Wednesday, April 17, 2019

Advice desired for network monitoring and summary with my particular setup

I recently received notice that there was a large amount of ingress traffic (in bytes per second, not packets per second) inbound to my network port. I realized that, while I had MRTGs set up on a handful of devices, I have no way to see overall where most of the traffic and packets are both going into the network and originating from (destination IP and source IP). I'd like to configure something that will allow me to view all network traffic, both within the LAN and going in and out of the network, and graph it, as well as be able to break down the largest amounts of traffic both in throughput and PPS, inbound and outbound, so I can determine what is going on.

I have the following setup:

Router: Cisco 2911 with two active interfaces; one is the port connected to the provider (BGP peer), the other is connected to the network switch;

Switch: Nortel Baystack 5510-48T (Avaya firmware) managed gigabit switch; CLI interface very similar to Cisco IOS

The switch is broken into several groups of ports: group 1 is connected to the router and is for interfaces routing out to the Internet using public IPs; group 2 is LAN only, for internal IPs and intra-LAN communication; group 3 is a secondary LAN, basically a secured group with strict routing in; it contains IPMI/Dell BMC/iLO/etc. and other potentially insecure devices and is kept isolated.

I'd like to set up a server that will be able to see all traffic coming in and out of the router on that WAN port (which all concentrates to a single port on the switch, the port the router is connected to, so that port could be mirrored) and, secondarily, also be able to see all traffic within the LAN port group and the third "isolated" port group. The main concern is the WAN traffic, however, so that I can determine who is sending most of the traffic to the network and outbound as well, in both packets-per-second and bandwidth/throughput.

What would you all recommend for this setup? I assume I need to configure various SPAN trunk ports, with the traffic from the WAN/router port going to the SPAN trunk port, the whole group of LAN ports mirroring to it, and the group of IPMI ports mirrored to it. I am not entirely sure how I do this; I assume it's in the manual in the SPAN documentation, unless anyone else is aware of anything else. Next, what software and platform is recommended? Linux with some kind of open-source monitoring software, watching the interface that is connected to the SPAN trunk port? What software is recommended for my particular needs?

Thanks in advance,

dataslanger
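Whatever collector ends up watching the mirrored port, the breakdown the post asks for (top sources inbound and top destinations outbound, ranked by bytes per second and by packets per second) is a small aggregation step. The following is an added example, not code from the original post; it classifies packet records against a constructed placeholder public prefix standing in for the block routed behind the 2911, and the packet list is likewise constructed so it runs offline with no capture interface.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed placeholder for the public prefix behind the router (not the poster's real block).
LOCAL_NETS = [ip_network("203.0.113.0/24")]

def direction(src, dst):
    """Classify a packet relative to LOCAL_NETS: inbound, outbound, internal or transit."""
    s_local = any(ip_address(src) in n for n in LOCAL_NETS)
    d_local = any(ip_address(dst) in n for n in LOCAL_NETS)
    if s_local and d_local:
        return "internal"
    if d_local:
        return "inbound"
    if s_local:
        return "outbound"
    return "transit"

def summarize(packets, window_s):
    """Aggregate bytes and packets per (direction, remote host) over a window of window_s seconds.
    For inbound traffic the remote host is the source; for everything else it is the destination."""
    totals = defaultdict(lambda: {"bytes": 0, "pkts": 0})
    for src, dst, length in packets:
        d = direction(src, dst)
        remote = src if d == "inbound" else dst
        totals[(d, remote)]["bytes"] += length
        totals[(d, remote)]["pkts"] += 1
    for t in totals.values():
        t["Bps"] = t["bytes"] / window_s   # bytes per second
        t["pps"] = t["pkts"] / window_s    # packets per second
    return dict(totals)

def top_talkers(summary, direction_name, key="bytes", n=5):
    """Return the n largest remote hosts for one direction, ranked by 'bytes' or 'pkts'."""
    rows = [(remote, s) for (d, remote), s in summary.items() if d == direction_name]
    rows.sort(key=lambda r: r[1][key], reverse=True)
    return rows[:n]

# Constructed sample: a few large inbound packets from one host, a flood of small
# packets from another, and a little outbound traffic, all over a 10 second window.
SAMPLE = (
    [("198.51.100.7", "203.0.113.10", 1500)] * 5
    + [("192.0.2.5", "203.0.113.10", 64)] * 100
    + [("203.0.113.10", "198.51.100.7", 60)] * 2
)

if __name__ == "__main__":
    s = summarize(SAMPLE, window_s=10)
    for name in ("inbound", "outbound"):
        for remote, st in top_talkers(s, name):
            print(f"{name:8} {remote:16} {st['Bps']:8.1f} B/s {st['pps']:6.1f} pps")
```

Ranking by bytes and by packets separately matters here: in the sample the host with the most throughput is not the host with the most packets, which is exactly the distinction between the two alerts the post describes.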
