07-11-2006 02:28 PM - edited 03-09-2019 03:33 PM
I wanted to find out if there is any way to identify which clients on a particular network interface are using a certain amount of bandwidth. We have an ASA 5510 with four interfaces including the internet, and one network is generating an excessive amount of inbound traffic from the internet, and I want to determine which client system on that network is generating the traffic. Is there a log or a setting to allow me to identify that client system by IP or MAC address?
07-11-2006 03:01 PM
There is a painful way.
See the amount of encrypted or decrypted traffic in the IPSEC SA. Hope this helps.
07-11-2006 03:15 PM
Hi,
You could set up a rate limit using police within a policy-map and see when it's triggered. This would allow you to control the amount of bandwidth used, and to log when the threshold is breached. However, police is only applicable to egress traffic, and would affect all traffic defined by the match specified within the appropriate class-map, so I guess there's no way to narrow this down without knowing the culprit.
Hope this helps,
Glen
07-11-2006 10:04 PM
Hi ..
In this scenario I suggest you use a packet analyzer such as ethereal or packetizer .. you can get them from the web, just google it. You could mirror the port connected to the ASA's interface that links to the network having the problem. This will give you a good idea of top ten connections etc... Also there is another tool, statseeker .. you could get a trial version for 30 days.
I hope it helps .. please rate if it does !!!
07-12-2006 03:14 AM
also...
Instead of setting up a port mirror simply perform a local capture on the ASA and export it to ethereal. (via a copy /pcap). If you make it a circular capture you could leave it running to have the data always available whenever you need it.
Another option (more long-winded though) would be to put an access-list on one of the interfaces with a separate line for each IP. A "show access-list" would then give you a quick overview of IP address activity.
HTH
Andrew.
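Added example, not part of any post in this thread: once a capture has been exported in pcap form as described above, a short script can rank the inside hosts by bytes received from outside. It assumes a classic libpcap file with Ethernet framing; the 192.168.10.0/24 inside network and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def top_inbound_hosts(pcap: bytes, inside_net: str, n: int = 10):
    """Rank inside hosts by bytes received, from a classic libpcap file."""
    net = ipaddress.ip_network(inside_net)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need the Ethernet header (14 bytes) plus IPv4 up to the dst address.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skips short frames, ARP, IPv6 and VLAN-tagged frames
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if dst in net and src not in net:
            totals[str(dst)] += orig_len  # wire length, even if snapped short
    return totals.most_common(n)

def build_sample_pcap() -> bytes:
    """Constructed sample capture: three inbound frames and one outbound."""
    def record(src, dst, wire_len):
        ip = bytearray(20)
        ip[0] = 0x45
        ip[12:16] = ipaddress.ip_address(src).packed
        ip[16:20] = ipaddress.ip_address(dst).packed
        data = b"\x00" * 12 + b"\x08\x00" + bytes(ip)
        return struct.pack("<IIII", 0, 0, len(data), wire_len) + data
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        record("203.0.113.5", "192.168.10.21", 1500),
        record("203.0.113.5", "192.168.10.21", 1500),
        record("198.51.100.9", "192.168.10.40", 600),
        record("192.168.10.40", "198.51.100.9", 60),
    ])

if __name__ == "__main__":
    for ip, nbytes in top_inbound_hosts(build_sample_pcap(), "192.168.10.0/24"):
        print(f"{ip:15} {nbytes} bytes")
```

Counting the original wire length rather than the captured length keeps the ranking correct when the capture only stores packet headers.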
07-12-2006 07:44 AM
Not a Cisco answer, but an easy one. If you have a span port of the traffic, connect a Linux box and use ipaudit (http://sourceforge.net/projects/ipaudit). Very lightweight and passive. Web-based 'top-20' reports to give you exactly what you are asking.
Option #2: Netflow from border/edge router.
07-12-2006 09:30 AM
Thanks for all the suggestions, so far we have applied a policy map to limit bandwidth on that interface to 256k which doesn't answer the question but stops these clients from eating up the T1. I'm going to try a couple of the non-Cisco suggestions using a Linux box on that network to monitor activity more closely. Again thank you all for some very useful and interesting suggestions.
07-12-2006 04:45 PM
Another app you could use is N-top www.ntop.org. Very good web reporting in combination with a span port. It has Linux and Windows versions.
Patrick