Traffic reporting on a multi-site VPN network

to0kenZA

Expert Member
Joined
Jan 14, 2010
Messages
2,351
Hi guys,

I'm looking for some advice from people who deal with multi-site VPNs.

What is the best way to gather traffic reports in such a network?

For example, you have your HQ with a VPN router, getting breakout via DSL. Then you have say 15 or so branches terminating VPNs onto the main router, also via DSL.

If you were to come up with a solution to monitor traffic on this network, what would be the best way to do it? A main monitor at the head office, or a proxy server or something at each of the branches?

Any advice would be appreciated!

Thanks
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,656
What statistics do you want to know?
Purely bandwidth related?
Traffic split between different protocols?

What's your budget?
What routers / vpn devices are you using?
 

to0kenZA

Expert Member
Joined
Jan 14, 2010
Messages
2,351
> What statistics do you want to know?
> Purely bandwidth related?
> Traffic split between different protocols?
>
> What's your budget?
> What routers / vpn devices are you using?

The router at the head office is a Juniper SSG140, given breakout by a line bonder with 4 DSL lines. Then at all the branches, there's a Juniper SSG20, each with a DSL line for break-out. VPNs are IPSec tunnels.

The client needs reporting on bandwidth usage and protocol based statistics will be good as well.

He will have to decide on the budget, but right now I'm just looking into any solution.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,656
I know squat about Juniper,
but I know you can use MRTG to monitor bandwidth and protocol usage.
 

to0kenZA

Expert Member
Joined
Jan 14, 2010
Messages
2,351
Cool thanks for the reply man. I'll see if I can configure SNMP on the Junipers. I should be able to. I see MRTG is free as well. Shot dude.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,656
> Cool thanks for the reply man. I'll see if I can configure SNMP on the Junipers. I should be able to. I see MRTG is free as well. Shot dude.

Indeed, you can tweak it to show bandwidth and protocol usage.
I am not sure where in the process the Juniper encrypts traffic and where the SNMP counters are generated with regard to the interfaces, so you may need to configure it on the correct interfaces in order to get protocol data instead of encrypted traffic.
 

to0kenZA

Expert Member
Joined
Jan 14, 2010
Messages
2,351
> Indeed, you can tweak it to show bandwidth and protocol usage.
> I am not sure where in the process the Juniper encrypts traffic and where the SNMP counters are generated with regard to the interfaces, so you may need to configure it on the correct interfaces in order to get protocol data instead of encrypted traffic.

I found out that MRTG can poll the DSL IPs if SNMP is set up on the Junipers. The SNMP on the Juniper is not interface specific. But now I just realized another big problem. The remote sites' Junipers all have DynDNS names assigned to them. I can't find a single hint of MRTG supporting DynDNS. Trying to find a confirmation of that, but with no luck...
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,656
> I found out that MRTG can poll the DSL IPs if SNMP is set up on the Junipers. The SNMP on the Juniper is not interface specific. But now I just realized another big problem. The remote sites' Junipers all have DynDNS names assigned to them. I can't find a single hint of MRTG supporting DynDNS. Trying to find a confirmation of that, but with no luck...

I'm not following, why would you monitor the DSL IP instead of the traffic leaving the Junipers?
As for trying to monitor the Junipers through a DynDNS IP, why not monitor them through the VPN on the Junipers' inside IP?
 

to0kenZA

Expert Member
Joined
Jan 14, 2010
Messages
2,351
> I'm not following, why would you monitor the DSL IP instead of the traffic leaving the Junipers?
> As for trying to monitor the Junipers through a DynDNS IP, why not monitor them through the VPN on the Junipers' inside IP?

I was trying to find a way to monitor each branch independently. If you only monitor the one at the head office, you will only see traffic on that one interface. The client wants the bandwidth usage at all his branches. So in other words, traffic from each branch destined for the VPN, as well as break-out traffic not going through the VPN.

I found another solution though. We're going to build a Cacti server. It's another free program, but it supports using DNS names as well as IPs for SNMP monitoring.
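As an added example (not code from this thread, nor from Juniper, MRTG or Cacti), here is a small poller back end for the per-branch reporting discussed above: it turns two SNMP interface-counter snapshots from a branch SSG20 into bit rates, splits VPN traffic from break-out traffic using the tunnel and untrust interfaces, and re-resolves the branch's DynDNS name on every poll. The interface names, hostname, counter values and resolver are constructed for illustration.

```python
import socket
from typing import Callable, Dict, Tuple

# ifName -> (ifHCInOctets, ifHCOutOctets) as read by an SNMP poller such as MRTG or Cacti
Counters = Dict[str, Tuple[int, int]]
Rates = Dict[str, Tuple[float, float]]      # ifName -> (in_bps, out_bps)


def counter_delta(old: int, new: int, bits: int = 64) -> int:
    """Octets moved between two polls, tolerating one counter wrap.
    Use bits=32 for the legacy ifInOctets/ifOutOctets columns."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def rates_bps(old: Counters, new: Counters, interval_s: float, bits: int = 64) -> Rates:
    """Per-interface bit rates from two counter snapshots taken interval_s apart."""
    rates: Rates = {}
    for ifname, (old_in, old_out) in old.items():
        if ifname not in new:
            continue            # interface gone between polls, e.g. tunnel down
        new_in, new_out = new[ifname]
        rates[ifname] = (counter_delta(old_in, new_in, bits) * 8 / interval_s,
                         counter_delta(old_out, new_out, bits) * 8 / interval_s)
    return rates


def branch_split(rates: Rates, tunnel_if: str, untrust_if: str) -> Dict[str, float]:
    """VPN vs break-out rates for one branch. The DSL-facing untrust interface carries
    the encrypted tunnel packets plus break-out, so break-out is roughly untrust minus
    tunnel (ESP/IP overhead makes this a slight under-estimate)."""
    t_in, t_out = rates[tunnel_if]
    u_in, u_out = rates[untrust_if]
    return {"vpn_in_bps": t_in, "vpn_out_bps": t_out,
            "breakout_in_bps": max(0.0, u_in - t_in),
            "breakout_out_bps": max(0.0, u_out - t_out)}


def poll_address(hostname: str, resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Resolve the branch's DynDNS name on every poll instead of caching the IP,
    so a DSL reconnect that changes the address does not break the next poll."""
    return resolve(hostname)


# Constructed sample: two polls of one branch SSG20, 300 s apart (interface names illustrative)
OLD: Counters = {"tunnel.1": (1_000_000, 2_000_000), "ethernet0/0": (5_000_000, 3_000_000)}
NEW: Counters = {"tunnel.1": (4_750_000, 3_500_000), "ethernet0/0": (12_500_000, 5_250_000)}

if __name__ == "__main__":
    print(poll_address("branch07.example.invalid", lambda h: "198.51.100.7"))  # constructed resolver
    print(branch_split(rates_bps(OLD, NEW, 300), "tunnel.1", "ethernet0/0"))
```

Polling the inside (trust-side) address over the tunnel, as suggested earlier in the thread, sidesteps the DynDNS problem entirely; the resolver hook is only needed when the poller must reach the DSL-side address.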
 

ponder

Honorary Master
Joined
Jan 22, 2005
Messages
92,825
The VPNs coming in from the branches, are they not seen as VPN1, VPN2 etc.? If they are, you could just measure each one at the HO location.
 

Grep

Senior Member
Joined
Nov 21, 2006
Messages
958
Jupiter?! Oh good luck buddy. There is pretty much ZERO reporting available on those bluddy Jupiter SSGs. I have installed enough of them to know, and we deal directly with Fran and the boys. Oh, I wish you luck with enabling SNMP on those bluddy things, it's not just a checkbox. You have to create policies and all sorts of crap to get it to work, and if you do come right, rather use PRTG or Nagios as opposed to MRTG. Good luck :)

btw: If and when you do get your graphing and protocols working, it still won't give you what you need. What I do on sites is install a dumb hub (thinking it's a switch), plug all the interfaces into it and run Colasoft. This will break down your protocols and you will have the info you need.
 