Syslog and Netflow - Non Networking Person Help

Started by owensit, February 04, 2017, 09:38:56 AM


owensit

 Hi

We are desperate for some help as we don't have specialist networking expertise in-house and no-one else seems willing to help us.

Since switching to a new leased line 10/100 and running on the MPLS, we are maxing out on bandwidth.  Our old line was also 10/100.  One PC/laptop or phone can simply eat up all the bandwidth, which means we are not operational and our 10 sites cannot RDP in, nor can anyone access our web server.  I will probably get fired shortly if this is not resolved  :-\ by Monday.  The MPLS provider has put QoS 4MB on HTTP & HTTPS (Cisco router) but we still have no operations for 90% of the day.  Previously our line would slow down but remain operational.

We have an MPLS with Cisco routers at each site, and our MPLS company has said it can make NetFlow logs and syslogs available to us if we provide a server IP and port for each.  That is the easy part (we have a Windows server), but we have no network expertise, have no idea what software we need and have no guidance.  They refuse to help us any further than that.  They will not even advise us what software we need.

HQ - We run web, e-mail, RDP on internal network, printing to Sites, FTP in & out, hardware VPN and a little CCTV.
Each site - We run web, e-mail, RDP into HQ, FTP in & out, printing via HQ, hardware VPN and a little CCTV.

Once the initial crisis is over we will give them notice!   In the interim ...

A. What can we do on the firewall/routers to stabilise the connection and prevent a PC/laptop/phone from taking up all the bandwidth?

B. Can someone please advise us on what software we need to pick up these NetFlow logs and what we need to interpret the NetFlow logs?  It must be Windows based and must help us identify what is causing the issues in an easy way.  Ideally a free/cheap/open source system would be great.  We have 10 sites, all with Cisco routers, and 3 sites with hardware VPN.  We have looked at nprobe but don't know where to start, and the cost options are really confusing, i.e. HTTP is extra, etc.  Also advise the same re. syslogs.

In layman's terms we need to identify traffic problems (ideally at each site, especially HQ) and be able to also identify web usage statistics (ideally at each site) by machine/user.  We need the machine name, device type (and/or user) and what on that machine is causing problems.

We would also be willing to pay someone to help us out here, both with syslog and NetFlow software, i.e. let us know what we need and then guide us through installation.

Help and guidance really appreciated.



deanwebb

A. Routers can do traffic shaping and policing. I prefer policing, where bulk traffic gets dropped when voice traffic needs the room. Get a proxy server and use it to block Facebook and YouTube and DailyMotion and Twitter and Instagram. Then block Netflix, Amazon, Hulu, and any other streaming video.

B. Free and easy is the SolarWinds NetFlow monitoring package, which you can turn on for 30 days and get a look at your top talkers once you set up your firewalls and routers to send it your NetFlow information. After 30 days, you need to buy it to keep it, but it is very good for people who have limited skills in the area. It's cheaper than hiring a network security specialist, that's one way to look at it. But it will give you the top talkers, source and destination, and that lets you know which sites to block or which traffic to move around. For example, you may find a backup job running at noon every day because the guy that set it up got confused about 12 AM and 12 PM.

Provisioning is another thing. How many users in total are we looking at here? At HQ and each site? Is Internet usage at a remote site going through a local Internet breakout, or is it backhauled to the HQ to use the Internet connection there?

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
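To make the "top talkers" idea above concrete, here is an added example (not code from the thread, SolarWinds or nProbe) showing what a NetFlow collector actually does with what the provider's routers export. It decodes NetFlow version 5 datagrams (the fixed 24-byte header plus 48-byte records, as Cisco IOS exports them) and totals bytes per source address. The sample records, the 192.168.x.x addresses and the listening port 2055 are constructed assumptions for the demo; point the provider at whatever IP and port you actually run this on.

```python
"""NetFlow v5 decoder with a per-source top-talker report (added example).

Run it and it listens on UDP/2055 for real exports; imported, it exposes
parse_netflow_v5() and top_talkers() for use on a constructed sample.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order).
HEADER_FMT = "!HHIIIIBBH"               # version, count, sysuptime, unix_secs,
                                        # unix_nsecs, seq, engine_type, engine_id,
                                        # sampling_interval            -> 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in_if, out_if, pkts,
                                        # bytes, first, last, sport, dport, pad,
                                        # tcp_flags, proto, tos, src_as, dst_as,
                                        # src_mask, dst_mask, pad       -> 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30                        # v5 exporters never send more per datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram):
    """Return a list of flow dicts from one v5 datagram.

    Raises ValueError on anything malformed, so a stray or truncated packet
    cannot corrupt the totals or crash the collector loop.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, _tos, *_rest) = \
            struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets,
            # Low 14 bits of the header field: if the exporter samples 1-in-N,
            # real volume is roughly N times the counters reported here.
            "sampling": sampling & 0x3FFF,
        })
    return flows


def top_talkers(flows, key="src", n=5):
    """Total bytes per value of `key` ("src" or "dst"), largest first."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[key]] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_datagram(records):
    """Pack (src, dst, proto, sport, dport, pkts, bytes) tuples as one v5 datagram.

    Constructed test input only; a real router fills in uptime, sequence numbers
    and interface indexes.
    """
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                    b"\0" * 4, 0, 0, pkts, octets, 0, 0, sport, dport,
                    0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, proto, sport, dport, pkts, octets in records
    )
    return header + body


# Constructed sample: one workstation pushing two large HTTPS flows dwarfs the
# RDP session and the syslog chatter on the same site link.
SAMPLE_RECORDS = [
    ("192.168.10.25", "203.0.113.10", 6, 52311, 443, 9000, 12_000_000),
    ("192.168.10.40", "192.168.1.5", 6, 50000, 3389, 400, 60_000),
    ("192.168.10.25", "203.0.113.10", 6, 52312, 443, 8000, 11_000_000),
    ("192.168.10.77", "192.168.1.9", 17, 514, 514, 10, 2_000),
]


def run_collector(port=2055):
    """Listen for exports and print the running top-5 sources after each datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    seen = []
    while True:
        datagram, (exporter, _) = sock.recvfrom(65535)
        try:
            seen.extend(parse_netflow_v5(datagram))
        except ValueError as err:
            print(f"ignoring datagram from {exporter}: {err}")
            continue
        print(exporter, top_talkers(seen))


if __name__ == "__main__":
    print(top_talkers(parse_netflow_v5(build_sample_datagram(SAMPLE_RECORDS))))
    run_collector()
```

Once the provider is exporting, the exporter address printed with each line tells you which site's router a flow came from, and running the same report with `key="dst"` shows where the bytes are going. Check the `sampling` value before trusting absolute numbers, and bear in mind that NetFlow gives you addresses, not machine names or users: mapping 192.168.10.25 back to a laptop is a DHCP or directory lookup on your side.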

SimonV

Sounds like your physical circuit cannot handle the capacity you are putting on it. I've had a similar issue recently where everything above 3Mbps completely killed the line, and the solution was to implement a traffic policer which limited outbound upload speed. Can you try running some ping tests across the circuit when it's saturated? You should see extreme amounts of latency.

Also, if you want to identify top talkers/protocols and NetFlow is above your head right now, you can try mirroring the router port to a PC running this software. The trial version should do fine...