Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2661
  • Last Modified:

How can i determine who's using all my bandwidth?

I have one T1 Internet connection which goes through a Cisco 2600 to a Cisco ASA 5520, with user connected to a Cisco 4503 switch.  Someone is using all my 1.5 Mb of bandwidth!  

My question is:
1.  Is there a way that I can tell who is using how much bandwidth?
2.  Is there a way to dymanically view this infomation?
3.  Can you give me detailed instructions?

It would be nice to get the user and/or computer name, but it not neccessary.  Our computer names have port numbers in them, so I could easy find the offender if knew what port was using the bandwidth.  (I know I could also find it from IP address, just trying to give as much info as I can)

I'm familar with setting up and configuring routers for T1's, Frame, and the basics on routers, but port spanning, trunking, syslogging etc, is beyond me.  I would gladly give 500 point for detailed instruction that go beyond "conf t" and the basics.
0
FSYR
Asked:
FSYR
  • 4
  • 2
  • 2
  • +1
1 Solution
 
pjtemplinCommented:
There isn't a good on-router or on-switch solution.  NetFlow tools would likely work well, but that involves downloading software onto a server and customizing it for your application, etc.

A crude and dirty method would be, assuming you're doing NAT on the router, writing a permit access list that you'd use to "divide and conquer" your subnet(s) and find the high packet rate (you'd have to hope that the offender is consistently "winning" the packet races as well as the bandwidth races; no easy way to directly measure bandwidth).  Assuming your LAN was 192.168.1.0/24, you'd apply ACL 101 to your router's internal interface in the outbound direction:

access-list 101 permit ip any 192.168.1.0 0.0.0.127
access-list 101 permit ip any 192.168.1.128 0.0.0.127
access-list 101 permit ip any any

The third line is optional for now, but you want to see which half of your subnet had a higher packet rate of matches.  Assuming it was the upper half, write ACL 102 and then apply it to the internal interface in the outbound direction (overriding the setting to use ACL 101):

access-list 102 permit ip any 192.168.1.128 0.0.0.63
access-list 102 permit ip any 192.168.1.192 0.0.0.63
access-list 102 permit ip any any

Figure out which quarter of the subnet had the higher packet rate, then kill and replace ACL 101:

no access-list 101
access-list 101 permit ip any 192.168.1.128 0.0.0.31
access-list 101 permit ip any 192.168.1.160 0.0.0.31
access-list 101 permit ip any any

Once rewritten, apply ACL 101 to the internal interface in the outbound direction.  Continue the divide and conquer until you've narrowed it down.
0
 
lrmooreCommented:
I would also install NTOP to find the little buggers...
http://www.ntop.org

Win32 version if you don't use linux
http://www.openxtra.co.uk/freestuff/ntop-xtra.php

The 4503 probably doesn't support netflow. The ASA does not. The router does, but it's already in front of the ASA and you only see the natted addresses.
Put the netflow in promiscuous mode with a hub between the PIX and the switch. Or on a span port of the switch.

It won't take long to figure out what's going on.

0
 
skylarktechCommented:
There's a cool tool out there call onlineeye It is free and quite easy to use Just download it and install it on a comp on the network and you can see just what everyone is doing on the network. or like lrmoore said above NTOP is a great tool also.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
lrmooreCommented:
Hello???
0
 
pjtemplinCommented:
Oh, you wanted the OP to follow up?  Ha...
0
 
FSYRDirector of ITAuthor Commented:
I found this out about netflow:
NetFlow on Cisco 4000/4500 switches
The 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Can I span a port on the switch, and direct it to a second card on my workstation?  Then I guess I would use NTop-XTRA on that same workstation?

0
 
lrmooreCommented:
Yes, you can do that easily since the 4500 does not support netflow with the configuration you have.
0
 
FSYRDirector of ITAuthor Commented:
I downloaded the NTOP software from above.

Can you give a brief run down on how to set this up to do what I need? Do I need to span the port that goes to ASA?  
0
 
lrmooreCommented:
Yes, span the port that goes to the ASA, connect the NTOP box in promiscuous mode to the span destination interface. That's about all there is to it.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now