09-20-2012 01:31 PM - edited 03-07-2019 09:00 AM
Hi,
I would like to ask a question about a production ISP network.
The topology is as shown:
The ISP company has registered public IPs, assume x.x.x.x/y.
PSTN==>Backhauling link<===Routerx==============Gateway ===> two internet sources
On the gateway router, there are 2 internet sources using BGP.
On the gateway router I applied a policy with a route map to route my registered public IPs between the two internet sources.
I am sure about the ACL and the route map I configured.
The problem is that I am doubting some strange traffic which is matched by the route map.
I mean that all my IPs are matched by 2 statements in the route map, and the 3rd statement of the route map is a permit any.
The issue is that at the 3rd clause of the route map, which is permit any, I am noticing a lot of matches!
Why did that match occur?
I mean all my IPs should be matched by either statement 1 or statement 2 and be forwarded to the internet,
so why was something else, not from my IPs, matched?
This is my issue.
I will post the route map on the gateway router which I am using:
As you see below, I am sure that access lists zz & yy cover all my registered public IPs.
Why is sequence 100 of the route map matching a large amount of traffic (the one in red)?
Note that there is a default route on Routerx to router Gateway.
Could the ISP be transferring traffic from the backhauling link and routing it through my gateway router?
My question is how to see the IPs matched by sequence 100 of the route map without affecting the router CPU and hanging it up.
As mentioned before, this is an ISP router.
=========================================
Gateway#sh route-map cisco
route-map cisco, permit, sequence 20
Match clauses:
ip address (access-lists): yyy
Set clauses:
ip next-hop 10.160.150.3
Policy routing matches: 511299833 packets, 75552692 bytes
route-map cisco, permit, sequence 30
Match clauses:
ip address (access-lists): zzz
Set clauses:
ip next-hop x.x.x.x
Policy routing matches: 1161185917 packets, 4175011881 bytes
route-map cisco, permit, sequence 100
Match clauses:
Set clauses:
Policy routing matches: 68370545 packets, 55093601 bytes
================================================
regards
09-20-2012 04:45 PM
Interesting situation. Using access-list logging/debugs is definitely going to peg the CPU. I would use netflow on the incoming interface on the gateway, maybe with the top-talkers option, to identify what sources are sending the traffic. However, you will have to manually check the traffic sources involved and find out if there are any other than the two networks matched in the route-map statements.
If this gateway is already taking a lot of traffic, consider using netflow somewhere in your LAN leading to the gateway to see if you see any suspicious traffic sources.
Hope this helps.
09-21-2012 07:30 AM
Hi,
Thanks for your reply.
How do I enable netflow on the gateway router?
Regards
09-21-2012 07:34 AM
The commands to enable netflow on an interface are:
'ip flow ingress' - captures ingress traffic for an interface
'ip flow egress' - captures egress traffic for an interface
Make sure CEF is turned on globally and on the interfaces. Netflow needs CEF to be ON.
You can collect the top BW consumers using the netflow top talkers feature.
You can refer to this link - http://blog.alwaysthenetwork.com/tutorials/netflow-top-talkers/
Hope this helps.
09-21-2012 07:41 AM
Hi,
I am just wondering, is this method safe?
I mean, if I enable it and set a size of 100, could it cause any mistakes?
I am using a production network, and any mistake will bring the system down.
Regards
09-21-2012 07:58 AM
Netflow statistics collection just adds a bit of CPU usage. Check the current utilization of the CPU and then add this feature. It might be anywhere between 10-30% CPU normally.
09-21-2012 08:03 AM
It seems I can't test it now; I will test it another time when the CPU is normal, and give you a reply with the result.
Thanks a lot.
Regards
09-22-2012 01:08 AM
Hi, I tested it,
but it no longer gets any data for source interface 0/1.
I want the inbound interface traffic to be seen, but it only gave me interface 0/2 with the top 200 talkers.
I typed ip flow ingress & egress under 0/1, so how do I see all traffic with IPs under only the 0/1 interface?
Regards
09-22-2012 01:57 AM
Hi,
Could this issue be because of using something like Hotspot Shield or something like a proxy which will change the IP?
Regards
09-22-2012 02:02 AM
Hi, I removed traffic egress, which monitors the output traffic, and I can only see my registered IPs.
It is limited to only 200 IPs, and I want to see more than that;
assume I want to see 5000 IPs.
I mean I just want to capture for about 10 seconds and then stop the service.
Can I do it without halting the CPU?
Regards
09-22-2012 05:45 AM
Hi Ahmed,
All that you will have to do is enable the command 'ip flow ingress' on all the LAN-facing interfaces.
You can increase the number of entries collected using the 'ip flow-cache entries' command - http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdnfc.html#wp1000960
You would see the stored entries with the 'show ip cache flow' command.
09-22-2012 09:26 AM
Hi, I could estimate the other traffic; it's from private IPs:
========================================================
Gateway#sh ip cache flow | exclude 212.244
IP packet size distribution (969241412 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .753 .029 .036 .009 .003 .009 .003 .003 .002 .002 .002 .004 .003 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .003 .020 .100 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
65083 active, 453 inactive, 51471635 added
56909640 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 6475 0.0 14 46 0.0 6.5 32.6
TCP-FTP 9038 0.0 3 50 0.0 4.8 29.5
TCP-FTPD 87 0.0 71 141 0.0 26.6 33.6
TCP-WWW 25225793 5.8 26 182 153.2 8.7 29.8
TCP-SMTP 1735379 0.4 7 105 2.8 6.6 29.4
TCP-X 4100 0.0 2 76 0.0 1.1 23.2
TCP-BGP 392 0.0 17 78 0.0 48.9 18.5
TCP-NNTP 3 0.0 5 53 0.0 0.8 32.1
TCP-Frag 1 0.0 16 76 0.0 39.8 37.1
TCP-other 11097259 2.5 17 233 45.5 10.4 29.4
UDP-DNS 4858114 1.1 1 71 1.2 0.4 35.4
UDP-NTP 24906 0.0 1 75 0.0 5.6 34.2
UDP-TFTP 11 0.0 1 171 0.0 2.8 35.2
UDP-Frag 943 0.0 184 700 0.0 61.8 22.7
UDP-other 8283620 1.9 10 201 20.8 4.5 33.2
ICMP 157253 0.0 5 195 0.1 9.5 30.8
IPv6INIP 3071 0.0 5 121 0.0 14.1 26.1
GRE 103 0.0 3727 107 0.0 246.4 16.0
IP-other 1 0.0 1 68 0.0 0.0 20.4
Total: 51406549 11.9 18 192 224.0 7.5 30.8
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/1 192.168.0.4 Gi0/3.11 71.76.201.81 06 F0D4 E124 1
Gi0/1 192.168.1.8 Gi0/3.11 92.123.137.177 06 C1AB 01BB 1
Gi0/1 192.168.0.2 Gi0/3.11 99.192.50.42 06 C56D 6F8F 1
Gi0/1 192.168.1.2 Gi0/3.11 94.245.117.47 06 C1C0 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 94.245.117.47 06 C1C1 0050 1
Gi0/1 192.168.0.5 Gi0/3.11 94.245.117.47 06 C241 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 74.125.132.104 06 C18D 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 74.125.132.104 06 C18E 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 94.245.121.179 06 C1E3 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 94.245.121.179 06 C1E4 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 173.203.98.230 06 C1A5 0050 6
Gi0/1 192.168.0.3 Gi0/3.11 173.194.78.106 06 EB71 01BB 1
Gi0/1 192.168.1.2 Gi0/3.11 173.236.52.21 06 C193 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 173.236.52.21 06 C192 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 173.236.52.21 06 C194 0050 1
Gi0/1 192.168.1.4 Gi0/3.11 207.210.99.42 06 0E23 0050 1
Gi0/1 192.168.1.4 Gi0/3.11 207.210.99.42 06 0E20 0050 1
Gi0/1 192.168.1.4 Gi0/3.11 207.210.99.42 06 0E21 0050 1
Gi0/1 192.168.0.3 Gi0/3.11 67.222.111.118 06 E53E 01BB 1
Gi0/1 192.168.1.4 Gi0/3.11 23.21.161.142 06 0E2B 0050 1
Gi0/1 192.168.1.4 Gi0/3.11 69.171.228.70 06 10E0 0050 1
Gi0/1 192.168.1.4 Gi0/3.11 69.171.228.70 06 10DF 0050 1
Gi0/1 192.168.0.5 Gi0/3.11 212.143.22.63 06 C04B 0050 3
Gi0/1 192.168.1.2 Gi0/3.11 92.123.139.139 06 C20E 0050 1
Gi0/1 192.168.1.2 Gi0/3.11 92.123.139.139 06 C20F 0050 1
I need only one thing now:
I want to estimate the BW that is being dissipated as these private IPs enter interface Gi0/1.
Another question: how are these IPs created? I just give my customers public IPs, so how were those IPs created?
Regards
09-22-2012 10:04 AM
I don't see that there is an option with netflow to see real-time bandwidth usage. However, with the netflow top-talkers feature I remember that one can sort using the 'no of packets' or 'no of bytes', which could give us some idea.
However, now that we know that there is private IP traffic being received, you can either
- use an access-list to block this traffic to avoid unwanted BW utilization (or)
- track the host sending the traffic by checking the devices one by one for any ARP entries for the 192.168. subnets.
Once you find the router having ARP entries for this, you should be able to easily track down the host connected to some switch.
Let me know how this goes.
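As an added example that is not part of this thread, a Python script that parses the flow table printed by 'show ip cache flow' (the column layout posted above) and totals packets per RFC 1918 source entering Gi0/1, the sort-by-packets view this reply describes; the sample lines are constructed in that format, and the interface name Gi0/1 is taken from the posted output.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges, checked explicitly rather than via ip_address.is_private,
# which also flags documentation/test ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of the flow table printed by 'show ip cache flow'
# (columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts); not real data.
SAMPLE = """\
SrcIf  SrcIPaddress  DstIf     DstIPaddress    Pr SrcP DstP Pkts
Gi0/1  192.168.1.2   Gi0/3.11  94.245.117.47   06 C1C0 0050 1
Gi0/1  192.168.1.2   Gi0/3.11  173.203.98.230  06 C1A5 0050 6
Gi0/1  192.168.0.5   Gi0/3.11  212.143.22.63   06 C04B 0050 3
Gi0/1  198.51.100.7  Gi0/3.11  74.125.132.104  06 C18D 0050 12
Gi0/2  10.0.0.9      Gi0/3.11  92.123.139.139  11 0035 C20E 2
"""

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_flows(text):
    """Return one dict per flow line; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[7].isdigit():
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = parts
        flows.append({"src_if": src_if, "src": ipaddress.ip_address(src),
                      "dst_if": dst_if, "dst": ipaddress.ip_address(dst),
                      "proto": int(proto, 16),  # Pr column is hex: 06 = TCP, 11 = UDP
                      "sport": int(sport, 16), "dport": int(dport, 16), "pkts": int(pkts)})
    return flows

def private_sources(flows, ingress_if="Gi0/1"):
    """Packets per RFC 1918 source seen entering ingress_if, busiest first."""
    counts = Counter()
    for f in flows:
        if f["src_if"] == ingress_if and is_rfc1918(f["src"]):
            counts[str(f["src"])] += f["pkts"]
    return counts.most_common()

def private_share(flows, ingress_if="Gi0/1"):
    """Fraction of packets entering ingress_if that came from RFC 1918 sources."""
    total = sum(f["pkts"] for f in flows if f["src_if"] == ingress_if)
    priv = sum(f["pkts"] for f in flows if f["src_if"] == ingress_if and is_rfc1918(f["src"]))
    return priv / total if total else 0.0

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print(private_sources(flows), f"{private_share(flows):.0%} of Gi0/1 packets")
```

To use it on a real capture, paste the flow lines of 'show ip cache flow' into SAMPLE (or read them from a file); the packet counts are per flow-cache entry, so run it against a full cache dump rather than the 200-entry top-talkers view.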
09-22-2012 10:50 AM
Please look at the route map; as you see, the last clause of the route map has a lot of matches!
Isn't my idea right?
You didn't answer me; could these IPs be from VPN or something like Hotspot Shield programs?
I will try to find the cache and give you a reply.
Regards
09-23-2012 07:57 AM
Comments inline
Ahmed M Alzaeem wrote:
Please look at the route map; as you see, the last clause of the route map has a lot of matches!
Isn't my idea right?
You didn't answer me; could these IPs be from VPN or something like Hotspot Shield programs?
>>>>>>> Seriously, I don't have an answer for this. You will have more idea about your environment and can get some idea about what could cause this. But you can identify the hosts sending the traffic by the method I suggested. Were you able to find anything?
I will try to find the cache and give you a reply.
Regards