Measuring Bandwidth Utilization on Cisco Switch Ports

Yesterday I spoke at the third Net Optics Think Tank in Santa Clara, CA. During the event one of the Net Optics product managers asked me about measuring bandwidth utilization on switch ports. I did not have an answer for him... until I took a look at the latest Packet magazine. The Q305 (.pdf) edition features a tip from Aurelio DeSimone on p. 13 mentioning the show controllers utilization command.

If anyone knows of a similar set of information via SNMP, please let me know via a comment here.

Here is sample output:

Switch> show controllers utilization
Port       Receive Utilization  Transmit Utilization
Fa0/1              0                    0
Fa0/2              0                    0
...truncated...
Total Ports : 12
Switch Receive Bandwidth Percentage Utilization  : 0
Switch Transmit Bandwidth Percentage Utilization : 0
Switch Fabric Percentage Utilization : 0

This is just the sort of data I would like to see for SPAN ports. You can specify the SPAN port in your syntax (e.g., show controllers fastethernet0/1 utilization) to see how much traffic it is carrying to your sensor.

The current Packet issue also features excellent articles on new modularity features of Cisco IOS and an overview of 10 GB Ethernet and its seven (yes, seven) variants. (There appear to be more, actually.) That sort of information reminds me of my "second law of information technology," which is "complexity increases." The second law of IT is constantly fighting the second law of thermodynamics, which is "entropy increases."

Comments

Anonymous said…
...measuring bandwidth utilization on switch ports

I don't know about switch ports, but back in '95/'96 when I was doing my master's thesis, I collected SNMP data from routers using octets-in and octets-out from the standard MIBII. Plotting those over time gave me utilitzation quite nicely.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
6:35 AM
Anonymous said…
On layer 3 switches such as the 3550 series, "show int summ" shows you the same data that is used for updating the inbound and outbound octets stats in mib2. Show int summ also works on just about every IOS router.

The OID that can be used from a 3550 switch (as an example, should be the same for a 3548/3524/etc) for octets in/out:

Inbound:
1.3.6.1.2.1.2.2.1.10.x
Outbound:
1.3.6.1.2.1.2.2.1.16.x

The x is where the ifIndex id goes for that particular interface. A mibwalker will help you find this.

And of course tools like MRTG, RTG, Cacti, etc make it all nice and easy to produce historical graphs.
8:19 AM
Richard Bejtlich said…
When I posted the original story I did not make it clear that I was most interested in measures of backplane performance, perhaps best represented by the "Switch Fabric Percentage Utilization" figures. Does that make sense?
9:59 PM
Anonymous said…
Check the Cisco MIB explorer online. A good place to start is:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9
12:57 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more