Solved

How can i determine who's using all my bandwidth?

Posted on 2006-10-25
9
2,651 Views
Last Modified: 2012-06-27
I have one T1 Internet connection which goes through a Cisco 2600 to a Cisco ASA 5520, with user connected to a Cisco 4503 switch.  Someone is using all my 1.5 Mb of bandwidth!  

My question is:
1.  Is there a way that I can tell who is using how much bandwidth?
2.  Is there a way to dymanically view this infomation?
3.  Can you give me detailed instructions?

It would be nice to get the user and/or computer name, but it not neccessary.  Our computer names have port numbers in them, so I could easy find the offender if knew what port was using the bandwidth.  (I know I could also find it from IP address, just trying to give as much info as I can)

I'm familar with setting up and configuring routers for T1's, Frame, and the basics on routers, but port spanning, trunking, syslogging etc, is beyond me.  I would gladly give 500 point for detailed instruction that go beyond "conf t" and the basics.
0
Comment
Question by:FSYR
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17808135
There isn't a good on-router or on-switch solution.  NetFlow tools would likely work well, but that involves downloading software onto a server and customizing it for your application, etc.

A crude and dirty method would be, assuming you're doing NAT on the router, writing a permit access list that you'd use to "divide and conquer" your subnet(s) and find the high packet rate (you'd have to hope that the offender is consistently "winning" the packet races as well as the bandwidth races; no easy way to directly measure bandwidth).  Assuming your LAN was 192.168.1.0/24, you'd apply ACL 101 to your router's internal interface in the outbound direction:

access-list 101 permit ip any 192.168.1.0 0.0.0.127
access-list 101 permit ip any 192.168.1.128 0.0.0.127
access-list 101 permit ip any any

The third line is optional for now, but you want to see which half of your subnet had a higher packet rate of matches.  Assuming it was the upper half, write ACL 102 and then apply it to the internal interface in the outbound direction (overriding the setting to use ACL 101):

access-list 102 permit ip any 192.168.1.128 0.0.0.63
access-list 102 permit ip any 192.168.1.192 0.0.0.63
access-list 102 permit ip any any

Figure out which quarter of the subnet had the higher packet rate, then kill and replace ACL 101:

no access-list 101
access-list 101 permit ip any 192.168.1.128 0.0.0.31
access-list 101 permit ip any 192.168.1.160 0.0.0.31
access-list 101 permit ip any any

Once rewritten, apply ACL 101 to the internal interface in the outbound direction.  Continue the divide and conquer until you've narrowed it down.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17810980
I would also install NTOP to find the little buggers...
http://www.ntop.org

Win32 version if you don't use linux
http://www.openxtra.co.uk/freestuff/ntop-xtra.php

The 4503 probably doesn't support netflow. The ASA does not. The router does, but it's already in front of the ASA and you only see the natted addresses.
Put the netflow in promiscuous mode with a hub between the PIX and the switch. Or on a span port of the switch.

It won't take long to figure out what's going on.

0
 
LVL 2

Expert Comment

by:skylarktech
ID: 17816532
There's a cool tool out there call onlineeye It is free and quite easy to use Just download it and install it on a comp on the network and you can see just what everyone is doing on the network. or like lrmoore said above NTOP is a great tool also.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17830867
Hello???
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 12

Expert Comment

by:pjtemplin
ID: 17831127
Oh, you wanted the OP to follow up?  Ha...
0
 
LVL 1

Author Comment

by:FSYR
ID: 17833671
I found this out about netflow:
NetFlow on Cisco 4000/4500 switches
The 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Can I span a port on the switch, and direct it to a second card on my workstation?  Then I guess I would use NTop-XTRA on that same workstation?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17836826
Yes, you can do that easily since the 4500 does not support netflow with the configuration you have.
0
 
LVL 1

Author Comment

by:FSYR
ID: 17857872
I downloaded the NTOP software from above.

Can you give a brief run down on how to set this up to do what I need? Do I need to span the port that goes to ASA?  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17862595
Yes, span the port that goes to the ASA, connect the NTOP box in promiscuous mode to the span destination interface. That's about all there is to it.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you …
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now