In this article we will discuss the Router IP Traffic Export (RITE) feature, which you can configure on Cisco routers to copy packets passing through the router to a remote destination where a network analyser is placed to monitor that traffic.
The exported packets can be fed to a network analyser or an IDS for further inspection or for accounting.
Let’s see the benefits:
- It can be configured on a router.
- It can export traffic received and sent from/to a WAN interface.
- It allows granularity by specifying what type of traffic can be exported and by specifying sampling.
There are a few limitations on how this feature can be used:
- The feature is available only on software-based routers.
- The device to which the traffic is exported must be in the same L2 domain as the device from which the data is exported.
- The interface towards the device to which the data is exported must be Ethernet.
The steps to use the feature are:
- Configure the profile by specifying the MAC address of the device to which the packets will be exported and the interface over which the traffic will be exported.
- Optionally, add granularity by specifying the sampling rate and the type of traffic.
- Apply the profile to the interface from which the traffic will be exported.
So let’s start by taking a look at the topology.
The RITE profile will be attached to interface F0/0 towards PC_1 and we will export packets entering and/or leaving that interface.
We will export the traffic flowing between PC_1 and PC_2:
```
root@PC_1:~# ping -c 5 10.10.12.100
PING 10.10.12.100 (10.10.12.100): 56 data bytes
64 bytes from 10.10.12.100: seq=0 ttl=63 time=18.149 ms
64 bytes from 10.10.12.100: seq=1 ttl=63 time=15.169 ms
64 bytes from 10.10.12.100: seq=2 ttl=63 time=16.266 ms
64 bytes from 10.10.12.100: seq=3 ttl=63 time=20.271 ms
64 bytes from 10.10.12.100: seq=4 ttl=63 time=19.073 ms

--- 10.10.12.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 15.169/17.785/20.271 ms
root@PC_1:~#
```
As mentioned, you will need the MAC address of the device to which the traffic will be exported. The fastest way to find it is to check the ARP table of the router:
```
R1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.11.1              -   ca01.3155.0008  ARPA   FastEthernet0/0
Internet  10.10.11.100            0   0000.abfa.bd00  ARPA   FastEthernet0/0
Internet  10.10.12.1              -   ca01.3155.0006  ARPA   FastEthernet0/1
Internet  10.10.12.100            0   0000.ab25.0800  ARPA   FastEthernet0/1
Internet  10.10.100.1             -   ca01.3155.001c  ARPA   FastEthernet1/0
Internet  10.10.100.100           0   2a9b.7697.5f23  ARPA   FastEthernet1/0
R1#
```
Now, let’s configure RITE. Under the traffic-export profile you specify the interface over which the traffic will be exported and the MAC address to which the exported traffic should be sent. Then you apply the profile to the interface that is being monitored:
```
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip traffic-export profile RITE
R1(conf-rite)#interface FastEthernet1/0
R1(conf-rite)#mac-address 2a9b.7697.5f23
R1(conf-rite)#exit
R1(config)#interface FastEthernet0/0
R1(config-if)#ip traffic-export apply RITE
R1(config-if)#end
*Sep 16 21:00:37.505: %RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet0/0
R1(config-if)#end
R1#
```
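To tie the configuration steps together, here is an added Python helper (not from the article, and not a Cisco tool) that looks the analyser's MAC address up in `show arp` output, as done above, and emits the profile and `apply` lines; the ARP sample is constructed from the values in this article, and `parse_arp`/`rite_config` are names of my own.

```python
import re

# Constructed `show arp` sample in the layout the article shows (R1's table, trimmed).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.11.1              -   ca01.3155.0008  ARPA   FastEthernet0/0
Internet  10.10.11.100            0   0000.abfa.bd00  ARPA   FastEthernet0/0
Internet  10.10.100.1             -   ca01.3155.001c  ARPA   FastEthernet1/0
Internet  10.10.100.100           0   2a9b.7697.5f23  ARPA   FastEthernet1/0
"""

ARP_ROW = re.compile(r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
                     r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)$")

def parse_arp(text):
    """Map IP -> (mac, interface, is_local); an age of '-' marks the router's own addresses."""
    table = {}
    for line in text.splitlines():
        if m := ARP_ROW.match(line.strip()):
            table[m["ip"]] = (m["mac"], m["intf"], m["age"] == "-")
    return table

def rite_config(profile, analyser_ip, monitored_intf, arp, bidirectional=False, acl=None, sample=1):
    """Build the IOS lines for a RITE profile, refusing setups the feature does not support."""
    if analyser_ip not in arp:
        raise ValueError(f"{analyser_ip} is not in the ARP table; ping it so the router learns its MAC")
    mac, export_intf, is_local = arp[analyser_ip]
    # A dynamic ARP entry means the analyser is directly reachable on export_intf,
    # i.e. in the same L2 domain, which is the limitation the article lists.
    if is_local:
        raise ValueError(f"{analyser_ip} is the router's own address, not the analyser")
    if not export_intf.startswith(("Ethernet", "FastEthernet", "GigabitEthernet")):
        raise ValueError(f"export interface {export_intf} is not Ethernet")
    lines = [f"ip traffic-export profile {profile}", f" interface {export_intf}", f" mac-address {mac}"]
    if bidirectional:
        lines.append(" bidirectional")
    if acl is not None:
        lines.append(f" incoming access-list {acl}")
    if sample > 1:
        lines.append(f" incoming sample one-in-every {sample}")
    lines += [f"interface {monitored_intf}", f" ip traffic-export apply {profile}"]
    return lines
```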
Because we didn’t specify the direction of the traffic to be exported, only the incoming (input) direction is monitored by default. This means that we export only five packets, the ICMP requests, because they enter F0/0 in the input direction:
```
R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface                FastEthernet0/0
Export Interface                   FastEthernet1/0
Destination MAC address            2a9b.7697.5f23
bi-directional traffic export is off
Input IP Traffic Export Information
    Packets/Bytes Exported         5/420
    Packets Dropped                0
    Sampling Rate                  one-in-every 1 packets
    No Access List configured
Profile RITE is Active
R1#
```
This can be seen as well in the packet capture taken on the device to which the traffic is exported.
Let’s change the profile to export traffic in both directions; the profile now looks like this:
```
R1#show running-config | section ip traffic-export profile
ip traffic-export profile RITE
 interface FastEthernet1/0
 bidirectional
 mac-address 2a9b.7697.5f23
R1#
```
Again, after a test with five ICMP packets, we can see that we exported five packets in the input direction (the ICMP requests from PC_1 to PC_2) and five packets in the output direction (the ICMP replies from PC_2 to PC_1):
```
R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface                FastEthernet0/0
Export Interface                   FastEthernet1/0
Destination MAC address            2a9b.7697.5f23
bi-directional traffic export is on
Output IP Traffic Export Information
    Packets/Bytes Exported         5/420
    Packets Dropped                0
    Sampling Rate                  one-in-every 1 packets
    No Access List configured
Input IP Traffic Export Information
    Packets/Bytes Exported         5/420
    Packets Dropped                0
    Sampling Rate                  one-in-every 1 packets
    No Access List configured
Profile RITE is Active
R1#
```
This can again be seen in the packet capture taken on the network analyser host.
Now, let’s be more restrictive. We can use RITE to export samples from specific types of traffic.
In this case we want to export only one packet out of five ICMP packets sent from PC_1 to PC_2.
For this, we will create an access-list that will match the ICMP traffic sent from PC_1 to PC_2:
```
R1#show ip access-lists
Extended IP access list 101
    10 permit icmp host 10.10.11.100 host 10.10.12.100
R1#
```
Then we reference it in the profile configuration, together with the sampling rate:
```
R1(config)#ip traffic-export profile RITE
R1(conf-rite)#incoming access-list 101
R1(conf-rite)#incoming sample one-in-every 5
R1(conf-rite)#end
R1#
```
Let’s send ten ICMP packets from PC_1 to PC_2:
```
root@PC_1:~# ping -c 10 10.10.12.100
PING 10.10.12.100 (10.10.12.100): 56 data bytes
64 bytes from 10.10.12.100: seq=0 ttl=63 time=82.652 ms
64 bytes from 10.10.12.100: seq=1 ttl=63 time=15.164 ms
64 bytes from 10.10.12.100: seq=2 ttl=63 time=14.273 ms
64 bytes from 10.10.12.100: seq=3 ttl=63 time=17.044 ms
64 bytes from 10.10.12.100: seq=4 ttl=63 time=16.289 ms
64 bytes from 10.10.12.100: seq=5 ttl=63 time=13.240 ms
64 bytes from 10.10.12.100: seq=6 ttl=63 time=20.225 ms
64 bytes from 10.10.12.100: seq=7 ttl=63 time=17.190 ms
64 bytes from 10.10.12.100: seq=8 ttl=63 time=22.091 ms
64 bytes from 10.10.12.100: seq=9 ttl=63 time=15.391 ms

--- 10.10.12.100 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 13.240/23.355/82.652 ms
root@PC_1:~#
```
And then connect through SSH from PC_1 to PC_2:
```
root@PC_1:~# ssh root@10.10.12.100
root@10.10.12.100's password:
root@PC_2:~#
```
Based on our new profile configuration, we should see only two ICMP packets (the two ICMP requests from PC_1 to PC_2). The access-list has two matches:
```
R1#show ip access-lists
Extended IP access list 101
    10 permit icmp host 10.10.11.100 host 10.10.12.100 (2 matches)
R1#
```
And the stats show that we exported only two packets and dropped another 30. The dropped packets are the other 8 ICMP requests, the 10 ICMP replies and the SSH packets:
```
R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface                FastEthernet0/0
Export Interface                   FastEthernet1/0
Destination MAC address            2a9b.7697.5f23
bi-directional traffic export is off
Input IP Traffic Export Information
    Packets/Bytes Exported         2/168
    Packets Dropped                30
    Sampling Rate                  one-in-every 5 packets
    Access List                    101 [extended IP]
Profile RITE is Active
R1#
```
Checking the packet capture on the network analyser, we see only the two ICMP packets, as expected.
You can enable debugging to see each packet as it is exported. This was enabled during the previous test:
```
R1#debug ip traffic-export events
IP Traffic Export Events debugging is on
R1#
R1#RITE: exported input packet # 1
R1#RITE: exported input packet # 2
R1#
```
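As an added example (not part of the article), the following Python parses `show ip traffic-export` output like the one above into counters and runs the checks I would apply after enabling a profile: the profile is active, the destination MAC is the analyser's, and nothing is being dropped when no ACL or sampling could explain it. The sample text is constructed from the article's output; `parse_traffic_export` and `export_findings` are my own names.

```python
import re

# Constructed sample, modelled on the article's final `show ip traffic-export` output.
SHOW_TRAFFIC_EXPORT = """\
Monitored Interface                FastEthernet0/0
Export Interface                   FastEthernet1/0
Destination MAC address            2a9b.7697.5f23
bi-directional traffic export is off
Input IP Traffic Export Information
    Packets/Bytes Exported         2/168
    Packets Dropped                30
    Sampling Rate                  one-in-every 5 packets
    Access List                    101 [extended IP]
Profile RITE is Active
"""

# Profile-wide fields and per-direction counters; each regex captures one value.
TOP_FIELDS = {"monitored": r"Monitored Interface\s+(\S+)", "export": r"Export Interface\s+(\S+)",
              "mac": r"Destination MAC address\s+(\S+)", "active": r"Profile \S+ is (\S+)",
              "bidirectional": r"bi-directional traffic export is (\S+)"}
DIR_FIELDS = {"packets": r"Packets/Bytes Exported\s+(\d+)/", "dropped": r"Packets Dropped\s+(\d+)",
              "sample": r"Sampling Rate\s+one-in-every (\d+)", "acl": r"Access List\s+(\d+)"}

def parse_traffic_export(text):
    # Returns profile fields plus one counter dict per direction ("input"/"output").
    info, cur = {"directions": {}}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(Input|Output) IP Traffic Export Information", line):
            cur = info["directions"].setdefault(m[1].lower(), {"acl": None})  # "No Access List" keeps None
            continue
        for key, pat in TOP_FIELDS.items():
            if m := re.match(pat, line):
                info[key] = m[1]
        for key, pat in DIR_FIELDS.items():
            if m := re.match(pat, line):
                cur[key] = m[1] if key == "acl" else int(m[1])
    info["bidirectional"] = info.get("bidirectional") == "on"
    info["active"] = info.get("active") == "Active"
    return info

def export_findings(info, expected_mac):
    # Post-apply checks; an empty list means the export looks healthy.
    out = []
    if not info["active"]:
        out.append("profile is not active on the monitored interface")
    if info.get("mac") != expected_mac:
        out.append(f"destination MAC {info.get('mac')} is not the analyser's {expected_mac}")
    for name, d in info["directions"].items():
        if d.get("dropped", 0) and d.get("sample", 1) == 1 and d["acl"] is None:
            out.append(f"{name}: {d['dropped']} packets dropped with no ACL or sampling configured")
    return out
```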
And this is almost everything about the Router IP Traffic Export feature.
In this article we discussed the utility of the feature, how to configure it and how to check the statistics to see if it’s working properly or not.