There are so many hosts on this LAN that it really wouldn't be practable to look at all the hosts. We are try get rid of a router that is providing a gateway for some hosts. This router used to be the incoming interface from our other sites, and for some reason, many years ago, people configured devices, mostly printers, with this as their gateway. It is in the same subnet of our largest LAN - a /22 mask. We could just turn it off and wait for calls but, this probably wouldn't be the most responsible. As far as an access-list is be concerned, could you provide a sample?

Thanks, Pat.

Hi,

let's say using

access-list 100 permit ip any any log-input

applied as inbound on your router LAN interface.

It might log any incoming packet with the source IP address to your router syslog.

If doesn't work, it would even be possible to create an ACL with host entries per each suspicious host.

Like

access-list 10 permit host 10.1.0.1

access-list 10 permit host 10.1.0.2

...

access-list 10 permit host 10.1.3.254

access-list 10 permit any

for a case of your LAN using 10.1.0.0/22 subnet, e.g.

Sh access-list 10 would then display matching numbers for each host address.

Or some more sophisticated combination of both based on your LAN knowlegde (I moght be sure some IP ranges are not used, e.g.).

HTH,

Milan

Thanks Milan I wil give it a shot.

Milan,

If I do the later access-list, that would be a lot of typing. But, if I were to do it, would an access-list of that size be taxing on the router and slow traffic down?

Also, would the "show access-list 10' show the hits of devices that are using .9 as their gateway, even if most of them are printers and they won't be doing any arp requests themselves or sending any data to other VLANs?

If I use the former access-list, which seems a little more elegant, what commands would I need to get the logged info to a location. At the momnt our equipment is configured just as logging ip address. The ip address is our Solarwinds server. Would that be enough and what severity do I need to set the logging to to get the access-lists hits?

Thanks, Pat.

Hi Patric,

well, 1000 lines for a /22 subnet.

It could be generated by some script though?

I'm not sure what's the maximum number of an ACL entries supported by particular router models.

Of course, if the devices are not sending any data, no ACL can help. But no chance to identify such a device on the router definitely!

On the other hand, the former ACL would fill your syslog with a message for each packet received by the router, so I'd be afraid of overloading your router CPU in a case of many devices matching the ACL.

So far I understood there were only some remains of old devices, i.e., just several of them possibly?

If not, I'd be careful and test in your lab first!

If it might be many devices, I'd either try the later ACL with several host entries only (plus permit ip any any in the end) and after identifying/changing the devices I'd continue with another subset of host entries.

Or there might be a totaly diffrerent idea used:

What about configuring a SPAN port on a switch to which your router is connected to and mirror all traffic sent to the router from your LAN to another port on the switch? Connecting a PC with Wireshark running would give you an opportunity to indetify all PCs sending data to the router without disturbing your router/LAN/Syslog server at all.

BR,

Milan