01-23-2006 09:31 AM - edited 03-03-2019 11:32 AM
Hi all - I have a WAN connection using a full T1 between a 3640 running 11.1(7)AX and a 1721 running 12.2(8)YJ.
When the T1 gets saturated, is there any simple way on the routers to find out who the big consumers are - by address or service?
Many thanks.
Dave
01-23-2006 10:03 AM
Hello,
you can use NBAR protocol discovery, which will give you byte and packet counters for each known or customer defined protocol. This will allow you to hunt down the applications/service causing the most load. You can even filter the output for the top-n talkers.
Have a look at "Network-Based Application Recognition" for a description, what NBAR is and can do for you.
The configuration in your case would look like this:
ip cef
interface Serial0/0
 ip address ...
 ip nbar protocol-discovery
To investigate the results use "show ip nbar protocol-discovery"
A full blown picture of what is going on can be obtained by NetFlow. It might just be a little too complex in your case.
Hope this helps! Please rate all posts.
Regards, Martin
01-23-2006 11:50 AM
I use IP accounting on the LAN interface to give me at least a running total by IP address. I too am trying to narrow down usage on a couple of T1s. The only drawback is that I have to cut and paste into Notepad, then open with Excel to create a chart / graph of the utilization. I am looking into NetFlow as recommended, but one needs a server or something to process the NetFlow information from the router.
01-23-2006 03:23 PM
Hello Dave,
Another option is to enable netflow on your interface(s) for accounting as well.
Example:
int Eth0/0
 ip address 10.1.3.0 255.255.255.0
 ip route-cache flow
router#sh ip cache flow
IP Flow Switching Cache, 278544 bytes
64 active, 4032 inactive, 19738309 added
317365869 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 1237 0.0 57 45 0.0 14.5 11.9
TCP-FTP 21551 0.0 18 58 0.0 6.1 7.9
TCP-FTPD 10777 0.0 176 586 0.4 1.0 1.7
TCP-WWW 8797599 2.0 15 344 30.8 5.3 4.8
TCP-SMTP 533300 0.1 10 268 1.2 3.3 5.8
TCP-X 205 0.0 1 60 0.0 0.4 14.9
TCP-BGP 13 0.0 1 52 0.0 0.1 15.1
TCP-NNTP 12 0.0 1 53 0.0 0.7 15.3
TCP-other 6317209 1.4 22 293 33.8 3.8 7.4
UDP-DNS 472640 0.1 23 63 2.6 20.2 15.4
UDP-NTP 1192084 0.2 1 76 0.2 0.0 15.4
UDP-TFTP 24 0.0 43 101 0.0 418.9 13.8
UDP-Frag 4 0.0 255 430 0.0 111.5 15.4
UDP-other 2052162 0.4 16 104 7.8 9.0 15.4
ICMP 339428 0.0 2 110 0.1 1.7 15.4
Total: 19738245 4.5 16 286 77.3 5.1 7.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04A3 0050 34
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AD 0050 25
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AC 0050 30
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AB 0050 23
Et0/0 10.1.3.10 Mu1 216.239.124.151 06 04A2 0050 22
Et0/0 10.1.3.10 Mu1 216.239.124.151 06 04C2 0050 6
Et0/0 10.1.3.38 Mu1 24.10.137.83 11 0AFD 0540 1
Et0/0 10.1.3.15 Mu1 64.34.174.90 06 0CEC 01BB 1
Et0/0 10.1.3.5 Mu1 213.84.187.156 11 007B 007B 1
Et0/0 10.1.3.6 Mu1 216.239.57.83 06 09BB 0050 2
Et0/0 10.1.3.5 Mu1 209.190.247.151 11 007B 007B 1
Et0/0 10.1.3.5 Mu1 65.111.164.224 11 007B 007B 1
Check the documentation for your version of IOS on other options for configuring netflow.
-m2
01-23-2006 08:58 PM
Netflow is definitely the way to go. You'll get the most level of detail and won't sacrifice much CPU to get it like with NBAR.
One thing to keep in mind is in interpreting the results, you'll need to identify the protocol and port numbers in hex, and convert to decimal. One easy way to do this in Windows is to open Calc and go into Scientific mode. Select Hex, input the number, and select Dec; it'll do the conversion for you.
For protocols, 6 is TCP, 1 is ICMP, 17 (base 10) / 11 (base 8) is UDP. For others refer to:
01-24-2006 03:33 AM
I will combine NBAR and Netflow. After enable NBAR, you can use the following command to know the top protocols in use on the network.
sh ip nbar PROtocol-discovery top-n 5 (for the top 5)
Then you find out the port numbers of the protocols using
sh ip nbar port-map
Knowing the port number, the output of netflow can be filtered to know which IP addresses are using this protocol. Remember to convert the port numbers to hexadecimal.
show ip cache flo | include
Hence you have both the top protocols and the top ip addresses.
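Added example, not posted by anyone in this thread: a short Python script that automates the manual steps described above by parsing the flow rows of "sh ip cache flow", converting the hexadecimal Pr/SrcP/DstP columns to decimal, and totalling packets per source address. The function names and the regular expression are assumptions of this example; the sample rows are the ones posted earlier in the thread.

```python
import re
from collections import Counter

# Flow rows copied from the "sh ip cache flow" output posted in this thread.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04A3 0050 34
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AD 0050 25
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AC 0050 30
Et0/0 10.1.3.10 Mu1 216.239.124.140 06 04AB 0050 23
Et0/0 10.1.3.10 Mu1 216.239.124.151 06 04A2 0050 22
Et0/0 10.1.3.10 Mu1 216.239.124.151 06 04C2 0050 6
Et0/0 10.1.3.38 Mu1 24.10.137.83 11 0AFD 0540 1
Et0/0 10.1.3.15 Mu1 64.34.174.90 06 0CEC 01BB 1
Et0/0 10.1.3.5 Mu1 213.84.187.156 11 007B 007B 1
Et0/0 10.1.3.6 Mu1 216.239.57.83 06 09BB 0050 2
Et0/0 10.1.3.5 Mu1 209.190.247.151 11 007B 007B 1
Et0/0 10.1.3.5 Mu1 65.111.164.224 11 007B 007B 1
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol numbers, decimal
FLOW_ROW = re.compile(  # assumed layout: the eight columns of the header row above
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)$"
)

def parse_flows(text):
    """Yield a dict per flow row; header and summary lines do not match and are skipped."""
    for line in text.splitlines():
        m = FLOW_ROW.match(line.strip())
        if not m:
            continue
        src, dst, pr, sp, dp, pkts = m.groups()
        proto = int(pr, 16)  # Pr, SrcP and DstP are printed in hex
        yield {"src": src, "dst": dst, "proto": PROTO_NAMES.get(proto, str(proto)),
               "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts)}

def top_talkers(flows, n=5, dport=None):
    """Total packets per source address, optionally for one decimal destination port."""
    totals = Counter()
    for f in flows:
        if dport is None or f["dport"] == dport:
            totals[f["src"]] += f["pkts"]
    return totals.most_common(n)

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE))
    for src, pkts in top_talkers(flows):
        print(f"{src:15} {pkts:6} pkts")
```

The cache listing shows packets per flow, not bytes, so the ranking is by packet count; pass dport=80 (decimal) to restrict it to the service identified with NBAR.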