Assume that you have a branch office reporting connectivity issues/slowness but your organization does not have realtime monitoring tools (such as SolarWinds NetFlow Analyzer) which can help you quickly narrow down the culprit. We will discuss how to identify which hosts are moving the most traffic and go over how (if desired) to locate a host on your network and disable or limit its connection.
First, to determine which hosts are consuming the largest amount of bandwidth on a connection, we will want to use IP accounting.
- On the outbound interface of the branch’s router or firewall:
- After allowing some time to gather statistics (5 minutes should suffice), view what has been captured:
As we can see in this example, the traffic between 22.214.171.124 and 192.168.30.64 is generating the highest utilization of the link. Now we will track down 192.168.30.64 and disable or limit its network connection.
- We first need to determine the MAC address of 192.168.30.64. This needs to be done from the gateway device for the host’s subnet (192.168.30.0 /24):
- Next we need to determine from which interface the MAC address was learned:
- Determine what the neighbor device is and then connect to it:
- From the neighbor device (in this case, Switch1), we perform Step 4. If necessary, we will also perform Step 5. We will repeat both of these steps until we have located the switch access port to which the host is connected.
- Once the host’s port is located, we can simply shut down the port or we can instead limit the port speed:
Please keep in mind any changes that were made in order to undo them once better mitigation is put in place (such as QoS and/or policing).