Solved

How can i determine who's using all my bandwidth?

Posted on 2006-10-25
9
2,655 Views
Last Modified: 2012-06-27
I have one T1 Internet connection which goes through a Cisco 2600 to a Cisco ASA 5520, with user connected to a Cisco 4503 switch.  Someone is using all my 1.5 Mb of bandwidth!  

My question is:
1.  Is there a way that I can tell who is using how much bandwidth?
2.  Is there a way to dymanically view this infomation?
3.  Can you give me detailed instructions?

It would be nice to get the user and/or computer name, but it not neccessary.  Our computer names have port numbers in them, so I could easy find the offender if knew what port was using the bandwidth.  (I know I could also find it from IP address, just trying to give as much info as I can)

I'm familar with setting up and configuring routers for T1's, Frame, and the basics on routers, but port spanning, trunking, syslogging etc, is beyond me.  I would gladly give 500 point for detailed instruction that go beyond "conf t" and the basics.
0
Comment
Question by:FSYR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17808135
There isn't a good on-router or on-switch solution.  NetFlow tools would likely work well, but that involves downloading software onto a server and customizing it for your application, etc.

A crude and dirty method would be, assuming you're doing NAT on the router, writing a permit access list that you'd use to "divide and conquer" your subnet(s) and find the high packet rate (you'd have to hope that the offender is consistently "winning" the packet races as well as the bandwidth races; no easy way to directly measure bandwidth).  Assuming your LAN was 192.168.1.0/24, you'd apply ACL 101 to your router's internal interface in the outbound direction:

access-list 101 permit ip any 192.168.1.0 0.0.0.127
access-list 101 permit ip any 192.168.1.128 0.0.0.127
access-list 101 permit ip any any

The third line is optional for now, but you want to see which half of your subnet had a higher packet rate of matches.  Assuming it was the upper half, write ACL 102 and then apply it to the internal interface in the outbound direction (overriding the setting to use ACL 101):

access-list 102 permit ip any 192.168.1.128 0.0.0.63
access-list 102 permit ip any 192.168.1.192 0.0.0.63
access-list 102 permit ip any any

Figure out which quarter of the subnet had the higher packet rate, then kill and replace ACL 101:

no access-list 101
access-list 101 permit ip any 192.168.1.128 0.0.0.31
access-list 101 permit ip any 192.168.1.160 0.0.0.31
access-list 101 permit ip any any

Once rewritten, apply ACL 101 to the internal interface in the outbound direction.  Continue the divide and conquer until you've narrowed it down.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17810980
I would also install NTOP to find the little buggers...
http://www.ntop.org

Win32 version if you don't use linux
http://www.openxtra.co.uk/freestuff/ntop-xtra.php

The 4503 probably doesn't support netflow. The ASA does not. The router does, but it's already in front of the ASA and you only see the natted addresses.
Put the netflow in promiscuous mode with a hub between the PIX and the switch. Or on a span port of the switch.

It won't take long to figure out what's going on.

0
 
LVL 2

Expert Comment

by:skylarktech
ID: 17816532
There's a cool tool out there call onlineeye It is free and quite easy to use Just download it and install it on a comp on the network and you can see just what everyone is doing on the network. or like lrmoore said above NTOP is a great tool also.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 79

Expert Comment

by:lrmoore
ID: 17830867
Hello???
0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17831127
Oh, you wanted the OP to follow up?  Ha...
0
 
LVL 1

Author Comment

by:FSYR
ID: 17833671
I found this out about netflow:
NetFlow on Cisco 4000/4500 switches
The 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Can I span a port on the switch, and direct it to a second card on my workstation?  Then I guess I would use NTop-XTRA on that same workstation?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17836826
Yes, you can do that easily since the 4500 does not support netflow with the configuration you have.
0
 
LVL 1

Author Comment

by:FSYR
ID: 17857872
I downloaded the NTOP software from above.

Can you give a brief run down on how to set this up to do what I need? Do I need to span the port that goes to ASA?  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17862595
Yes, span the port that goes to the ASA, connect the NTOP box in promiscuous mode to the span destination interface. That's about all there is to it.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
using BGP Attributes 2 118
Cost effective dual wan w/ qos 5 55
Cisco RV 130 - No internet on wired connections, wireless clients ok 32 103
Show IP BGP Information 10 47
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question