Solved

How can i determine who's using all my bandwidth?

Posted on 2006-10-25
9
2,657 Views
Last Modified: 2012-06-27
I have one T1 Internet connection which goes through a Cisco 2600 to a Cisco ASA 5520, with user connected to a Cisco 4503 switch.  Someone is using all my 1.5 Mb of bandwidth!  

My question is:
1.  Is there a way that I can tell who is using how much bandwidth?
2.  Is there a way to dymanically view this infomation?
3.  Can you give me detailed instructions?

It would be nice to get the user and/or computer name, but it not neccessary.  Our computer names have port numbers in them, so I could easy find the offender if knew what port was using the bandwidth.  (I know I could also find it from IP address, just trying to give as much info as I can)

I'm familar with setting up and configuring routers for T1's, Frame, and the basics on routers, but port spanning, trunking, syslogging etc, is beyond me.  I would gladly give 500 point for detailed instruction that go beyond "conf t" and the basics.
0
Comment
Question by:FSYR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17808135
There isn't a good on-router or on-switch solution.  NetFlow tools would likely work well, but that involves downloading software onto a server and customizing it for your application, etc.

A crude and dirty method would be, assuming you're doing NAT on the router, writing a permit access list that you'd use to "divide and conquer" your subnet(s) and find the high packet rate (you'd have to hope that the offender is consistently "winning" the packet races as well as the bandwidth races; no easy way to directly measure bandwidth).  Assuming your LAN was 192.168.1.0/24, you'd apply ACL 101 to your router's internal interface in the outbound direction:

access-list 101 permit ip any 192.168.1.0 0.0.0.127
access-list 101 permit ip any 192.168.1.128 0.0.0.127
access-list 101 permit ip any any

The third line is optional for now, but you want to see which half of your subnet had a higher packet rate of matches.  Assuming it was the upper half, write ACL 102 and then apply it to the internal interface in the outbound direction (overriding the setting to use ACL 101):

access-list 102 permit ip any 192.168.1.128 0.0.0.63
access-list 102 permit ip any 192.168.1.192 0.0.0.63
access-list 102 permit ip any any

Figure out which quarter of the subnet had the higher packet rate, then kill and replace ACL 101:

no access-list 101
access-list 101 permit ip any 192.168.1.128 0.0.0.31
access-list 101 permit ip any 192.168.1.160 0.0.0.31
access-list 101 permit ip any any

Once rewritten, apply ACL 101 to the internal interface in the outbound direction.  Continue the divide and conquer until you've narrowed it down.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17810980
I would also install NTOP to find the little buggers...
http://www.ntop.org

Win32 version if you don't use linux
http://www.openxtra.co.uk/freestuff/ntop-xtra.php

The 4503 probably doesn't support netflow. The ASA does not. The router does, but it's already in front of the ASA and you only see the natted addresses.
Put the netflow in promiscuous mode with a hub between the PIX and the switch. Or on a span port of the switch.

It won't take long to figure out what's going on.

0
 
LVL 2

Expert Comment

by:skylarktech
ID: 17816532
There's a cool tool out there call onlineeye It is free and quite easy to use Just download it and install it on a comp on the network and you can see just what everyone is doing on the network. or like lrmoore said above NTOP is a great tool also.
0
Turn your laptop into a mobile console!

The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.

 
LVL 79

Expert Comment

by:lrmoore
ID: 17830867
Hello???
0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17831127
Oh, you wanted the OP to follow up?  Ha...
0
 
LVL 1

Author Comment

by:FSYR
ID: 17833671
I found this out about netflow:
NetFlow on Cisco 4000/4500 switches
The 4000 and 4500 series switches require a Supervisor IV with a Netflow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow.

Can I span a port on the switch, and direct it to a second card on my workstation?  Then I guess I would use NTop-XTRA on that same workstation?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17836826
Yes, you can do that easily since the 4500 does not support netflow with the configuration you have.
0
 
LVL 1

Author Comment

by:FSYR
ID: 17857872
I downloaded the NTOP software from above.

Can you give a brief run down on how to set this up to do what I need? Do I need to span the port that goes to ASA?  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17862595
Yes, span the port that goes to the ASA, connect the NTOP box in promiscuous mode to the span destination interface. That's about all there is to it.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month11 days, 7 hours left to enroll

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question