cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1304
Views
8
Helpful
6
Replies

Identify high usage machines on 837 router

heidi.hendry
Level 1
Level 1

Hi,

My client has asked for assistance with their Cisco 800a series router. I am very new to Cisco IOS, but have been thrown in the deep end with this one.

Router is an 837 ADSL router (I think) based on show version

iOS seems to be 12.3

There is no CRWS, and SDM is not functioning.

The symptom that the client is seeing is excessive downloads and uploads on their ISP usage statistics. (100 times the normal).

Their history is that they told me that previously there was an issue with the router where it was repeatedly trying to download something.

My first port of call is to check that the entire network's AV is up to date.

What I would like to be able to do is somehow identify which machine  is making heavy use of the router.

I have been trying to do this myself, and have managed to enable logging at debugging level on iOS following instructions elsewhere. However I don't seem to be able to view the logs:

show logging

only shows what the logging settings are.

And I'm not 100% sure that logging is going to give me the answer that I want.

The client is planning to change routers soon, but while waiting for the new hardware they are racking up excessive charges with their ISP.

Could anyone assist me?

(Located in Broken Hill, Australia, very isolated, and not much high level IT support)

6 Replies 6

garapoglou
Level 3
Level 3

Hi,

Unfortunately, logging won't help you on that. To identify which client is creating traffic, you need to enable the netflow protocol on the router and check the top-talkers. Before going into the configuration, could you please tell me how many clients connect to that router? The reason I'm asking you has nothing to do with the configuration.

Best regards,

Giorgos

Antonio Knox
Level 7
Level 7

You can monitor Netflow traffic.  Enable netflow as such (interface config mode)

Router(config)# int e0

Router(config-if)# description WAN interface

Router(config-if)# ip route-cache flow

With an idea of peak times you can actively monitor traffic.  Granted, depending on the amounts of traffic that you have going through that internet link, it would make your life a lot easier if you had a Netflow collector (ie. ntop, Networ Scrutinizer, etc), but I'm going with the assumption that you don't have one.

When you're ready to view the traffic on the link, simply run this command:

Router# show ip cache flow

You want to keep an eye on the last column.  This shows the number of packets transmitted in a conversation.  Should help you get a feel for your 'troublemakers'.

For more info:

http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdnfc.html

Please rate helpful posts.

garapoglou
Level 3
Level 3

As mentioned, if you enable netflow you can either check the top-talkers directly from the router or use a netflow collector to create and save reports and statistics.

ManageEngine Netflow Analyzer would also do the job.

Here's a demo screenshot of the program:

http://demo.netflowanalyzer.com/netflow/jspui/NetworkSnapShot.jsp

Here's how to configure top-talkers:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080259533.html#wp1131762

Giorgos

There's about 20 workstations in the office. I've now enabled netflow.

I think the iOS might be too old for the top-talkers, as I got an "Invalid Input" response.

Ideally I would upgrade it, but it looks like their Cisco support is out of date and the client has no interest in renewing as they are replacing them soon.

Thanks for such a quick response.

One of the technicians here said that there had been previous problems with that router, something to do with "a loop". They couldn't remember the details and the tech that actually worked on the issue has since left.

I've arranged for a reboot of the router, on the assumption that if it is stuck in a loop perhaps a reboot will solve that.

Any other ideas?

Hi,

It depends on the network topology. Are there any other routers or switches connected to the router?

A routing loop is a condition when a packet is constantly transmitted within connected routers but never reaches its intended destination.

You shouldn't worry about the traffic Netflow is going to generate. It won't affect anything.

837 is old indeed. Since it is going to be replaced, I wouldn't spend much time about the "loop rumor" provided that everything works smoothly.

If you need more help, just tell us.

Best regards,

Giorgos

Roman Rodichev
Level 7
Level 7

enable "ip accounting output-packets" on your LAN interface (not WAN), and check with show ip accounting output-packets

Review Cisco Networking for a $25 gift card