Identify and Control High Bandwidth Hosts
The High Bandwidth Host agent tracks the bandwidth usage of individual
hosts on your network. If a single host's traffic exceeds a certain percent
of the link size, the adaptive response feature will alert you that a
threshold has been exceeded. The standard alert is a red indicator on
the info tab (PacketWise) or configuration tab (PolicyCenter). In addition,
you can have an email, SNMP trap, or syslog message sent when a
bandwidth-abusing host has been found; this method requires that you create
an action file, a text file of PacketWise commands. Taking
it a few steps further, you can have the action file automatically create
a traffic class for the offending host so that you can track and monitor
it more closely. The action file can include any CLI command that can
run without additional user input. See Action
File Overviews for more information.
In order to use this feature, adaptive
response must be enabled and you must create an agent based on the
High Bandwidth Host template.
Create a High Bandwidth Host Agent
To create a High Bandwidth Host agent:
- On the setup tab, click the Adaptive Response Settings
link.
- Click add. The Add Agent Entry window will open.
- In the create a new agent from this agent template drop-down
list, choose High Bandwidth Host.
- Enter a unique identifying name for the new agent in the Name
field.
- If desired, change the evaluation interval, in minutes (how often
the agent should measure its target).
- Click OK and Edit Parms. This will open the Edit Agent
Entry window where you can define the parameter values for your
new agent.
- If desired, modify the threshold values:
RedThreshold: The value at which the status of the agent
turns red, and a red action file is triggered, if present. For the High
Bandwidth Host agent, this number represents the percentage at which
a single host is considered to be using too much bandwidth. For instance,
if the RedThreshold is set to 10, the agent's status will change to
red when the utilization of a single host is more than 10 percent of
the link size.
GreenThreshold: The value at which the status of the agent
turns green, and a green action file is triggered, if present. For instance,
if the GreenThreshold is set to 5, the agent's status will be green
when no single host has more than five percent utilization of the link.
- Click OK to save your changes.
Check the Agent Status
To check the status of the High Bandwidth Host agent:
- Click the info tab. The PacketShaper's info tab shows
an icon for each agent category, and a colored status indicator for
each. The High Bandwidth Host agent is in the Hosts category.
- To see the status of the High Bandwidth Host agent, hover your mouse
over the Hosts colored status indicator, as shown below.
- In the pop-up window, observe the color of the High Bandwidth Host
agent's status indicator.
Green: During the last evaluation interval, usage of any
single host did not exceed the red threshold you defined. That is, no
single host used a disproportionate share of the link's bandwidth during
the interval.
Yellow: During the last evaluation interval, usage was
approaching the red threshold (yellow is the range between the red and
green thresholds).
Red: During the last evaluation interval, usage exceeded
the defined red threshold. In other words, at least one host was using
too much bandwidth. If the status indicator is red, you should look
at the incident report for details.
If the agent has ever changed status (from green/yellow to red or from
red/yellow to green), a report icon with
a link to a detailed report will be available for the agent.
- If there is a report for the High Bandwidth Host agent, click the
report icon.
The incident report lists all the hosts for the interval, with the host
using the most bandwidth at the top of the list.
Create an Action File
There are different actions you might want to take if a high bandwidth
host is found on your network. Perhaps you just want an email notification
that indicates the IP address of the host that is consuming excessive
bandwidth. Or perhaps you want to create a class based on the IP address
of the bandwidth abuser so that you can track statistics on the host and
closely monitor its usage.
Note: In order to send email notification, you must configure
an SMTP server in PacketWise.
To create an action file:
1. If the info tab is currently displayed, click the
Settings link; otherwise, go to the setup tab and click
the Adaptive Response Settings link.
2. Click the edit button next to the High Bandwidth
Host agent.
3. Click the browse files button. The File
Browser window opens and shows the contents of the 9.258/agent/cmd directory
(where action files need to be stored).
4. Click the new cmd file button. A command
file window opens.
5. In the File Name field, enter a unique name
for your action file up to eight characters long, including 0-9, a-z,
A-Z, -, _, and . (period). Spaces are not allowed. Example: red-host
6. In the Contents area, enter the following commands:
#Title: red action file for High Bandwidth Host agent
class new $direction $host-ip outside host:$host-ip
class rule add $direction/$host-ip inside host:$host-ip
send email <address> "High Bandwidth Host found"
"Host $host-ip recently used $avg-bps bps, which is more than the
Red Threshold ($RedThreshold percent). Class $direction/$host-ip was created."
where <address> is the email address of the recipient. The
$host-ip variable represents the IP address of the host that is using
the most bandwidth in the interval. The $direction variable represents
the host's direction: Inbound or Outbound. The $avg-bps variable is
the host's utilization, in bits per second. To summarize, this action
file will create a class for the host that is using the most bandwidth;
the name of the class will be the host's IP address. You will then be
sent an email notifying you that these actions have been taken.
Note: If you want to send an email notification to more than one
recipient, repeat the send email command for each email address.
When the message is sent, the body of the email message would look something
like this:
Host 65.174.190.201 recently used 762744 bps, which is more than
the Red Threshold (10 percent). Class inbound/65.174.190.201 was created.
If you simply want to receive an email notification that a host
is using excessive bandwidth, the action file would look like this:
#Title: red action file for High Bandwidth Host agent
send email <address> "High Bandwidth Host found"
"Host $host-ip recently used $avg-bps bps, which is more than the
Red Threshold ($RedThreshold percent)."
7. Click save.
8. Enter the name of your action file in the Red
Action File field (for example, red-host.cmd).
9. Click OK.
After the next evaluation interval, an email will be sent if and when
the agent's red threshold is crossed.
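The threshold logic and action-file variables described above, modelled in Python as an added example (this is not PacketWise code). It assumes a host's utilization is its bits averaged over the evaluation interval and compared against a single link size; the function names, the 6 Mbps link and the sample traffic are constructed for illustration.

```python
import re

# Variables this page documents for High Bandwidth Host action files.
ACTION_VARS = ("host-ip", "direction", "avg-bps", "RedThreshold")
VAR_RE = re.compile(r"\$(" + "|".join(re.escape(v) for v in ACTION_VARS) + r")")
# Step 5: up to eight characters from 0-9, a-z, A-Z, '-', '_' and '.'.
NAME_RE = re.compile(r"[0-9A-Za-z._-]{1,8}")

def valid_action_name(name):
    """Check the name typed in the File Name field (before .cmd)."""
    return NAME_RE.fullmatch(name) is not None

def evaluate(samples, link_bps, interval_s, red_pct, green_pct):
    """samples: (direction, host_ip, bits) tuples seen in one interval.
    Returns (status, top); top is (direction, host_ip, avg_bps) or None."""
    totals = {}
    for direction, host, bits in samples:
        key = (direction, host)
        totals[key] = totals.get(key, 0) + bits
    if not totals:
        return "green", None
    (direction, host), bits = max(totals.items(), key=lambda kv: kv[1])
    avg_bps = bits // interval_s
    pct = 100.0 * avg_bps / link_bps
    if pct > red_pct:
        status = "red"       # a red action file would run here
    elif pct > green_pct:
        status = "yellow"    # between the green and red thresholds
    else:
        status = "green"
    return status, (direction, host, avg_bps)

def expand(template, top, red_pct):
    """Substitute the documented $variables; unknown $names are left alone."""
    direction, host, avg_bps = top
    values = {"host-ip": host, "direction": direction,
              "avg-bps": str(avg_bps), "RedThreshold": str(red_pct)}
    return VAR_RE.sub(lambda m: values[m.group(1)], template)

if __name__ == "__main__":
    # Constructed sample: 6 Mbps link, 60-second interval, bits per host.
    samples = [("inbound", "65.174.190.201", 45_764_640),
               ("inbound", "192.0.2.7", 6_000_000),
               ("outbound", "192.0.2.7", 1_200_000)]
    status, top = evaluate(samples, 6_000_000, 60, red_pct=10, green_pct=5)
    body = ("Host $host-ip recently used $avg-bps bps, which is more than "
            "the Red Threshold ($RedThreshold percent). "
            "Class $direction/$host-ip was created.")
    print(status, "|", expand(body, top, 10))
```

Previewing the expanded text this way makes it easy to confirm that an email body and a generated class name read as intended before the action file is saved on the unit.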
See also:
Quarantine Bandwidth Abusers