591 Views, 28 Helpful, 10 Replies

access-list capturing packets

ltosi (Level 1)

I am trying to discern which destination addresses are being hit, via an access list. For example, I would like an access list created to see all hits going to 170.40.0.0.

How do I go about creating this list without limiting traffic?

access-list 90 ---- Remark --Test------

access-list 90 permit 170.40.x.x.0.255.255

access-list 90 permit ip any any

Is this correct? I then want to see the flow, so would I then "term mon" and "show access-list 90" to see the traffic?

Thank you to whomever responds.

10 Replies

vinay_verma80 (Level 1)

Hi,

I can't understand your question. What do you actually want to do?

But if you want to see how many IP packets this source address sends to other IP addresses (networks through the router), this will give you the number of hits.

Regards

I am trying to see how many destination addresses within the 170.40.0.0/16 range are being hit. I would like to set up an access-list that will allow all traffic to the 170.40.0.0 destination, but I need to see what addresses within that range people are trying to access. Does that help?

Hi John.

Did you apply this access-list entry to the interface that the 170.x.x.0/16 network passes through?

As per your requirement, could you change the access-list entry for testing as follows:

access-list 90 permit 170.40.0.0 0.0.255.255 log

access-list 90 permit any

!

! This matches packets from the 170.x.x.0/16 network, i.e. packets whose source address is in that range, as they pass through the interface.

interface fastethernet 0/1

ip access-group 90 in

Hope this helps

Thot

John:

It is being routed via gigE0/3.

So I need to place access-list 90 within int ge0/3?

In other words, all of 170.40.0.0/16 is being routed to 10.1.25.1, which is on int ge0/3. How do you apply it to the interface? Thank you.

Edison Ortiz (Hall of Fame)

If you are looking for a 'destination' match, you need to use an extended ACL and log it.

access-list 190 remark Test

access-list 190 permit ip any 170.40.0.0 0.0.255.255 log-input

access-list 190 permit ip any any

and insert the following on the egress interface:

ip access-group 190 out

If you have telnetted into the router, you need to turn on terminal monitoring ("term mon"), and you can see the hit count with "show ip access-list 190".

HTH,

The example given by Edison will help you get the number of people trying to access the destinations in the range 170.40.0.0/16.

But if you want to know which exact destinations are being accessed in that range, then you need either IP accounting or NetFlow.

NetFlow is preferred.

For IP accounting:

int fa 0/1

ip accounting output-packets

Then use sh ip accounting.

If your device supports NetFlow:

int fa 0/1

ip route-cache flow

ip flow-export version 5

ip flow-export destination

You can then use sh ip flow cache to see the traffic statistics.

It's better to use software like NetFlow Analyzer by AdventNet:

http://manageengine.adventnet.com/products/netflow/index.html

HTH

Narayan
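Once flow switching is on, the step the post leaves out is turning the cache rows into an answer to the original question. The following added Python example (not code from this thread or from Cisco) parses constructed rows laid out like the flow table of show ip cache flow, decodes the hex protocol and port columns, and totals packets per destination and per destination service inside 170.40.0.0/16. The sample rows, interface names and addresses are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample rows in the "show ip cache flow" flow-table layout (not
# output quoted in the thread). Pr is the IP protocol number in hex, SrcP/DstP
# are port numbers in hex, and for ICMP (Pr 01) DstP carries type/code as 0xTTCC.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.1.2.3        Gi0/3         170.40.10.5     06 C822 01BB     38
Fa0/1         10.1.2.7        Gi0/3         170.40.10.5     06 C823 01BB      1
Fa0/1         10.1.2.9        Gi0/3         170.40.22.1     11 14E9 0035      1
Fa0/1         10.1.2.3        Gi0/3         170.40.10.5     01 0000 0800      1
Fa0/1         10.1.2.3        Gi0/3         192.0.2.44      06 C864 0050      2
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def describe_service(proto, dport):
    """Render protocol/port the way an analyst reads it (ICMP as type/code)."""
    if proto == 1:
        return f"icmp {dport >> 8}/{dport & 0xFF}"
    return f"{PROTO_NAMES.get(proto, f'proto{proto}')}/{dport}"


def parse_flow_rows(text):
    """Yield one dict per flow row; the header and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, pr, sport, dport, pkts = parts
        try:
            yield {
                "src_if": src_if,
                "src": ipaddress.ip_address(src),
                "dst_if": dst_if,
                "dst": ipaddress.ip_address(dst),
                "proto": int(pr, 16),      # hex protocol number
                "sport": int(sport, 16),   # hex port
                "dport": int(dport, 16),   # hex port (or ICMP type/code)
                "pkts": int(pkts),
            }
        except ValueError:
            continue  # not a flow row (e.g. a cache statistics line)


def destinations_in_prefix(text, prefix):
    """Packets per destination host and per (host, service) inside prefix."""
    net = ipaddress.ip_network(prefix)
    per_dst = Counter()
    per_service = Counter()
    for flow in parse_flow_rows(text):
        if flow["dst"] not in net:
            continue
        dst = str(flow["dst"])
        per_dst[dst] += flow["pkts"]
        per_service[(dst, describe_service(flow["proto"], flow["dport"]))] += flow["pkts"]
    return per_dst, per_service


if __name__ == "__main__":
    per_dst, per_service = destinations_in_prefix(SAMPLE_FLOW_CACHE, "170.40.0.0/16")
    for dst, pkts in per_dst.most_common():
        print(f"{dst:15} {pkts:6d} packets")
    for (dst, svc), pkts in per_service.most_common():
        print(f"{dst:15} {svc:12} {pkts:6d} packets")
```

Because the cache is keyed by the full flow tuple, this shows which hosts and services behind the prefix were actually reached rather than a single hit counter, and it costs the router nothing beyond flow switching itself. As Edison notes further down, ip route-cache flow counts packets on the interface where they enter, so the rows only exist if it is enabled on the ingress interface for this traffic.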

Narayan

The show access-list command will show only the number of hits not the individual destinations, as you point out. But the log-input in the access list will create records in syslog and these records will show the individual destination addresses. So the access-list as suggested by Edison will accomplish the objective.

I do agree with you that using NetFlow (preferred) or IP accounting would be alternatives to accomplish this with lower overhead on the router.

HTH

Rick

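To get the individual destinations out of those syslog records you have to parse the %SEC-6-IPACCESSLOGP messages rather than read show access-list. The following added Python example (not code from this thread or from Cisco) does that over constructed log lines in the log-input format and totals packets per destination inside 170.40.0.0/16 for ACL 190; the sample lines, interface and MAC values are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). They follow the
# IOS %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) layouts;
# the "(interface source-mac)" field is what the log-input keyword adds.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.2.3(51234) (GigabitEthernet0/1 0011.2233.4455) -> 170.40.10.5(443), 1 packet
Mar  1 10:00:03.456: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.2.7(51235) (GigabitEthernet0/1 0011.2233.4466) -> 170.40.10.5(443), 1 packet
Mar  1 10:00:05.789: %SEC-6-IPACCESSLOGP: list 190 permitted udp 10.1.2.9(5353) (GigabitEthernet0/1 0011.2233.4477) -> 170.40.22.1(53), 1 packet
Mar  1 10:00:09.001: %SEC-6-IPACCESSLOGDP: list 190 permitted icmp 10.1.2.3 (GigabitEthernet0/1 0011.2233.4455) -> 170.40.10.5 (8/0), 1 packet
Mar  1 10:05:01.500: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 10.1.2.3(51234) (GigabitEthernet0/1 0011.2233.4455) -> 170.40.10.5(443), 37 packets
Mar  1 10:05:02.000: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.2.3(51300) (GigabitEthernet0/1 0011.2233.4455) -> 192.0.2.44(80), 2 packets
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern covers the tcp/udp form (ports in parentheses), the icmp form
# (type/code after the destination) and the optional log-input interface field.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>" + IPV4 + r")(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))?"                       # "(ingress-if src-mac)" from log-input
    r" -> (?P<dst>" + IPV4 + r")(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?"           # ICMP "(type/code)"
    r", (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log message, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def destinations_hit(log_text, acl, prefix):
    """Total logged packets per destination, and per (src, dst, proto, dport),
    for one ACL, keeping only destinations inside the given prefix."""
    net = ipaddress.ip_network(prefix)
    per_dst = Counter()
    per_tuple = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in net:
            continue
        per_dst[str(dst)] += rec["count"]
        per_tuple[(rec["src"], str(dst), rec["proto"], rec["dport"])] += rec["count"]
    return per_dst, per_tuple


if __name__ == "__main__":
    per_dst, per_tuple = destinations_hit(SAMPLE_SYSLOG, "190", "170.40.0.0/16")
    for dst, pkts in per_dst.most_common():
        print(f"{dst:15} {pkts:6d} packets")
    for (src, dst, proto, dport), pkts in per_tuple.most_common():
        print(f"{src:15} -> {dst:15} {proto}/{dport or '-':5} {pkts:6d} packets")
```

The log line for a flow is written immediately for its first packet and then only as a five-minute summary, so the counts are approximate; and every packet matching a log-input entry is punted to the CPU, which is the overhead Rick contrasts with NetFlow above. Feed the function the output of "show logging" or the syslog server's file instead of the sample text.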

Thanks Rick for explaining my suggestion. While NetFlow provides the information needed, let's not forget that feature is very new to IOS (12.3(11)T and later), therefore we can't assume the OP is running the latest and greatest code out there :)

Edison

I am not sure where you came up with NetFlow being new and introduced in 12.3(11)T. For example I have a 1721 running 12.2 mainline which is successfully running NetFlow:

flow_1721#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(28), RELEASE SOFTWARE (fc5)

interface Serial0
 ip route-cache flow

flow_1721#sh ip cache flow
IP packet size distribution (35312591 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .222 .028 .004 .108 .059 .006 .003 .002 .002 .000 .000 .001 .001 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .000 .000 .200 .351 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  0 active, 4096 inactive, 1615965 added
  25277987 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never

[edit]

I found this interesting quote:

Almost all Cisco devices support NetFlow since its introduction in the 11.1 train of Cisco IOS Software and because of this, NetFlow is most likely available in any devices in the network.

at this link:

http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd80406232.shtml

HTH

Rick


Rick,

I was thinking mostly about ip flow egress, which would help the OP tremendously, and it says here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hnf_r/nfl_a1h.htm#wp1304257

that it was introduced in the 12.3(11)T train.

Keep in mind, ip route-cache flow only examines incoming packets, not outgoing packets, so it must be placed on the ingress interface, not the egress interface, in order to accomplish what the OP is after.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hisw_r/ips_a1h.htm#wp1160847

And as you stated correctly, the 'flow' option was added to ip route-cache on the 11.1 train.
