5 Replies Latest reply on Apr 7, 2009 7:44 AM by ecornwell

    Tracking user level NetFlow traffic

    kiwi

      Hello                                                 

      (( Internet))........(Router)---FW(NTA) ---- CoreSwitch-----Switch1------ User-2 

                                                      ISA Proxy___/     \________________ User-1 

      User-1 conncted directly to CoreSwitch. User-2 via a Switch1

      Q1:To be able to track users NetFlow traffic (Quicktime, HTTP ...) volume, where should we enable NetFlow ? (Netflow is currently enabled on the Internet Router only).

      Q2: Enabling NetFlow on the CoreSwitch would be enough to track user2 as well as User1?

      Thank you

        • Re: Tracking user level NetFlow traffic
          Yann

          It seems tricky for me to get both the Internet Traffic type and which end users is using that bandwidth.

          From the router perspective, the traffic is coming and going through the ISA Proxy, which leads NetFlow to believe there is only one end-user.

          If you enable NetFlow on the core switch, you will see traffic going on the port 8080 (or anything else) towards and from the ISA Proxy which means you will see which end user is using a lot of bandwidth but because data is encapsulated into another layer, it does not tell you which type of traffic it is.

          I will think about it but for the moment I do not know how to solve it. May be someone else could help there.

          Thanks,

          Yann

            • Re: Tracking user level NetFlow traffic
              ecornwell

              Yann is right...  We haven't enabled netflow on our core but we have on all our WAN Edge routers.  A great deal of our WAN traffic is traffic to our Proxy.  We can't see where people are going or what they are doing but we do see who is using the most bandwidth.  It has come in handy before.  I've worked with a few people to get the data but because of the proxy there isn't any way to get it.  (That we could figure out.)

                • Re: Tracking user level NetFlow traffic
                  bberry

                  We have netflow enabled on our core and pull the stats for a user through the VLAN they are on. We can then coorelate this traffic with the reports from our Proxy. It seems to make using the search by ip address or host easier.

                    • Re: Tracking user level NetFlow traffic
                      kiwi

                      Hi and thank you all (Yann, ecornwell and bberry).

                      Yes, that's what I expected, but the thing that during a Web session Presentation organised by Orion at a pre-sales phase, I remeber well, when we asked about tracking traffic by user << not to spy them but to warn whoever is miss-using the bandwidth with movie downloads...,our IT Mgr is still flexible, but not at peak times:) >>

                       and the presentation showed each user's traffic, top talkers by end-user (employee) unless the Orion Demo was based on a simplified setup without an ISA server where everyone is connected to the same CoreSwitch, including  NetFlow server :), of course in such setup we can see everything, sort of a Lab setup.

                      I would appreciate a definitive answer from Orion if it's possible.

                      Bert regards

                        • Re: Tracking user level NetFlow traffic
                          ecornwell

                          If you consider this critical information, I believe you can configure your ISA server to act in that fashion.  You would basically stop using it as a proxy per say but instead have your default route point towards the ISA server.  (You'd have to be able to look up public DNS addresses as well.)  The problem with this configuration is that you lose the ability to allow or deny someone internet access based on AD Group.  (I believe, I'm not an ISA expert.)