I'm seeing high utilization on a specific node, with not a lot of subscribers (88), using ATDMA, QAM64, 4 mini-slots. Any recommendations on how I can lower this? Not sure what's causing it, could it be a user? I have 6 upstreams and they are all constantly over 90%, and I have reports from time to time of voice problems in the upstream direction.
What platform is this: Cisco/Casa/Arris/Other?
It could be a myriad of things. Most likely it is a customer with a virus that is trying to infect the world; it could also be a misbehaving modem, or customer(s) who are legitimately uploading a ton of data.
You need to look at QOS usage; usually this is enough to narrow down the offender.
something like show cable modem qos | in "interface the modem is on"
or
show cable modem verbose | in "interface modem is on|us bandwidth field"
This should show you the cable modems and their upstream throughput. Most likely, if it is one of the problems mentioned above, it should be immediately apparent who the culprit is: they will have way more bandwidth in use than anyone else.
If you're still having trouble you will need to look at minislot usage. In this case whatever is causing the issue is not using lots of bandwidth, but is instead making tons of connections, most likely to different destinations (think port scanner). This traffic is small packets < 64 bytes and lots of them, and it basically requests minislots to transmit on all day, so it has high minislot usage and low bandwidth usage.
Cisco UBR10012, is there any easy way to track down the offending user?
Sorry, didn't read the whole message, I already did go through the QOS thing and shut down the highest users to test and it didn't have an impact.
Some random ideas
-----
check qos for heavy users
show int cable 5/0/0 service-flow qos us
-----
Check show cable modem verbose for heavy packets per second
show cable modem cable 5/0/0 verbose | incl MAC Address|packets/sec
-----
check interface traffic counters
clear counters cable 5/0/0
show cable modem cable 5/0/0 counters
look for high packets per second
------
check netflow data
conf t
int bundle1
ip flow ingress
show ip flow top-talkers
look for high numbers
show ip cache flow
look for customer IP doing heavy transfer, or with tons of connections / scanning.
------------
Have a look in the punt protection lists
clear pxf statistics drl all
show pxf cpu statistics drl us-cable
look for top talkers on the interface in question
-----
Have a look for ARP flood
show cable arp-filter bundle1
Are the numbers increasing rapidly?
Try looking for top talkers
show cable arp-filter bundle1 requests-filtered 10000
show cable arp-filter bundle1 replies-filtered 1000
-----
Minislots
My recommendation is to use double the default
eg for 6.4 width, use 2 mini slot
for 3.2 width, use 4 mini slot
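
An added example, not part of the thread: a Python sketch that ranks modems by upstream packets per second and average packet size, to surface the "many small packets, little bandwidth" pattern described above from the `verbose | incl MAC Address|packets/sec` check. The output line layout, the sample values, the function names and the `min_pps` / `max_avg_bytes` thresholds are all assumptions; adjust the regexes to what your CMTS actually prints.

```python
import re

# Constructed sample, not real output: the line layout is an assumption modelled on
# what the filter "MAC Address|packets/sec" from the thread would leave behind.
SAMPLE = """\
MAC Address                         : 0000.5e00.5301
Total US Throughput                 : 1850000 bits/sec, 160 packets/sec
Total DS Throughput                 : 9200000 bits/sec, 800 packets/sec
MAC Address                         : 0000.5e00.5302
Total US Throughput                 : 410000 bits/sec, 950 packets/sec
Total DS Throughput                 : 52000 bits/sec, 90 packets/sec
MAC Address                         : 0000.5e00.5303
Total US Throughput                 : 0 bits/sec, 0 packets/sec
Total DS Throughput                 : 0 bits/sec, 0 packets/sec
"""

MAC_RE = re.compile(r"^MAC Address\s*:\s*([0-9a-fA-F.]+)")
US_RE = re.compile(r"^Total US Throughput\s*:\s*(\d+) bits/sec,\s*(\d+) packets/sec")

def parse_upstream(text):
    """Return {mac: (bits_per_sec, packets_per_sec)} for the upstream direction."""
    modems, mac = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = MAC_RE.match(line)
        if m:
            mac = m.group(1).lower()
            continue
        m = US_RE.match(line)
        if m and mac is not None:
            modems[mac] = (int(m.group(1)), int(m.group(2)))
    return modems

def rank_small_packet_talkers(modems, min_pps=200, max_avg_bytes=128):
    """Modems with a high upstream packet rate but small average packets, busiest first."""
    hits = []
    for mac, (bps, pps) in modems.items():
        if pps < min_pps:
            continue  # idle or low-rate modem; also avoids dividing by zero
        avg_bytes = bps / 8 / pps
        if avg_bytes <= max_avg_bytes:
            hits.append((mac, pps, round(avg_bytes, 1)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for mac, pps, avg in rank_small_packet_talkers(parse_upstream(SAMPLE)):
        print(f"{mac}  {pps} pps  avg {avg} bytes/packet")
```

A modem that shows up here but not in the QOS heavy-user list is the one to check in NetFlow for scanning or a connection flood.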