07-14-2007 03:06 AM - edited 03-03-2019 05:52 PM
I am trying to discern what destination addresses are being hit via an access list: For example, I would like an access list created to see all hits going to 170.40.0.0.
How do I go about creating this list without limiting traffic?
access-list 90 ---- Remark --Test------
access-list 90 permit 170.40.x.x.0.255.255
access-list 90 permit ip any any
Is this correct? I then want to see the flow so I would then "term mon" show access-list 90 to see the traffic?
thank you to whomever responds
07-14-2007 04:55 AM
Hi,
I can't understand your question. What do you actually want to do?
But if you want to see how many IP packets this source address sends to other IP addresses (network through the router), this will give you the number of hits.
regards
07-14-2007 05:00 AM
I am trying to see how many destination addresses within the 170.40.0.0/16 are being hit. I would like to set up an access-list that will allow all traffic to the 170.40.0.0 destination, but I need to see what addresses within that range people are trying to access. Does that help?
07-14-2007 06:07 AM
Hi John.
Did you apply this access-list entry into the interface that the 170.x.x.0./16 network pass through?
As for your requirement, could you change the access-list entry for testing as follows:
access-list 90 permit 170.40.0.0 0.0.255.255 log
access-list 90 permit ip any any
!
\\There are packets from the 170.x.x.0./16 network that are source address of packets passing through the interface.
interface fastethernet 0/1
ip access-group 90 in
Hope this helps
Thot
07-14-2007 06:21 AM
John:
It is being routed via gigE0/3.
So I need to place access-list 90 within int ge0/3?
In other words, all 170.40.0.0/16 is being routed to 10.1.25.1, which is on int ge0/3. How do you apply it to the interface? Thank you
07-14-2007 06:18 AM
If you are looking for a 'destination' match, you need to use extended ACL and log it.
access-list 190 ---- Remark --Test------
access-list 190 permit ip any 170.40.0.0 0.0.255.255 log-input
access-list 190 permit ip any any
and insert the following in the egress interface.
ip access-group 190 out
If you are telnet into the router, you need to turn terminal monitoring "term mon" and you can see the hit count with "show ip access-list 190".
HTH,
07-14-2007 06:43 AM
The example given by Edison will help you get the number of people trying to access the destinations in the range 170.40.0.0/16.
But if you want to know which exact destinations are being accessed in that range, then you need either ip accounting or Netflow.
Netflow is preferred
for ip accounting
int fa 0/1
ip accounting output-packets
then use sh ip accounting
if your device supports netflow
int fa 0/1
ip route-cache flow
ip flow-export version 5
ip flow-export destination
you can then use sh ip flow cache to see the traffic statistics.
It's better to use software like NetFlow Analyzer by AdventNet:
http://manageengine.adventnet.com/products/netflow/index.html
HTH
Narayan
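An added example, not code from Narayan or from any post in this thread: a minimal parser for the NetFlow version 5 export datagrams that `ip flow-export version 5` sends to a collector, tallying flows whose destination falls inside 170.40.0.0/16. The datagram and its addresses are constructed inline for illustration, not captured from a real router.

```python
import struct
import ipaddress
from collections import Counter

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")           # version, count, sysuptime, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport, pad, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad

def _ip(n):
    return str(ipaddress.ip_address(n))

def parse_v5(datagram):
    """Return [(src, dst, dport, proto, packets, octets)] for every record in one v5 datagram."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, pkts, octets, _first, _last, _sport, dport, _pad, _flags, proto, *_ = rec
        flows.append((_ip(src), _ip(dst), dport, proto, pkts, octets))
    return flows

def build_sample_datagram(flows):
    """Constructed export datagram for testing (not a real capture); flows = [(src, dst, dport, proto, pkts, octets)]."""
    out = V5_HEADER.pack(5, len(flows), 123456, 1184400000, 0, 1, 0, 0, 0)
    for src, dst, dport, proto, pkts, octets in flows:
        out += V5_RECORD.pack(int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)),
                              0, 3, 1, pkts, octets, 100, 200, 40000, dport, 0, 0x18, proto, 0, 0, 0, 24, 16, 0)
    return out

def destinations_in(datagram, prefix):
    """Packets per (destination, dport) for flows whose destination is inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    hits = Counter()
    for _src, dst, dport, _proto, pkts, _octets in parse_v5(datagram):
        if ipaddress.ip_address(dst) in net:
            hits[(dst, dport)] += pkts
    return dict(hits)

# Constructed sample: three flows into 170.40.0.0/16 and one elsewhere (hosts are assumptions).
SAMPLE_DATAGRAM = build_sample_datagram([
    ("10.1.25.7", "170.40.12.5", 80, 6, 12, 9000),
    ("10.1.25.7", "170.40.12.5", 443, 6, 40, 52000),
    ("10.1.30.9", "170.40.200.1", 0, 1, 5, 420),
    ("10.1.25.8", "192.0.2.44", 22, 6, 3, 300),
])
```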
07-14-2007 08:50 AM
Narayan
The show access-list command will show only the number of hits not the individual destinations, as you point out. But the log-input in the access list will create records in syslog and these records will show the individual destination addresses. So the access-list as suggested by Edison will accomplish the objective.
I do agree with you that using NetFlow (preferred) or IP accounting would be alternatives to accomplish this with lower overhead on the router.
HTH
Rick
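An added example, not Rick's or Edison's code: parsing the %SEC-6-IPACCESSLOG* syslog records that the log-input entry on ACL 190 produces, and tallying the individual destinations inside 170.40.0.0/16 that show access-list cannot show. The sample log lines, hosts and interface names are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Constructed syslog lines in the shape IOS emits for an extended ACL entry with log-input
# (not captured from the OP's router; addresses and MACs are made up).
SAMPLE_SYSLOG = """\
Jul 14 06:21:03.115: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.25.7(41822) (GigabitEthernet0/3 0011.2233.4455) -> 170.40.12.5(80), 1 packet
Jul 14 06:21:09.440: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.25.7(41823) (GigabitEthernet0/3 0011.2233.4455) -> 170.40.12.5(443), 3 packets
Jul 14 06:21:15.002: %SEC-6-IPACCESSLOGDP: list 190 permitted icmp 10.1.30.9 (GigabitEthernet0/3 0011.2233.4466) -> 170.40.200.1 (8/0), 5 packets
Jul 14 06:21:20.771: %SEC-6-IPACCESSLOGP: list 190 permitted udp 10.1.25.7(5353) (GigabitEthernet0/3 0011.2233.4455) -> 170.40.12.9(53), 1 packet
Jul 14 06:21:25.318: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.25.8(5123) (GigabitEthernet0/3 0011.2233.4477) -> 192.0.2.44(22), 1 packet
"""

# Handles the port-carrying (LOGP) form and the ICMP type/code (LOGDP) form; the optional
# "(interface mac)" group is what log-input adds over plain log.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))? -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:\((?P<dport>\d+)\)| \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

def destinations_hit(syslog_text, acl, prefix):
    """Return {destination: packets} for records of ACL `acl` whose destination lies in `prefix`.
    Counts are approximate: IOS summarizes and rate-limits ACL log messages."""
    net = ipaddress.ip_network(prefix)
    hits = Counter()
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if dst in net:
            hits[str(dst)] += int(m.group("count"))
    return dict(hits)
```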
07-14-2007 03:51 PM
Thanks Rick for explaining my suggestion. While Netflow provides the information needed, let's not forget that feature is very new to IOS (12.3(11)T and later), therefore we can't assume the OP is running the latest and greatest code out there :)
07-14-2007 04:27 PM
Edison
I am not sure where you came up with NetFlow being new and introduced in 12.3(11)T. For example I have a 1721 running 12.2 mainline which is successfully running NetFlow:
flow_1721#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(28), RELEASE SOFTWARE (fc5)
interface Serial0
ip route-cache flow
flow_1721#sh ip cache flow
IP packet size distribution (35312591 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .222 .028 .004 .108 .059 .006 .003 .002 .002 .000 .000 .001 .001 .001
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.001 .000 .000 .200 .351 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
0 active, 4096 inactive, 1615965 added
25277987 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
[edit]
I found this interesting quote:
Almost all Cisco devices support NetFlow since its introduction in the 11.1 train of Cisco IOS Software and because of this, NetFlow is most likely available in any devices in the network.
at this link:
http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd80406232.shtml
HTH
Rick
07-14-2007 04:48 PM
Rick,
I was thinking mostly about ip flow egress which would help the OP tremendously and it says here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hnf_r/nfl_a1h.htm#wp1304257
that was introduced on 12.3(11)T train.
Keep in mind, ip route-cache flow only examines incoming packets, not outgoing packets so it must be placed at the ingress interface, not the egress interface - in order to accomplish what the OP is after.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hisw_r/ips_a1h.htm#wp1160847
And as you stated correctly, the 'flow' option was added to ip route-cache on the 11.1 train.