Assume that you have a branch office reporting connectivity issues or slowness, but your organization does not have real-time monitoring tools (such as SolarWinds NetFlow Analyzer) that can help you quickly narrow down the culprit. We will discuss how to identify which hosts are moving the most traffic and, if desired, how to locate a host on your network and disable or limit its connection.
First, to determine which hosts are consuming the largest amount of bandwidth on a connection, we will want to use IP accounting.
- On the outbound interface of the branch’s router or firewall:
Router1(config)# interface Gi0/1
Router1(config-if)# ip accounting output-packets
- After allowing some time to gather statistics (5 minutes should suffice), view what has been captured:
Router1# show ip accounting
   Source           Destination        Packets      Bytes
 23.207.35.140    192.168.30.64            2          80
 192.168.60.51    192.168.4.11            27        2782
 192.168.60.51    192.168.40.39           28        2822
 192.168.2.93     192.168.40.157          13        7053
 54.241.144.188   192.168.30.64         1996     1239889
 192.168.102.101  192.168.101.101          2          80
 50.116.55.65     192.168.30.6             4         848
As we can see in this example, the traffic between 54.241.144.188 and 192.168.30.64 is generating the highest utilization of the link. Now we will track down 192.168.30.64 and disable or limit its network connection.
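When the accounting table is longer than a screenful, the same judgment can be made by parsing a saved copy of the output. The following is an added example, not part of the original article: it ranks flows by bytes and totals bytes per internal host. The function names and the internal range `192.168.0.0/16` are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# `show ip accounting` output copied from the example on this page.
SAMPLE = """\
Source           Destination      Packets  Bytes
23.207.35.140    192.168.30.64    2        80
192.168.60.51    192.168.4.11     27       2782
192.168.60.51    192.168.40.39    28       2822
192.168.2.93     192.168.40.157   13       7053
54.241.144.188   192.168.30.64    1996     1239889
192.168.102.101  192.168.101.101  2        80
50.116.55.65     192.168.30.6     4        848
"""

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples, skipping header/trailer lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))
            dst = str(ipaddress.ip_address(parts[1]))
            flows.append((src, dst, int(parts[2]), int(parts[3])))
        except ValueError:
            continue  # e.g. the column header row
    return flows

def top_flows(flows, n=3):
    """Largest flows by bytes, each with its share (%) of all accounted bytes."""
    total = sum(f[3] for f in flows) or 1
    ranked = sorted(flows, key=lambda f: f[3], reverse=True)[:n]
    return [(s, d, b, round(100 * b / total, 1)) for s, d, _, b in ranked]

def bytes_per_host(flows, internal="192.168.0.0/16"):
    """Total bytes per internal host across all its flows (range is an assumption)."""
    net = ipaddress.ip_network(internal)
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        for ip in {src, dst}:
            if ipaddress.ip_address(ip) in net:
                totals[ip] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    flows = parse_accounting(SAMPLE)
    for src, dst, nbytes, pct in top_flows(flows):
        print(f"{src:>16} -> {dst:<16} {nbytes:>9} bytes  {pct:5.1f}%")
    for host, nbytes in bytes_per_host(flows)[:3]:
        print(f"{host:<16} {nbytes:>9} bytes total")
```

On the sample above, the flow from 54.241.144.188 to 192.168.30.64 accounts for 98.9% of the accounted bytes.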
- We first need to determine the MAC address of 192.168.30.64. This needs to be done from the gateway device for the host’s subnet (192.168.30.0/24):
Router2# show arp | include 192.168.30.64
Internet 192.168.30.64 0 7071.bcab.7091 ARPA Vlan3
- Next we need to determine from which interface the MAC address was learned:
Router2# show mac address-table address 7071.bcab.7091
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    7071.bcab.7091    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 1
- Determine what the neighbor device is and then connect to it:
Router2# show cdp neighbors Gi0/2 detail
-------------------------
Device ID: Switch1.example.com
Entry address(es):
IP address: 192.168.30.2
------output omitted-----
- From the neighbor device (in this case, Switch1), we repeat the MAC address table lookup (Step 4) and, if necessary, the CDP neighbor lookup (Step 5) until we have located the switch access port to which the host is connected.
- Once the host’s port is located, we can simply shut down the port or we can instead limit the port speed:
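Switch3# configure terminal
Switch3(config)# interface Gi0/23
Switch3(config-if)# shutdown
---or---
Switch3# configure terminal
Switch3(config)# interface Gi0/23
! bandwidth is in kbps; IOS reports this value to routing protocols and QoS, and actual throttling comes from policing or QoS
Switch3(config-if)# bandwidth 5000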
Please keep a record of any changes that were made so that they can be undone once a better mitigation (such as QoS and/or policing) is put in place.