Meraki

Community

Real time high usage

AndyWettersten
Here to help
‎Oct 12 2021 11:44 AM
‎Oct 12 2021 11:44 AM

Real time high usage

So I had an interesting situation today and was wondering what more could be done.

 

I have an MX 100 and a 200/200 fiber connection coming in.

 

I noticed our Internet lagging, so I started a continuous ping to 8.8.8.8 and was getting maybe 30% loss.  I checked the dashboard and there was a spike in the "Live data" section of the appliance.  I ran a speed test and my downloads were testing around 10-15MB but my uploads were still l180-190.  It lasted maybe 15 minutes and then subsided and all went back to normal.

 

What I'm wondering is this - how can you detect a client with high usage in real time?  I can check the client list, filter by usage, and set it to the last two hours, but this isn't helpful with a real-time problem.  Furthermore, we have a lot of devices on network that view security cameras, so total usage for many clients is always excessively high, thus making identifying a new additions somewhat problematic.

 

Thoughts?

 

 

 

 

Screenshot 2021-10-12 145025.pngScreenshot 2021-10-12 144827.png

0 Kudos
8 Replies 8
BrandonS
Kind of a big deal
‎Oct 12 2021 12:14 PM
‎Oct 12 2021 12:14 PM

To get closer to real time or live analysis I think you will need to employ netflow and/or send network flows to a syslog server for further analysis with another tool.  I have not done it myself, but understand generally it should be possible and maybe someone else can chime in with preferred tools for the analysis and monitoring.

 

 

- Ex community all-star (⌐⊙_⊙)
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2021 12:43 PM
‎Oct 12 2021 12:43 PM

I do a packet capture of the Internet port for a couple of minutes.  Then load it into Wireshark.  Then go Analyse/Conversations and click on TCP.  Sort by the bytes column.

In response to PhilipDAth
AndyWettersten
Here to help
‎Oct 13 2021 5:56 AM
‎Oct 13 2021 5:56 AM

Oooooh, good idea.  But won't capturing the WAN port just give you destinations of the traffic, not the client that's originating it?  Would it be better to packet capture the LAN port instead?

0 Kudos
In response to AndyWettersten
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 13 2021 12:06 PM
‎Oct 13 2021 12:06 PM

Capturing on the LAN port works well as long as most of your traffic is going to the Internet.  If you do a lot of inter-vlan routing then it gets swamped by that traffic.

0 Kudos
In response to PhilipDAth
AndyWettersten
Here to help
‎Oct 14 2021 5:06 AM
‎Oct 14 2021 5:06 AM

Most traffic is headed out.  If you're capturing on the WAN port, how can you identify an individual LAN client though?  All I was seeing in the packet capture was the Internet destination, but not the client that initiated the traffic.

0 Kudos
lpopejoy
A model citizen
‎Dec 28 2023 8:15 AM
‎Dec 28 2023 8:15 AM

I agree, this is one of the biggest weaknesses of the MX.  A better real time view of conversations (without a packet capture) would be extremely helpful.

0 Kudos
In response to lpopejoy
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jan 2 2024 3:04 AM
‎Jan 2 2024 3:04 AM

NetFlow to the rescue! I know it's only a workaround, but MX is able to export NetFlow and you could have (even Open Source) systems that will do that job just perfectly for you.

0 Kudos
In response to CptnCrnch
lpopejoy
A model citizen
‎Jan 2 2024 6:43 AM
‎Jan 2 2024 6:43 AM

But then we are left with a requirement of being able to setup some type of infrastructure to consume the netflows inside the network.  There are so many edge cases, branch sites, etc - Netflow doesn't really help me.

 

I have over 150 networks - I need a scalable solution to quickly and effectively answer the question:  "Where is bandwidth going RIGHT NOW".  It would be dead simple for Meraki to have better real time visibility, but they have chosen not to fix this for reasons that escape me. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.