Here are some suggestions:

- Use Cacti to monitor interface in/out bandwidth on all ports in your core.
- You could create rules for each subnet on your network to allow access in and out on your firewall. This could be managerially time-intensive depending on what you do or do not allow. Then just disable rules one by one when you see this occurring again to see which subnets are causing the problem.
- You can do the same thing as the above with named access lists on your core as well.
- NTop is an open-source tool to get a better view of who is doing what on your Internet connection, or invest in a good mflow or sflow collector.
- The painful way of tracking it down is to look at the input and output rates on all of your interfaces, working out from the core to the edge until you find the offending device(s).
- If you haven't implemented QoS that incorporates mark-down policies to scavenger class throughout your network, I would highly recommend doing it. We mark any edge port's traffic down to scavenger class that exceeds 10Mbps incoming.
- Take a look at the NetEqualizer or other bandwidth shapers for your Inet connection to ensure that one or a handful of clients cannot consume your entire pipe. You could use per-user microflow policing in your core on your Inet port to do something similar, but not as elegantly as the NetEqualizer.
-Brian

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Brian Helman
Sent: Tuesday, December 18, 2012 8:47 AM
To: [email protected]
Subject: Re: How to locate the source of problematic traffic

Were you able to identify if it was on-campus or off (Internet)? A good IPS/IDS at the border (or preferably, at the core*) would help. Was it only your wireless network that was impacted, or both (since you posted to the wireless group)?

*There is a concept that (I think) Forrester Research published a paper on like 5 or so years ago called Zero Trust Networking. The idea is to place the firewall/IDS/IPS at the core instead of the edge, and monitor all traffic. 10 years ago, security devices weren't robust enough to really do this economically. The situation is much different now. We've been doing this for quite a while. Most of the time now, if we have network-wide problems, it's usually because of human error rather than something intentional.

If you haven't posted this to the network group and the problem is network-wide, you may want to move the discussion there.

-Brian

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Joann Williamson [[email protected]]
Sent: Wednesday, December 12, 2012 10:17 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] How to locate the source of problematic traffic

I have found that if you pay for Smartnet on your core switch, then Cisco TAC will usually help you span ports there that go to the edge switches, which may not all be covered under Smartnet, monitor them, use a packet capture such as Wireshark, and locate the culprit. That is our SOS plan when problematic traffic hits campus and isn't an obvious find.
They can also assist your network engineer in implementing sticky port, which causes users to have to call IT when they need to connect something new to the network if you don't have a NAC in place. They can help you with ACLs which can block certain traffic, too. To do an automatic lock, just shut down the ports on your core using the telnet interface going to the edge switches one by one, or more than one if you want to do vlan by vlan. If you are looking to monitor your Internet traffic and do some throttling of certain types of traffic, you may want to look into purchasing a packet shaping appliance.

Hope this is the kind of advice you were looking for.

+++++++++++++++++++++++++++++++++++++++++++++++
Joann L. Williamson
Director of Network Systems, Architecture, & Infrastructure
University of South Carolina Aiken
phone: 803-641-3473
http://www.usca.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Hernán Badilla
Sent: Wednesday, December 12, 2012 9:48 AM
To: [email protected]
Subject: [WIRELESS-LAN] How to locate the source of problematic traffic

We recently suffered some kind of attack on our network; the Internet connection was nearly 100% saturated. We disconnected several segments of our network and the symptom stopped. If the situation persists, we need options, software / hardware, to help us identify and locate the origin and types of problematic traffic; an automatic lock is desirable. In our institution we have wired and wireless networks, all devices Cisco brand. We appreciate any suggestions or experience you can share with us.

Thanks,
Hernan.
INCAE Business School
Alajuela, Costa Rica.
office +506 24 37 22 75

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
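The "painful way" from the first reply, walking interface input/output rates from the core toward the edge, is easy to script. The following is an added example, not code from anyone in this thread: it parses the text of a Cisco `show interfaces` run on the core and ranks ports by 5-minute rate so the busiest uplink tells you which edge switch to check next. The sample output and the 100 Mbps threshold are constructed for illustration.

```python
# Added example, not from the thread: rank a Cisco switch's ports by
# 5-minute input/output rate parsed from `show interfaces` text, so you
# can walk from the core toward the edge until the offending port is found.
import re

# Constructed sample output, trimmed to the lines the parser needs.
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Description: uplink-to-edge-sw1
  5 minute input rate 612000000 bits/sec, 98000 packets/sec
  5 minute output rate 42000000 bits/sec, 31000 packets/sec
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
TenGigabitEthernet1/1/1 is up, line protocol is up (connected)
  Description: internet-border
  5 minute input rate 50000000 bits/sec, 20000 packets/sec
  5 minute output rate 640000000 bits/sec, 101000 packets/sec
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down),")
DESC_RE = re.compile(r"^\s+Description: (.*)$")
RATE_RE = re.compile(r"^\s+5 minute (input|output) rate (\d+) bits/sec")


def parse_show_interfaces(text):
    """Return {interface: {"desc": str, "input": bps, "output": bps}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):          # start of a new interface block
            current = m.group(1)
            ifaces[current] = {"desc": "", "input": 0, "output": 0}
        elif current and (m := DESC_RE.match(line)):
            ifaces[current]["desc"] = m.group(1).strip()
        elif current and (m := RATE_RE.match(line)):
            ifaces[current][m.group(1)] = int(m.group(2))
    return ifaces


def top_talkers(ifaces, direction="input", threshold_bps=100_000_000, n=3):
    """Ports whose rate in `direction` exceeds the threshold, busiest first."""
    ranked = sorted(ifaces.items(), key=lambda kv: kv[1][direction], reverse=True)
    return [(name, d[direction], d["desc"]) for name, d in ranked
            if d[direction] > threshold_bps][:n]


if __name__ == "__main__":
    data = parse_show_interfaces(SAMPLE)
    for name, bps, desc in top_talkers(data):   # follow the busiest uplink next
        print(f"{name:24s} {bps / 1e6:8.1f} Mb/s in  ({desc})")
```

Run the same script against each edge switch the busiest uplink points to; on an access switch the port that stands out is the offending device's port. Paste real output in place of `SAMPLE` or read it from a file saved from the console session.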
