Most, if not all, network administrators have been tasked at least once with checking why internet performance is slow, or with identifying which users/hosts are consuming internet bandwidth.
Not all businesses have network security solutions that can monitor and report internet usage. According to Howden Group, only 55% of the businesses in the UK utilize network firewalls [1], and as per a study conducted by StrongDM, 22. 51% of small businesses in the US and in the UK lack any cybersecurity measures at all, let alone cybersecurity solutions [2]. Without a traffic monitoring solution, gaining visibility into your network traffic can be challenging. However, if your infrastructure includes Cisco IOS devices, this article highlights the most effective Cisco IOS network monitoring tools to help you monitor internet connectivity.
Cisco IOS Traffic Monitoring Tools
Cisco IOS provides plenty of tools that can give you insight into network traffic. This article demonstrates these tools, explains how to use them, and shows how to interpret the data to answer the question of why the internet is slow today.
A- Show Interface Command
Before investigating a network issue, it’s essential to confirm its existence. Begin by comparing your internet subscription’s maximum bandwidth with your current usage. If the current usage equals, approaches or exceeds the subscription limit, then your connection is likely congested.
The show interface command shows the current bandwidth utilization at any time; the terms "current" and "any time" will be explained shortly.
Identify the appropriate interface. Make sure to choose an interface that carries only internet traffic, not one that also carries local traffic (typically the outside interface connecting your network to the ISP), and run show interface <interface_number>. You will get an output similar to the below.
Pay attention to the input rate (download) and output rate (upload). Understanding which rate corresponds to upload or download requires visualizing how the router interfaces connect.
The 5-Minute Average
The displayed rates, in our example (5 Minute input rate 48067000 bit/sec), represent an average over the last five minutes rather than real-time values. This interval can be adjusted using the load-interval command.
If traffic changes suddenly, the displayed rates won't immediately reflect the new values. It takes five minutes for the rates to adjust and display the updated average. This default 5-minute interval applies to all values in the show interface command. For more accurate, near real-time averages, we can reduce the interval using the load-interval command; 30 seconds is Cisco's minimum.
Assuming the ~48 Mbps from the example is congesting our network, let's move on to the next steps.
B- Show IP NAT translations Command
The show ip nat translations command, available on routers performing NAT, displays the source and destination IPs and ports for each connection, along with their translations. I chose this command because it presents each connection on a separate line.
Example output:
In large corporate networks, this output may be extensive. To manage it effectively:
- Export the output to a text editor like Notepad++.
- Replace spaces/tabs with commas, then save as a .csv file.
By sorting the "Inside Local" column, you can identify the IPs generating the most sessions, although the output doesn't show how many bytes each session consumed. An unusually high number of sessions from a user PC could indicate a worm or that users are running peer-to-peer file-sharing apps within the corporate network.
C- Show IP Accounting
The show ip accounting command provides another perspective by listing source-destination IP pairs along with the total packets and bytes exchanged. This command offers a view of the data exchanged between IP pairs regardless of how many sessions exist between them.
Example output:
To use this feature, enable it on the relevant interface using the command ip accounting output.
D- Combining the Generated Data for Enhanced Analysis
The show ip nat translations and show ip accounting commands provide different views, but they complement each other to help you understand network activity and identify bandwidth-hogging culprits. The show ip nat translations command reveals the number of sessions going to the internet and helps you highlight IPs with an unusually high number of sessions, while IP accounting provides data on how much traffic each IP has consumed.
You may combine both outputs into a single document using the following steps:
1- Export both outputs to two spreadsheet workbooks.
2- Use the COUNTIF function to count the sessions per source IP in the show ip nat translations output.
3- Apply the VLOOKUP function to bring the session counts from step 2 into the rows of the IP accounting output, matching on the source IP address.
This approach creates a detailed table showing source IP, destination IP, session count, packet count, and byte usage—offering insights comparable to reports from high-cost network security solutions.
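The same COUNTIF and VLOOKUP steps can be scripted instead of done in a spreadsheet. The following Python sketch is an added example, not part of the original article: the two sample outputs are constructed with documentation-range addresses, and it assumes the Source column of show ip accounting carries the same inside local addresses that appear in the NAT table.

```python
import re
from collections import Counter

# Constructed sample outputs (documentation-range addresses), not from a real device.
NAT_OUTPUT = """\
Pro Inside global       Inside local        Outside local       Outside global
tcp 203.0.113.2:1025    192.168.1.20:1025   198.51.100.5:443    198.51.100.5:443
tcp 203.0.113.2:1026    192.168.1.20:1026   198.51.100.5:443    198.51.100.5:443
tcp 203.0.113.2:1027    192.168.1.20:1027   198.51.100.9:6881   198.51.100.9:6881
udp 203.0.113.2:5353    192.168.1.31:5353   198.51.100.7:53     198.51.100.7:53
--- 203.0.113.3         192.168.1.40        ---                 ---
"""
ACCT_OUTPUT = """\
   Source           Destination              Packets               Bytes
 192.168.1.20     198.51.100.5                  900              1200000
 192.168.1.20     198.51.100.9                 4000              5600000
 192.168.1.31     198.51.100.7                   12                 1100
 192.168.1.55     198.51.100.5                   30                40000
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Columns: Pro, Inside global, Inside local (captured), Outside local, Outside global
NAT_ROW = re.compile(rf"^(?:tcp|udp|icmp)\s+\S+\s+{IP}:\d+\s+\S+\s+\S+\s*$")
ACCT_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)\s*$")

def sessions_per_host(nat_text):
    """COUNTIF step: number of dynamic translations per inside local IP."""
    counts = Counter()
    for line in nat_text.splitlines():
        m = NAT_ROW.match(line)
        if m:  # the header and static ('---') entries are not sessions
            counts[m.group(1)] += 1
    return counts

def usage_report(nat_text, acct_text):
    """VLOOKUP step: attach each source's session count to its accounting rows."""
    sessions = sessions_per_host(nat_text)
    rows = []
    for line in acct_text.splitlines():
        m = ACCT_ROW.match(line)
        if m:
            src, dst, pkts, byts = m.groups()
            # A source with no NAT entry gets 0 instead of a failed lookup
            rows.append((src, dst, sessions.get(src, 0), int(pkts), int(byts)))
    return sorted(rows, key=lambda r: r[4], reverse=True)  # heaviest pairs first

if __name__ == "__main__":
    for src, dst, n, pkts, byts in usage_report(NAT_OUTPUT, ACCT_OUTPUT):
        print(f"{src:<15} {dst:<15} sessions={n:<3} packets={pkts:<6} bytes={byts}")
```

Sorting the result by the session column instead of bytes gives the "most sessions" view described in section B.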
By leveraging Cisco IOS commands such as show interface, show ip nat translations, and show ip accounting, network administrators can achieve visibility comparable to that of top network security solutions using simple Cisco IOS tools.
References:
[1] Howden Group Cyber Insurance Report 2024: Howden Group
[2] StrongDM Small Business Cybersecurity Statistics: StrongDM