Re: LAN flooding

From: Haroon <itguy.pro_at_gmail.com>
Date: Fri, 25 May 2012 16:32:12 -0400

Yeah, what Marc said.

I still use netflow on the routers to narrow it down to the IP address of
the host which is sending or receiving traffic. I also look at the NAT
translations (show ip nat trans command)... usually infected PCs tend to
have A LOT of connections, and then reestablish those connections quickly
when you clear the NAT (clear ip nat trans * command).

You may have to use other methods for VLAN/inter-VLAN traffic.

On a switch, commands like "show int | inc input|output" help to isolate
hosts as well; usually very high statistics give you an idea which port on
the switch is generating traffic.

Try "show interfaces | include Gigabit|input" <- would give you the interface
name and 5 minute input rate

or "show interfaces | include Gigabit|5 minute" <- would give you the interface
name and 5 minute input and output rates

If you work for a rich employer they can probably invest in some fancy
software, but the above is what I use often.

On Fri, May 25, 2012 at 12:31 PM, marc edwards <renorider_at_gmail.com> wrote:

> What is the version of the L3 switch? Keep in mind that many Catalyst models
> don't support netflow natively.
>
> On Fri, May 25, 2012 at 8:21 AM, Joe Sanchez <marco207p_at_gmail.com> wrote:
>
> > I would have to agree with Jay. Using Netflow is your best bet, not to
> > mention that if you are not using Netflow today as part of your NOC or
> > Control Center applications you should be. There are many free solutions
> > that would help with this issue in a few hours. Using your storm-control
> > features would also help out with these types of issues.
> >
> > HTH.
> > Joe
> >
> > On Thu, May 24, 2012 at 11:59 PM, Lucky <iamreallylucky_at_gmail.com> wrote:
> >
> > > Hi guys,
> > >
> > > in my network a couple of users are flooding the network.
> > >
> > > how to find out from l3 cisco switch who is causing this issue.
> > >
> > > how does the ip logging feature work and how to configure and remove the
> > > pcs from network.
> > >
> > > our bandwidth is 10mbps and showing the 560kbps and upload showing 1600kbps
> > >
> > > from singtel they are saying bandwidth is fine from their end
> > > quick reply will really help
> > >
> > > thanks
> > > lucky
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html

Received on Fri May 25 2012 - 16:32:12 ART
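
The two checks described in the reply above (counting NAT translations per inside host, and ranking switch ports by their 5 minute rates) can be scripted against saved CLI output. This is an added example, not part of the original thread; the sample text is constructed with documentation addresses, and the function names `nat_sessions_per_host` and `port_rates` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample output (documentation addresses); not captured from a real device.
NAT_SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.2:1025   10.0.0.15:1025     198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.2:1026   10.0.0.15:1026     198.51.100.8:25    198.51.100.8:25
udp 203.0.113.2:1027   10.0.0.15:1027     198.51.100.9:53    198.51.100.9:53
tcp 203.0.113.2:1028   10.0.0.22:4411     198.51.100.7:443   198.51.100.7:443
--- 203.0.113.3        10.0.0.30          ---                ---
"""
IFACE_SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.5e00.5301 (bia 0000.5e00.5301)
  5 minute input rate 12000 bits/sec, 9 packets/sec
  5 minute output rate 388000 bits/sec, 90 packets/sec
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.5e00.5302 (bia 0000.5e00.5302)
  5 minute input rate 1604000 bits/sec, 410 packets/sec
  5 minute output rate 21000 bits/sec, 15 packets/sec
"""

HEADER = re.compile(r"^\s*(\S+) is .*line protocol is")
RATE = re.compile(r"5 minute (input|output) rate (\d+) bits/sec")

def nat_sessions_per_host(text):
    """Count dynamic translation entries per inside-local IP, busiest host first."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        # Skip the column header and static one-to-one entries (protocol shown as "---").
        if len(fields) == 5 and fields[0] in ("tcp", "udp", "icmp"):
            counts[fields[2].rsplit(":", 1)[0]] += 1
    return counts.most_common()

def port_rates(text):
    """Return (interface, input_bps, output_bps) tuples, highest input rate first."""
    rates, current = {}, None
    for line in text.splitlines():
        header, rate = HEADER.match(line), RATE.search(line)
        if header:                       # "GigabitEthernet0/1 is up, line protocol is up"
            current = header.group(1)
            rates[current] = {"input": 0, "output": 0}
        elif rate and current:           # the "Hardware is Gigabit Ethernet" line falls through
            rates[current][rate.group(1)] = int(rate.group(2))
    return sorted(((n, r["input"], r["output"]) for n, r in rates.items()),
                  key=lambda t: t[1], reverse=True)
```

On a switch, a high input rate on an access port means the attached host is the one sending; comparing two snapshots of the NAT table taken a few seconds after a clear shows which hosts rebuild their sessions fastest.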

This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:20 ART