Our network manager is asking why there is a difference between live traffic counts on the outside interface and on the inside and DMZ interfaces. She believes the inside + DMZ traffic counts should equal the outside traffic counts (inbound and outbound). She wants metrics on who is using Internet bandwidth. We are using SNMP to monitor interface traffic. Is there a logical explanation for this? Are "denied" connections counted as traffic on the outside interface?
4 Replies
Hello,
To see who is using Internet bandwidth you would need to use NetFlow for traffic monitoring, which is possible with a Cisco ASA.
best regards
While NetFlow will break down the type of traffic and SNMP does not, my experience has shown a large disparity in the total traffic indicated by each, and not just in the short term. 30 day period = 1.72:1, SNMP is greater. 365 day period = 1.70:1, SNMP is greater. I cannot find the reason for the disparity, and this, therefore, reduces the confidence factor in either, in my opinion. REF: https://kb.paessler.com/knowledgebase/en/topic/31573-prtg-netflow and https://kb.paessler.com/knowledgebase/en/topic/12133-comparing-netflow-and-snmp-traffic-sensors
regards...
Huge discrepancies between different "monitoring protocols" that should monitor the same thing are almost always configuration errors, where not exactly the same thing is being monitored. Of course NetFlow and SNMP will likely never show 100% the same values for the same interface and the same period of time, probably simply because the NetFlow packets do not account for any traffic of their own, while they are likely counted in the SNMP counters.
The issue we are trying to resolve is only about SNMP on a Cisco ASA 5550 firewall. For a given period of time, shouldn't the total traffic seen on the outside interface be the sum of the traffic seen on the inside and DMZ interfaces? The totals are never equal, so we are trying to determine whether traffic dropped via ACL will cause the unequal counts. For example, does denied traffic on the outside interface count as SNMP traffic, or does SNMP only count "allowed" traffic on the outside interface? The same is true for inside traffic: if an outbound ACL drops traffic, is this still counted as SNMP traffic, or is only what is allowed through counted in SNMP traffic?