Dec 28

What do RITE and the v4 CCIE blueprint have in common? Section 10.04 :) If you are new to RITE, or would like to know more about it, read on.

Router IP Traffic Export (RITE) allows the forwarding of unaltered IP packets from a router interface to memory or to a specific MAC address on a locally attached network. A likely candidate is the MAC address of a network analyzer or Intrusion Detection System.

As an example, let's configure RITE on R2. Setting it up is simple: we first create a profile, then apply that profile to an interface. But what if we don’t want to export all of the traffic? No problem. We can also filter to specify exactly which traffic should be captured and exported, and we can even export only a smaller sample of the overall traffic flow if desired.

In this example, we will create an access-list that matches only traffic sourced from R5’s loopback 0 address, 150.1.5.5.

R2:

ip access-list extended FROM-R5
 permit ip host 150.1.5.5 any

Next, let's create a simple profile (we will call this one “R5”) and specify the interface to which we will export the packets, as well as the destination MAC address, which must be locally reachable by R2. We will also use the access-list to filter what may be captured, and set a sampling rate of 1 in every 5 packets (20%).

R2:

ip traffic-export profile R5
  interface FastEthernet0/0
  incoming access-list FROM-R5
  mac-address 0123.4567.89ab
  incoming sample one-in-every 5
  exit

Next we will apply the profile to the interface which will be receiving the packets sourced from R5 loopback 0.

R2:

interface Serial0/0
 ip traffic-export apply R5

Turning on debugging will help us see the activity behind the scenes.

R2:

debug ip traffic-export events

Next, we generate some traffic, sourced from R5 loopback 0. This traffic does pass through the serial 0/0 interface of R2.

R5:

R5#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            136.1.45.5      YES NVRAM  up                    up
Serial0/1                  unassigned      YES NVRAM  administratively down down
Loopback0                  150.1.5.5       YES NVRAM  up                    up      

R5#
R5#ping 150.1.2.2 repeat 50 source loopback 0

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 4/12/32 ms
R5#

Back to R2, to see the results of the debug.

R2#RITE: exported input packet # 1
RITE: exported input packet # 2
RITE: exported input packet # 3
RITE: exported input packet # 4
RITE: exported input packet # 5
RITE: exported input packet # 6
RITE: exported input packet # 7
RITE: exported input packet # 8
RITE: exported input packet # 9
RITE: exported input packet # 10

R2#

Now let's look at some of the statistics.

R2#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface		Serial0/0
	Export Interface		FastEthernet0/0
	Destination MAC address 0123.4567.89ab
	bi-directional traffic export is off
Input IP Traffic Export Information	Packets/Bytes Exported    10/1000
	Packets Dropped           43
	Sampling Rate             one-in-every 5 packets
	Access List        FROM-R5 [named extended IP]
	Profile R5 is Active
R2#

Out of the 50 pings, 10 were exported, as dictated by the 1-in-5 sampling in the profile we created. The dropped counter reflects packets that were not exported: 40 from R5 that the sampler skipped, and 3 other packets that did not match the ACL in the profile.
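
As an added example (not part of the original post, and not a Cisco tool), the Python sketch below parses the `show ip traffic-export` output shown above and reconciles its counters against the 50 pings that were sent. The names `parse_rite` and `reconcile` are introduced here, and the check assumes the sampler exports exactly one packet per full group of N matching packets.

```python
import re

# Sample input: the "show ip traffic-export" output from R2 above (tabs as spaces).
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface         Serial0/0
    Export Interface        FastEthernet0/0
    Destination MAC address 0123.4567.89ab
    bi-directional traffic export is off
Input IP Traffic Export Information  Packets/Bytes Exported    10/1000
    Packets Dropped           43
    Sampling Rate             one-in-every 5 packets
    Access List        FROM-R5 [named extended IP]
    Profile R5 is Active
"""

# One regex per field; a field missing from the output parses as None.
FIELDS = {
    "export_if": r"Export Interface\s+(\S+)",
    "dst_mac": r"Destination MAC address\s+([0-9a-fA-F.]+)",
    "exported": r"Packets/Bytes Exported\s+(\d+)/\d+",
    "dropped": r"Packets Dropped\s+(\d+)",
    "sample_n": r"Sampling Rate\s+one-in-every\s+(\d+)",
    "acl": r"Access List\s+(\S+)\s+\[",
    "profile": r"Profile\s+(\S+)\s+is\s+Active",
}
NUMERIC = {"exported", "dropped", "sample_n"}

def parse_rite(text):
    """Return the input-direction settings and counters as a dict."""
    stats = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        value = m.group(1) if m else None
        stats[key] = int(value) if value and key in NUMERIC else value
    return stats

def reconcile(stats, matched_sent):
    """Check the counters against 1-in-N sampling of matched_sent ACL-matching packets."""
    n = stats["sample_n"] or 1
    expected = matched_sent // n  # assumption: one export per full group of N
    sampled_out = matched_sent - expected
    return {
        "export_ok": stats["exported"] == expected,
        "sampled_out": sampled_out,                     # matched the ACL, skipped by sampler
        "other_drops": stats["dropped"] - sampled_out,  # everything else counted as dropped
        "sensor_coverage": 1 / n,                       # share of matched traffic the IDS sees
        "active": stats["profile"] is not None,
    }
```

For the walkthrough's numbers, `reconcile(parse_rite(SAMPLE), 50)` accounts for the 43 drops as 40 sampled-out packets plus 3 others, and reports a sensor coverage of 0.2: with this profile the analyzer or IDS sees one in five of the matching packets.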

Keep up the great studies, and good luck!



20 Responses to “The RITE Stuff, CCIE 10.04”

 
  1. Net_OG says:

    Thanks.

    Where is this documented in the Config Guide?

    I found this: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

    I know I cannot count on that being available when I sit for the exam, but I could not find it after a quick search….. (wait a sec)

    Okay instead of being Lazy I used the master index: http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i3.html#wp1059026

  2. Net_OG says:

    ooops, thanks Keith Barker! I really appreciate the post.

  3. Net_OG says:

    One last thing….

    why not use SPAN? I think that is a key concept to differentiate RITE from wrong…. ‘er SPAN.

    I will let you cover that… Master-san

  4. Razvan says:

    Thanks Keith! I think this would be good for the security track as well..

  5. Youssef says:

    Thanks Keith for this intro of RITE.

    Net_OG, you can find it in the config guide under security-> Securing User Services:

    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_ip_traff_export_ps6441_TSD_Products_Configuration_Guide_Chapter.html

    HTH

  6. routsec says:

    Hi Keith,

    This is very good material. Keep up the good work.

  7. sys says:

    I guess that the main difference with SPAN is that you can copy the Serial interface (IP) traffic :)

  8. @Net_OG: I can see a few benefits to RITE:

    1) there’s no such thing as SPAN on a router :-)

    2) using an ACL to closely define what traffic gets mirrored would be very useful on a high-bandwidth link if (for example) you’re only wanting to monitor certain traffic with your IPS.

  9. Andrew Dempsey says:

    Real world maybe you don’t have access login or otherwise to the switches or they don’t support span. Maybe they are non Cisco gasp. Also could be you want to capture the traffic at the router as that is the place in the traffic flow you wish to troubleshoot.

  10. CiscoGeek says:

    hi,
    This is really good, but in our network my IPS or IDS device is connected to a switch, and the switch doesn’t learn the MAC address of the device, so in that case it may be very dangerous to the network.
    Maybe a static MAC entry on the port where the device is connected would be very good to have.

    thanks
    Cisco Geek

  11. ned says:

    Nice article, thx. Are there any more details? For example, typically sniffers do not advertise a MAC address, so how would this feature work in that case? Usually sniffer interfaces are in promiscuous mode, which means that they listen to any traffic on the segment; however, the traffic needs to be sent to them, which usually is only broadcast traffic. Will that make a difference?

  12. I've never seen this before and am trying to understand when/why to use RITE. Isn't this almost the same as SPAN (monitor session)? Or what's the difference? Can I use either SPAN or RITE with a sniffer like Wireshark?

  13. But since the destination is a mac-address (rather than a destination if/vlan as when using span), does that mean that all packets are modified with a new destination l2-address?

  14. Net_OG says:

    @Jimmy Larsson SPAN does not exist on the Routing platforms. That is the key difference between RITE and SPAN.

  15. Jalakam Pradeep says:

    hi Keith Barker,

    Really it is a very good post. I have a confusion in this, as you were pinging 50 packets and all the packets were successful without any drop. Is the packet being exported to fa0/0 a copy of the ping (once in every 5)?
    Thanks 4 ur reply in advance.

  16. Christian Biasibetti says:

    Thank you Keith, a drop in the sea … but fresh water! Very nice, thanks again

  17. Mario Ruiz says:

    It is my understanding that RITE will be used on a router and SPAN and its variations on switches. I also believe a key difference is that the router will export IP packets from various/multiple LAN/WAN interfaces to a VLAN/LAN. Beyond this, how is this useful in the real world?

  18. Juan says:

    Great post Keith! Thanks a lot for the excellent material!

  19. Paulo Roque says:

    There is another similar and better (in my opinion) feature in IOS 12.4(20)T.
    It’s called EPC (Embedded Packet Capture). It’s not included in the Lab blueprint, but it is better than RITE for troubleshooting, although RITE is better suited to traffic accounting or IPS applications.
    It permits storing packets in the more standard pcap format locally in a user-defined buffer. The buffer can be examined locally or even exported to any remote IP location (contrast this with the local-MAC-address-only option of RITE) via tftp, ftp, http, etc. It’s also easier to start and stop the capture (no config modification required).
    Here is a very complete, good reference:
    http://ccie-in-3-months.blogspot.com/2008/07/embedded-packet-capture-how-to-make.html

 
