Saturday, February 22, 2020

Router IP Traffic Export (RITE)

Router IP Traffic Export (RITE), also known as IP Traffic Export, exports IP packets to an interface or VLAN of your choice. This is very useful when you have an IDS (Intrusion Detection System) and want to inspect your traffic.
RITE is similar to SPAN on the Cisco Catalyst Switches. In this tutorial I will explain how to configure RITE so you can export your IP packets.
This is the topology I will use:
[Figure: Cisco RITE configuration example lab]
At the bottom we have a router that will simulate a client device that is accessing the Internet. On the right side you see a router called “IDS” which simulates our Intrusion Detection System. Whenever the client accesses the Internet, the router in the middle called “RITE” will export the IP packets towards the IDS. Let’s start with the configuration.

Configuration

When you configure Router IP Traffic Export you have to specify a name:
RITE(config)#ip traffic-export profile MY_RITE
RITE(conf-rite)#
This takes you to the main RITE configuration. There are a couple of options here:
RITE(conf-rite)#?
IP traffic export profile configuration commands
  bidirectional  Enable bidirectional traffic export
  exit           Exit from ip traffic export profile sub mode
  incoming       Configure incoming IP traffic export
  interface      Specify outgoing interface for exporting traffic
  mac-address    Specify ethernet address of destination host
  no             Negate or set default values of a command
  outgoing       Configure outgoing IP traffic export
First I will specify the interface to which we want to export the IP packets. This will be FastEthernet 0/1, which is connected to the IDS:
RITE(conf-rite)#interface fastEthernet 0/1
If there are multiple devices behind the outgoing interface then you should configure a destination MAC address. We’ll have to check the MAC address of the IDS first:
IDS#show interfaces fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up 
  Hardware is Gt96k FE, address is c204.3bcc.0000
And we’ll configure it in the RITE configuration:
RITE(conf-rite)#mac-address c204.3bcc.0000
You can choose if you want to export inbound, outbound or both directions…I’ll pick both:
RITE(conf-rite)#bidirectional
Instead of copying all IP packets we can also configure sampling. This means that you will only export 1 out of every X packets. Here’s an example:
RITE(conf-rite)#incoming sample one-in-every 5
RITE(conf-rite)#outgoing sample one-in-every 5
Only 1 out of 5 IP packets will now be exported. The configuration is ready but we still have to apply the RITE profile to the interface where we want to capture traffic:
RITE(config)#interface FastEthernet 1/0
RITE(config-if)#ip traffic-export apply MY_RITE
This will capture traffic from the interface that is connected to the client. On your console you’ll see something like this:
RITE#
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet1/0
That’s all there is to it. Only thing left to do is verify if it’s working…

Verification

To test RITE I’ll enable a debug on the IDS router so we can see all incoming packets:
IDS#debug ip packet 
IP packet debugging is on
Now we’ll generate some packets from the client and if everything is configured correctly, some of these packets will be forwarded to the IDS router:
CLIENT#ping networklessons.com repeat 20

Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 95.85.36.216, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20), round-trip min/avg/max = 8/14/28 ms
This is what we see on the IDS router:
IDS#
IP: s=192.168.12.2 (FastEthernet1/0), d=95.85.36.216, len 100, unroutable
Above you see an IP packet from the client towards the Internet that was forwarded to the IDS. Another method to verify our work is to use a show command on the router that is configured for RITE:
RITE#show ip traffic-export 
Router IP Traffic Export Parameters
Monitored Interface  FastEthernet1/0
 Export Interface  FastEthernet0/1
 Destination MAC address c204.3bcc.0000
 bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported    3/300
 Packets Dropped           16
 Sampling Rate             one-in-every 5 packets
 No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported    4/400
 Packets Dropped           16
 Sampling Rate             one-in-every 5 packets
 No Access List configured
 Profile MY_RITE is Active
Here you can see that some packets have been forwarded. That’s all there is to it! The final configurations of the three routers are listed below:
hostname CLIENT
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
end
hostname IDS
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
!
end
hostname RITE
!
ip traffic-export profile MY_RITE
  interface FastEthernet0/1
  bidirectional
  mac-address c204.3bcc.0000
  incoming sample one-in-every 5
  outgoing sample one-in-every 5
!
ip cef
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 ip traffic-export apply MY_RITE
!
end
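A small parser for the `show ip traffic-export` output from the Verification section, added here as an example (it is not part of the original tutorial or of any Cisco tooling). It flags an inactive profile and reports how much of each direction actually reaches the IDS when sampling is on; treating exported plus dropped as the total seen by the profile is an assumption, consistent with the counters above (4 + 16 = 20 pings).

```python
import re
# Output copied from the "show ip traffic-export" listing on this page.
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface  FastEthernet1/0
 Export Interface  FastEthernet0/1
 Destination MAC address c204.3bcc.0000
 bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported    3/300
 Packets Dropped           16
 Sampling Rate             one-in-every 5 packets
 No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported    4/400
 Packets Dropped           16
 Sampling Rate             one-in-every 5 packets
 No Access List configured
 Profile MY_RITE is Active
"""

def parse_rite(text):
    """Parse 'show ip traffic-export' text into per-direction counters."""
    info = {"directions": {}, "profile": None, "active": False}
    current = None  # counters of the Input/Output block being read
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(Input|Output) IP Traffic Export Information.*?(\d+)/(\d+)$", line):
            current = info["directions"].setdefault(m[1].lower(), {})
            current["packets"], current["bytes"] = int(m[2]), int(m[3])
        elif (m := re.match(r"Packets Dropped\s+(\d+)$", line)) and current is not None:
            current["dropped"] = int(m[1])
        elif (m := re.match(r"Sampling Rate\s+one-in-every (\d+) packets$", line)) and current is not None:
            current["sample_n"] = int(m[1])
        elif m := re.match(r"Profile (\S+) is (\S+)$", line):
            info["profile"], info["active"] = m[1], m[2] == "Active"
    return info

def coverage_findings(info):
    """Return warnings about anything that leaves the IDS with partial visibility."""
    findings = []
    if not info["active"]:
        findings.append("profile is not active")
    for name, d in info["directions"].items():
        if d.get("sample_n", 1) > 1:
            # Assumption: exported + dropped = packets seen by the profile.
            seen = d["packets"] / max(d["packets"] + d.get("dropped", 0), 1)
            findings.append(f"{name}: sampled 1-in-{d['sample_n']}, {seen:.0%} exported")
    return findings

if __name__ == "__main__":
    print("\n".join(coverage_findings(parse_rite(SAMPLE))))
```

With the sampling lines removed from the profile, every packet is exported and the per-direction findings disappear.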
I hope that this tutorial has been useful to you. If you enjoyed it please share it with your colleagues or leave a comment.
