How can I view bandwidth use by ip/host on a Cisco router?

Question

My company has a 100mbps Internet connection and we have recently experienced extreme slowness when using the Internet (our provider's speedtest page indicated .25 Mbps download speed). When we contacted them about it, they said it's because our circuit is getting maxed out.

We recently has a CCTV system installed and the DVR for that system is outside our firewall connected directly to the Internet with a public IP. My suspicion is that this system is the cause of this problem.

I cannot disconnect this system for internal political reasons, so I am trying to determine how I can otherwise determine if this system is indeed the one using tons of bandwidth.

Here is our network layout - from our provider we have fiber coming into a media converter, from the media converter we have ethernet to a Cisco 2800 series router (the router peers with our provider via BGP to announce our /24) and then from the router there is ethernet to a switch, and that switch then connects to the DVR as well as our firewall.

I am trying to find a way to get info out of the Cisco router that will help me figure out if it's the DVR or our firewall that is using all of the available bandwidth. Typically we only average around 15 Mbps, so I would expect to see that the DVR is constantly using 90-100 Mbps. I just need to know how I can show that to someone in black and white so I can get them to let me unplug it.

a DVR using 90 mbps across a WAN link is pretty unrealistic but not impossible. What model switch is the DVR connected to? It would be easier to see the traffic speed on the switchport but the BEST way would be to setup netflow on the router — John Kennedy, Dec 11 '13 at 14:46
@fredwatson, if your DVR is attached to a managed switch, just poll ifHCInOctets / ifHCOutOctets for an hour or so and graph appropriately. Keep in mind those OIDs give you total octets, so you have to do the math between polls. More hints on [this question](http://networkengineering.stackexchange.com/q/2141/775) — Mike Pennington, Dec 11 '13 at 15:31
Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. — Ron Maupin, Jan 04 '21 at 22:16

score 8 · Answer 1 · answered Dec 11 '13 at 16:02

Traditional way to monitor usage by host is to use NetFlow. Most enterprise Cisco gear supports exporting NetFlow records.

Configure your Cisco router to export flow data to a NetFlow Collector. There are many different NetFlow Collector software packages out there ranging in cost from "free" to "an arm and a leg".

PRTG is one such NetFlow Collector and its free version will accept NetFlow from up to 10 different routers/switches.

score 5 · Answer 2 · edited Apr 13 '17 at 12:57

In addition to Michael's answer, Cisco's top-talkers feature can use NetFlow data to quickly give you a list of the highest consuming devices on your network.

If you're not already using NetFlow in some fashion, it may be the quickest and easiest way for you to examine the data, as it doesn't rely on third-party functionality.

The summary will also show you the destination interface, so it's easy to differentiate internal from external traffic.

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Vl1           192.168.1.141   Di0           XXX.XXX.XXX.XXX 06 CF9A 2710   380K
Vl1           192.168.1.141   Null          XXX.XXX.XXX.XXX 11 EEE6 076C    84K
Vl1           192.168.1.140   Di0           XXX.XXX.XXX.XXX 06 CDE1 0D3D    28K
Vl1           192.168.1.140   Di0           XXX.XXX.XXX.XXX 2F 0000 0000    10K
Vl1           192.168.1.142   Di0           XXX.XXX.XXX.XXX 06 EB78 0D3D  9534

Configuration

You can configure it like so:

! Configure top-talkers
ip flow-top-talkers
 top 100
 sort-by bytes

! Configure NetFlow on the appropriate interface on the router
interface Vlan1
 ip flow ingress
 ip flow egress

I answered a similar question here:

Simple Question: Does High Bandwidth usage affect Speedtest.net Results?

score 2 · Answer 3 · answered Dec 11 '13 at 20:44

2

If it's a managed switch (you didn't say anything about it), MRTG (etc.) can monitor the traffic counters for any/all ports. Or you can look at the interface counters directly during any slow downs. (on a cisco switch, you may want to set the load-interval to something low instead of the default 5 minutes.)

On the router itself, there's not much you can do to localize what's using all the bandwidth. If it's not doing NAT or IPS/IDS, then it's not normally maintaining any session state. Enabling netflow, even without export to a collector, will provide some idea of where traffic is going, but it's a lot of information to sift through. (eg. my home network with 2 computers and numerous gadgets (dvr, tv, etc.) currently has 4024 ACTIVE flows.)

answered Dec 11 '13 at 20:44

Ricky

31,438
2
43
84

Any netflow collector worth mentioning will have a means of filtering the data. For instance, to prove/disprove the video camera, you can filter to flows to/from a device. Most collectors will also provide some sort of "top talkers" report as well, and if the traffic is up 80-90Mbps above normal, the offender will show up as a top talker. – YLearn Dec 11 '13 at 21:06
I said **without a collector**. From the router cli *alone* it's not so easy. – Ricky Dec 11 '13 at 21:17
I apologize, I read that as "with" instead of "without". I should have learned by now to hold back more when low on sleep. However, with your correction, I would look to see if the router supports top talkers/match rules for netflow in IOS. If so, you can find details of configuring it on Cisco's site, for example [this document](http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-4/cfg-nflow-top-talk.html#GUID-824723EE-2551-4D64-9E0B-F5DF065C83B9). – YLearn Dec 11 '13 at 21:52
I should add, unless you have the resources to spare, I would not suggest running top talkers on the router for any great length of time. Run it for the troubleshooting, but then disable it afterwards. – YLearn Dec 11 '13 at 21:57
It will do top-talkers (and a 2801 @ 100M shouldn't have any issues), however that's a volume not a *rate*. For example, the top-talker on my 3745 is the sslvpn connection from my laptop to work; it's been up for days. A flow-export would show a rate as it's forced to report the flow periodically. – Ricky Dec 11 '13 at 22:53
But volume in this case should be sufficient to identify the source of the traffic. If normal traffic is <20Mbps and they are now fully utilizing a 100Mbps link, the offender should have significantly higher volume than anything else. – YLearn Dec 11 '13 at 23:52

score 0 · Answer 4 · answered Dec 11 '13 at 16:06

0

You could also calculate how much bandwidth your CCTV camera is sending. The manual for the camera most likely has this information.

I also found a calculator you can play with here: http://www.stardot.com/bandwidth-and-storage-calculator

HD video takes up a LOT of bandwidth.

answered Dec 11 '13 at 16:06

Michael

166
1

FYI, for readers: Stack Exchange [permits more than one answer to a question](http://meta.stackexchange.com/questions/114653/double-answer-posts-why-are-they-allowed) as long as it really is a different answer – Mike Pennington Dec 11 '13 at 17:32

How can I view bandwidth use by ip/host on a Cisco router?

4 Answers4

Configuration