Question about traffic estimation in ISP company

Dr.X
Level 2

Hi,

I would like to ask a question about a production ISP network.

The topology is as shown:

The ISP company has registered public IPs, assume x.x.x.x/y.

PSTN==>Backhauling link<===Routerx==============Gateway  ===> two internet source

On the gateway router, there are 2 internet sources using BGP.

On the gateway router I applied a policy with a route map to route my public registered IPs between the two internet sources.

I'm sure about the ACL and the route map I configured.

The problem is that I'm suspicious of some strange traffic which is matched by the route map.

I mean that all my IPs are matched by 2 statements in the route map, and the 3rd statement of the route map is to permit any.

The issue is at the 3rd clause of the route map, which is permit any: I'm noting a lot of matches!

Why did that match occur?

I mean all my IPs should be matched by either statement 1 or statement 2 and be forwarded to the internet,

so why was something else, not from my IPs, matched?

This is my issue.

I will post the route map on the gateway router which I'm using:

As you see below, I'm sure that access lists zz & yy cover all my public registered IPs.

Why is sequence 100 of the route map matching a large amount of traffic (which is in red color)?

Note that there is a default route on Routerx to router Gateway.

Could the ISP be transferring traffic from the backhauling link and routing it through my gateway router?

My question is how to see the IPs matched by sequence 100 of the route map without affecting the router CPU and hanging it up?

As mentioned before, this is an ISP router.

=========================================

Gateway#sh route-map cisco
route-map cisco, permit, sequence 20
  Match clauses:
    ip address (access-lists): yyy
  Set clauses:
    ip next-hop 10.160.150.3
  Policy routing matches: 511299833 packets, 75552692 bytes
route-map cisco, permit, sequence 30
  Match clauses:
    ip address (access-lists): zzz
  Set clauses:
    ip next-hop x.x.x.x
  Policy routing matches: 1161185917 packets, 4175011881 bytes
route-map cisco, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 68370545 packets, 55093601 bytes

================================================

Regards

14 Replies

skarthic
Cisco Employee

Interesting situation. Using access-list logging/debugs is definitely going to peg the CPU. I would use NetFlow on the incoming interface on the gateway, maybe with the top-talkers option, to identify which sources are sending the traffic. However, you will have to manually check the traffic sources involved and find out if there are any other than the two networks matched in the route-map statements.

If this gateway is already taking a lot of traffic, consider using NetFlow somewhere in your LAN leading to the gateway to check whether you see any suspicious traffic sources.

Hope this helps.

Hi,

Thanks for your reply.

How do I enable NetFlow on the gateway router?

Regards

skarthic
Cisco Employee

The commands to enable NetFlow on an interface are:

'ip flow ingress' - captures ingress traffic for an interface

'ip flow egress' - captures egress traffic for an interface

Make sure CEF is turned on globally and on the interfaces. NetFlow needs CEF to be on.

You can collect the top BW consumers using the NetFlow top-talkers feature.

You can refer to this link - http://blog.alwaysthenetwork.com/tutorials/netflow-top-talkers/

Hope this helps.

Hi,

I'm just wondering, is this method safe?

I mean, if I enabled it and set a size of 100, could it cause any mistakes?

I'm using a production network, and any mistake will bring the system down.

Regards

skarthic
Cisco Employee

NetFlow statistics collection just adds a bit of CPU usage. Check what the current utilization of the CPU is and then add this feature. It might be anywhere between 10-30% CPU normally.

It seems I can't test it now; I will test it another time when the CPU is normal, and give you a reply with the result.

Thanks a lot.

Regards

Hi, I tested it,

but it no longer gets any data for source interface 0/1.

I want the inbound interface traffic to be seen, but it only gave me interface 0/2 with the top 200 talkers.

I typed ip flow ingress & egress under 0/1, so how do I see all traffic with IPs under only the 0/1 interface?

Regards

Hi,

Could this issue be because of using something like Hotspot Shield or some kind of proxy which will change the IP?

Regards

Hi, I removed traffic egress (which monitors the output traffic), and I can see only my registered IPs.

It is limited to only 200 IPs, and I want to see more than that.

Assume I want to see 5000 IPs.

I mean, I just want to capture for about 10 seconds and then stop the service.

Can I do it without halting the CPU?

Regards

skarthic
Cisco Employee

Hi Ahmed,

All that you will have to do is enable the command 'ip flow ingress' on all the LAN-facing interfaces.

You can increase the number of entries collected using the ip flow-cache entries command - http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdnfc.html#wp1000960

You would see the stored entries with the 'show ip cache flow' command.

Hi, I could estimate the other traffic; it's from private IPs:

========================================================

Gateway#sh ip cache flow | exclude 212.244
IP packet size distribution (969241412 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .753 .029 .036 .009 .003 .009 .003 .003 .002 .002 .002 .004 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .002 .003 .020 .100 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  65083 active, 453 inactive, 51471635 added
  56909640 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet        6475      0.0        14    46      0.0       6.5      32.6
TCP-FTP           9038      0.0         3    50      0.0       4.8      29.5
TCP-FTPD            87      0.0        71   141      0.0      26.6      33.6
TCP-WWW       25225793      5.8        26   182    153.2       8.7      29.8
TCP-SMTP       1735379      0.4         7   105      2.8       6.6      29.4
TCP-X             4100      0.0         2    76      0.0       1.1      23.2
TCP-BGP            392      0.0        17    78      0.0      48.9      18.5
TCP-NNTP             3      0.0         5    53      0.0       0.8      32.1
TCP-Frag             1      0.0        16    76      0.0      39.8      37.1
TCP-other     11097259      2.5        17   233     45.5      10.4      29.4
UDP-DNS        4858114      1.1         1    71      1.2       0.4      35.4
UDP-NTP          24906      0.0         1    75      0.0       5.6      34.2
UDP-TFTP            11      0.0         1   171      0.0       2.8      35.2
UDP-Frag           943      0.0       184   700      0.0      61.8      22.7
UDP-other      8283620      1.9        10   201     20.8       4.5      33.2
ICMP            157253      0.0         5   195      0.1       9.5      30.8
IPv6INIP          3071      0.0         5   121      0.0      14.1      26.1
GRE                103      0.0      3727   107      0.0     246.4      16.0
IP-other             1      0.0         1    68      0.0       0.0      20.4
Total:        51406549     11.9        18   192    224.0       7.5      30.8

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         192.168.0.4     Gi0/3.11      71.76.201.81    06 F0D4 E124     1
Gi0/1         192.168.1.8     Gi0/3.11      92.123.137.177  06 C1AB 01BB     1
Gi0/1         192.168.0.2     Gi0/3.11      99.192.50.42    06 C56D 6F8F     1
Gi0/1         192.168.1.2     Gi0/3.11      94.245.117.47   06 C1C0 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      94.245.117.47   06 C1C1 0050     1
Gi0/1         192.168.0.5     Gi0/3.11      94.245.117.47   06 C241 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      74.125.132.104  06 C18D 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      74.125.132.104  06 C18E 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      94.245.121.179  06 C1E3 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      94.245.121.179  06 C1E4 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      173.203.98.230  06 C1A5 0050     6
Gi0/1         192.168.0.3     Gi0/3.11      173.194.78.106  06 EB71 01BB     1
Gi0/1         192.168.1.2     Gi0/3.11      173.236.52.21   06 C193 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      173.236.52.21   06 C192 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      173.236.52.21   06 C194 0050     1
Gi0/1         192.168.1.4     Gi0/3.11      207.210.99.42   06 0E23 0050     1
Gi0/1         192.168.1.4     Gi0/3.11      207.210.99.42   06 0E20 0050     1
Gi0/1         192.168.1.4     Gi0/3.11      207.210.99.42   06 0E21 0050     1
Gi0/1         192.168.0.3     Gi0/3.11      67.222.111.118  06 E53E 01BB     1
Gi0/1         192.168.1.4     Gi0/3.11      23.21.161.142   06 0E2B 0050     1
Gi0/1         192.168.1.4     Gi0/3.11      69.171.228.70   06 10E0 0050     1
Gi0/1         192.168.1.4     Gi0/3.11      69.171.228.70   06 10DF 0050     1
Gi0/1         192.168.0.5     Gi0/3.11      212.143.22.63   06 C04B 0050     3
Gi0/1         192.168.1.2     Gi0/3.11      92.123.139.139  06 C20E 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      92.123.139.139  06 C20F 0050     1

I need only one thing now:

I want to estimate the BW that is being dissipated as these private IPs enter the interface Gi0/1.

Another question: how are these IPs created? I just give my customers public IPs, so how were those IPs created?

Regards

skarthic
Cisco Employee

I don't see that there is an option with NetFlow to see real-time bandwidth usage. However, with the NetFlow top-talkers feature I remember that one can sort using the 'no. of packets' or 'no. of bytes', which could give us some idea.

However, now that we know that there is private IP traffic being received, you can either

- use an access-list to block this traffic to avoid unwanted BW utilization, or

- track the hosts sending the traffic by checking the devices one by one for ARP entries for the 192.168. subnets.

Once you find the router that has ARP entries for these, you should be able to easily track down the host connected to some switch.

Let me know how this goes
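Added example, not from the thread and not Cisco's code: a short Python script that replays the Gateway's route-map evaluation over `show ip cache flow` rows and aggregates the flows that fall through to sequence 100. The customer prefixes (212.244.0.0/17 standing in for ACL yyy and 212.244.128.0/17 for ACL zzz), the sample flow rows (constructed in the format of the output above) and the 192 bytes/packet figure (the Bytes/Pkt value on the Total line) are assumptions for the example. Because sequence 100 has no match clause, every packet whose source is in neither ACL, including the 192.168.x.x sources, is policy-routed by it; the script lists those sources, the packets they account for per source and per destination port, and an estimated byte count, which is the figure the asker wanted for the Gi0/1 traffic.

```python
"""Replay IOS route-map (PBR) matching over NetFlow cache rows and
aggregate the traffic that hits the permit-any sequence.

Added example for the thread above; the prefixes, sample rows and the
192 bytes/packet average are assumptions, not data from the router.
"""
import ipaddress
import re
from collections import Counter

# ASSUMED customer prefixes standing in for access-lists yyy and zzz.
ACL_YYY = [ipaddress.ip_network("212.244.0.0/17")]
ACL_ZZZ = [ipaddress.ip_network("212.244.128.0/17")]

# route-map cisco as shown on the page: (sequence, permitted source prefixes).
# None = no match clause, so that sequence matches every remaining packet.
ROUTE_MAP = [
    (20, ACL_YYY),
    (30, ACL_ZZZ),
    (100, None),
]

# Average bytes per packet from the "Total:" line of show ip cache flow.
AVG_BYTES_PER_PKT = 192

# Constructed sample in the show ip cache flow record format (Pr/SrcP/DstP hex).
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         212.244.10.5    Gi0/3.11      74.125.132.104  06 C18D 0050    40
Gi0/1         212.244.200.9   Gi0/3.11      173.194.78.106  06 EB71 01BB    12
Gi0/1         192.168.1.2     Gi0/3.11      94.245.117.47   06 C1C0 0050     1
Gi0/1         192.168.1.2     Gi0/3.11      173.203.98.230  06 C1A5 0050     6
Gi0/1         192.168.0.5     Gi0/3.11      212.143.22.63   06 C04B 0050     3
Gi0/1         192.168.0.3     Gi0/3.11      67.222.111.118  06 E53E 01BB     1
Gi0/2         10.20.30.40     Gi0/3.11      8.8.8.8         11 C000 0035     2
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)$"
)


def match_sequence(src_ip, route_map=ROUTE_MAP):
    """First sequence whose match clause accepts src_ip (IOS evaluates in
    order and stops at the first hit). A sequence with no match clause
    accepts everything. None means no sequence matched."""
    ip = ipaddress.ip_address(src_ip)
    for seq, prefixes in route_map:
        if prefixes is None or any(ip in p for p in prefixes):
            return seq
    return None


def parse_flows(text):
    """Parse record rows; header lines and summary lines do not match."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "srcif": m["srcif"], "src": m["src"],
            "dstif": m["dstif"], "dst": m["dst"],
            "proto": int(m["pr"], 16),
            "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
            "pkts": int(m["pkts"]),
        })
    return flows


def fallthrough_report(flows, avg_bytes_per_pkt, ingress_if="Gi0/1",
                       fallthrough_seq=100):
    """Aggregate flows entering ingress_if that land on the permit-any
    sequence. Bytes are estimated from the cache's average packet size;
    divide est_bytes*8 by the capture interval for an average rate."""
    by_src, by_dport, total = Counter(), Counter(), 0
    for f in flows:
        if f["srcif"] != ingress_if or match_sequence(f["src"]) != fallthrough_seq:
            continue
        by_src[f["src"]] += f["pkts"]
        by_dport[f["dport"]] += f["pkts"]
        total += f["pkts"]
    return {
        "total_pkts": total,
        "est_bytes": total * avg_bytes_per_pkt,
        "by_src": dict(by_src),
        "by_dport": dict(by_dport),
        "private_sources": sorted(
            s for s in by_src if ipaddress.ip_address(s).is_private),
    }


if __name__ == "__main__":
    report = fallthrough_report(parse_flows(SAMPLE_FLOWS), AVG_BYTES_PER_PKT)
    for src, pkts in sorted(report["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {pkts:6} pkts  seq {match_sequence(src)}")
    print("fall-through total:", report["total_pkts"], "pkts,",
          report["est_bytes"], "bytes (est.)")
```

Run it against a real `show ip cache flow` capture by replacing `SAMPLE_FLOWS` with the saved output and the two prefix lists with the real contents of yyy and zzz; any source reported under sequence 100 is traffic the route map is forwarding that the two ACLs never intended to cover.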

Please look at the route map, and see the last clause of the route map... there are a lot of matches!

Isn't my idea right?

You didn't answer me: could these IPs be from a VPN or something like Hotspot Shield programs?

I will try to find the cache and give you a reply.

Regards

skarthic
Cisco Employee

Comments inline

Ahmed M Alzaeem wrote:

Please look at the route map, and see the last clause of the route map... there are a lot of matches!

Isn't my idea right?

You didn't answer me: could these IPs be from a VPN or something like Hotspot Shield programs?

>>>>>>> Seriously, I don't have an answer for this. You will have more idea about your environment and can form some idea about what could cause this. But you can identify the hosts sending the traffic by the method I suggested. Were you able to find anything?

I will try to find the cache and give you a reply.

Regards
