CCIE or Null!

My journey to CCIE!

Who’s congesting my network?


I figured I would write a post concerning some features built into most Cisco routers nowadays that can be lifesavers in identifying network congestion and who/what is causing it.

The first feature I want to mention is NetFlow. This nifty little feature will identify network traffic by protocol and determine how much throughput each protocol is using, giving you a clear view of the traffic traveling your network. You configure it on a per-interface basis, specify the address you want the NetFlow information sent to, and also the port you want it sent out on. 2055 is the default port used by the SolarWinds Netflow Analyzer in this case (free tool).

You can issue the sh ip cache flow command to see the output. While this output can be daunting at first, it is actually fairly simple to understand once you realize what each column signifies. A nice shortcut for analyzing NetFlow is to find a free tool that will do it for you.

There is more information displayed, but from this point it looks almost identical to the sh ip flow top-talkers command shown below; the important thing here is the breakdown of the major protocols.

The next really cool feature is called top talkers. After you configure this you can quickly see which end devices on your network are taking up the most bandwidth.

The configuration is as follows:

A fairly straightforward configuration: first you enable top talkers and then configure the parameters you want. You can set top-talkers to sort by the number of bytes from each end device or by the number of packets. You can also configure the number of devices you want to see, anything from 1 device to 200 devices. I usually prefer to simply see the top 10 devices (well, 8 in this case).

You view the top talkers with the sh ip flow top-talkers command:

As you can see, the output is placed nicely in a few columns, identifying the source interface and IP address, the destination interface and IP address, the protocol number (Pr column), the source and destination ports (keep in mind these are in hex format and need to be converted to decimal), and lastly the number of bytes transferred in this case.
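The hex-to-decimal conversion can be scripted. The following is an added example, not part of the original post: it parses text in the sh ip flow top-talkers column layout and converts the Pr, SrcP and DstP fields from hex. The sample rows are constructed, and treating the K/M byte suffixes as powers of 1000 is an assumption.

```python
import re

# Constructed sample in the column layout of "sh ip flow top-talkers"
# (interfaces, addresses and counters are made up for illustration).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/1         192.168.1.50    Fa0/0         203.0.113.10    06 C3A1 01BB   48M
Fa0/1         192.168.1.23    Fa0/0         198.51.100.7    11 D431 0035  912K
Fa0/0         203.0.113.44    Fa0/1         192.168.1.50    06 0050 C4F2  7300
3 of 8 top talkers shown. 3 flows processed.
"""

# IP protocol numbers (IANA) for the most common values of the Pr column.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}
# Assumption: abbreviated counters are treated as powers of 1000 (approximate).
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

ROW = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KMG]?)$"
)

def parse_top_talkers(text):
    """Return one dict per flow row, hex fields converted to decimal."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, summary line or blank line
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, count, unit = m.groups()
        proto = int(pr, 16)  # Pr is printed in hex as well: 11 -> 17 (udp)
        flows.append({
            "src_if": src_if, "src": src_ip, "dst_if": dst_if, "dst": dst_ip,
            "proto": PROTOCOLS.get(proto, str(proto)),
            "src_port": int(sp, 16), "dst_port": int(dp, 16),
            "bytes": int(count) * SUFFIX.get(unit, 1),
        })
    # Heaviest flows first, whatever order the router printed them in.
    return sorted(flows, key=lambda f: f["bytes"], reverse=True)

if __name__ == "__main__":
    for f in parse_top_talkers(SAMPLE):
        print(f"{f['src']}:{f['src_port']} -> {f['dst']}:{f['dst_port']} "
              f"{f['proto']} ~{f['bytes']} bytes")
```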

So whether someone has introduced a new program, or a user decides to try and download the entire internet, you should be able to easily identify it. Those two built-in features alone can help you troubleshoot any congestion your network experiences with your Cisco devices.

Written by Stephen J. Occhiogrosso

January 13, 2011 at 1:13 PM

6 Responses


  1. Good stuff..does this consume much processor power and how do you turn it back off, with the no ip flow talk takers command on that interface?


    December 15, 2011 at 3:48 PM

    • I’ve used this feature on 2600’s/1841’s and up and really did not notice much (if any) additional CPU overhead. I usually leave this running but it can be disabled by removing the ip route-cache flow commands from the interfaces, with no ip route-cache flow


      December 15, 2011 at 3:57 PM

  2. Hey Stephen, I’m trying to figure out how you would determine the link speed needed for a network connection. How does information travel on a line? With Cat5 does 1 packet of information utilize the entire link for that split second or can multiple packets be transmitted at the same time? I’ve read that with fiber optic there are multiple strands of fiber (glass) which allows for multiple packets to be sent at once, is this correct?
    Why is a T1 line which costs around $1,000 a month that has a maximum bandwidth of 1.544Mbps chosen over say, a FIOS connection that costs around 50-100 a month and has the maximum capable bandwidth of 50Mbps? Doesn’t FIOS have 32xs greater bandwidth than a T1 would?

    Now in response to this post, would NetFlow be a good utility to analyze links to determine if a larger amount of bandwidth is needed? How would you determine the amount of bandwidth needed for a new network, by estimating what will be used on the network and the amount of users? Also how do you determine what model or type of router would be needed to handle the bandwidth requirement? Thanks for helping me understand this! -Mark

    Mark M.

    April 18, 2012 at 10:31 AM

    • I should probably rephrase my terminology. I know information doesn’t travel by packets but by binary 1s and 0s, the signal is either there or it’s not. If I recall correctly only 8 bits can be sent at once over a 4 wire pair Cat cable. I’m wondering if the entire Cat cable is utilized when transmitting a frame that could be up to 1500bits in size. And if it is being completely utilized how does the link’s bandwidth get determined, I would assume by the speed that it can send the 1500bit frame in order to start the next frame.

      Mark M.

      April 18, 2012 at 10:46 AM

    • NetFlow is a great tool for measuring bandwidth. Along with NBAR, both NetFlow and NBAR will give you user and protocol statistics.

      Determining bandwidth for a new network depends on many different things: number of users, type of applications, and whatever requirements the business has (High availability/Security/etc). Do keep in mind there is no foolproof way to determine how much bandwidth a new network needs. Cisco has a PPDIOO network life cycle; the last 2 phases are operate and optimize. This is where the network is live and you make changes appropriately to improve performance, whether that means providing additional bandwidth or a secondary connection.

      As far as picking the right router for a site, you want to check router performance and how many PPS (Packets Per Second) a router can forward. You also need to take into account any services running on the router. IE: if we are talking about a WAN router you want to check the IPSec throughput and make sure you have a VPN module to offload the encryption process from the CPU, or if it’s running content filtering/IPS/BGP and make sure you have physical memory in the router.

      Back to the T-1 vs a broadband circuit: T-1’s will typically come with some type of SLA while a broadband circuit will not have an SLA. Maybe a business class broadband might have an SLA, but it won’t be as good as the SLA from a T-1 circuit, which will make all the difference when the circuit is down. T-1’s will also provide dedicated bandwidth, whereas the performance of a broadband circuit will be hit or miss and not as persistent as a T-1 circuit.

      Stephen J. Occhiogrosso

      April 28, 2012 at 9:19 PM

  3. Thanks for finally writing about >Whos congesting my network?

    | CCIE or Null! <Liked it!

    April 20, 2013 at 4:46 AM
