 8am Nov 2, 2010.
Please help me debug the eth0stat.sh.
Thanks again so much

VLAN Traffic Monitoring

Similar Messages

Maybe you are looking for