Monitoring data passing through a Cisco router
#1
Can one monitor the data content passing through a Cisco router much in the same way you'd SPAN a port on a Cisco switch?
If so, how is this done? Just a high-level outline will be fine.
Cheers!
#6
NetFlow is used mainly, as it implies, for monitoring flows. Source/Destination and Bandwidth. Often by Subnet rather than host addresses - for example for monitoring traffic usage between large parts of a company, between ISPs etc.
If you want to look in more detail at individual packets, careful use of debug ip packet and access lists can help. It is extremely easy to overwhelm the router though. Some platforms (e.g. Cat 6K/MSFCs) hardware switch all but the initial packets so the routing engine won't see them. Forcing it to software switch every packet, so they can be inspected, can result in huge performance hits (to the point the network becomes unusable). Of course, on low-use networks you may get what you need this way.
In short, there is no way to "span" a router interface like you would a switch port and copy all packets to a sniffer. If it's a LAN port, the best route is to simply span the source switch port if possible. In-line probes are also available for most LAN types. For true sniffing of a WAN port you'll need either a suitable in-line probe or something like the Agilent Advisor with relevant interfaces. Not cheap, though I believe they can be hired.
Deano
[Edited by dsmith - 6/23/2003 9:45:18 PM]
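The per-subnet flow accounting described in the post above, as an added example that is not part of the original thread: a parser for one NetFlow export datagram that sums bytes per source/destination subnet pair. It assumes the NetFlow v5 record layout (the thread does not name a version), and the sample datagram and addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def subnet(addr: bytes, prefix: int) -> str:
    """Collapse a packed IPv4 address to its enclosing network."""
    host = ipaddress.IPv4Address(addr)
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))

def bytes_by_subnet_pair(datagram: bytes, prefix: int = 24) -> Counter:
    """Sum dOctets per (source subnet, destination subnet) in one v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    totals = Counter()
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst, octets = rec[0], rec[1], rec[6]   # srcaddr, dstaddr, dOctets
        totals[(subnet(src, prefix), subnet(dst, prefix))] += octets
    return totals

def _flow(src: str, dst: str, pkts: int, octets: int, proto: int = 6) -> bytes:
    """Build one constructed flow record (sample data, not a real capture)."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    return RECORD.pack(a(src), a(dst), a("0.0.0.0"), 1, 2, pkts, octets,
                       0, 0, 40000, 443, 0, 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample: three flows between two sites.
SAMPLE_FLOWS = [_flow("10.1.1.10", "10.2.0.5", 10, 1500),
                _flow("10.1.1.99", "10.2.0.7", 4, 600),
                _flow("10.1.2.3", "10.2.0.5", 1, 64)]
SAMPLE = HEADER.pack(5, len(SAMPLE_FLOWS), 0, 0, 0, 0, 0, 0, 0) + b"".join(SAMPLE_FLOWS)

if __name__ == "__main__":
    for (s, d), n in bytes_by_subnet_pair(SAMPLE).most_common():
        print(f"{s:>18} -> {d:<18} {n} bytes")
```

Each record carries addresses, ports, protocol and byte/packet counters only, with no packet payload, so this gives the usage picture but not packet contents.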
#7
or just cheat and shove a hub and crossover cable in?
We do this when having to use our fluke to sniff packets on our routers.. (ok well our networks team do..)
David
#8
or just cheat and shove a hub and crossover cable in?
dsmith -- I'm sure you know, but lots of Cisco boxes fall over due to the performance hit when you attempt to fast switch (route first packet, switch the rest). In fact if you want to get close to rated capacity then dCEF is the only way to do it -- it maintains a separate set of CEF tables that are populated from the routing table. IIRC the only CEF that GSRs do is dCEF.
[Edited by carl - 6/23/2003 11:05:23 PM]
#10
I was indeed generalising fast switching with all other hardware switching types as getting in the way if you're attempting to debug packets.
Cat6k pushes it so far into hardware that SNMP stats for VLAN interfaces are woefully inaccurate.
Deano