Extracting source and destination IP address for all packets tagged as AF3xx

Hi guys,

Is there a way to determine the source and destination address (and, if possible, the port as well) for all packets tagged as AF3XX?

Problem: I am seeing that on my production router there's AF3XX being received, but I don't know where it is coming from, especially what the IP addresses of those packets are. This is a problem for me because it consumes my bandwidth. I checked all my routers and config and there's marking of AF3xx on all of my routers.

Can you guys help me out with how to decipher this problem? Is there a way on the router to isolate this problem and the IP address?

Kind Regards

Comments

  • If you have one central router you can use netflow export and then e.g. netflow analyzer to see which source-host pair is matched to AF3X. Of course you can export from all your edge routers also, but if you have plenty of them, it may become quite time consuming to configure them all to export netflow info.

    If you use access-lists to match traffic to be marked with AF3X on the edge, you can of course use the logging option with the ACL.

     

  • Jent,

    Actually I don't need to create a separate class-map for AF3xx because, as I said before, I can see on my router that it is matching the AF3xx traffic. My only problem is identifying the source and destination addresses of those packets that match the AF3xx tag. Matching AF3xx will give me an any any match, and the problem is how can I identify the source and destination from those packets?

    Renan

     

  • Well, you could use a sniffer/filter to help with this....

    Or

    access-list 101 permit ip any any dscp 26 log
    access-list 101 permit ip any any dscp 28 log
    access-list 101 permit ip any any dscp 30 log
    access-list 101 permit ip any any

    Apply it to an inbound interface now.  Not impeding traffic flow, but logging matches.

    Or, leave off the last line of the ACL but use it for "debug ip packet 101 detail" for live.






     



    Scott Morris, CCIEx4
    (R&S/ISP-Dial/Security/Service Provider) #4713,

    JNCIE-M #153, JNCIS-ER, CISSP, et al.

    CCSI #21903, JNCI-M, JNCI-ER

    [email protected]



    Internetwork Expert, Inc.

    http://www.InternetworkExpert.com

    Toll Free: 877-224-8987

    Outside US: 775-826-4344



    Knowledge is power.

    Power corrupts.

    Study hard and be Eeeeviiiil......







  • Thanks Scott,

       that does the trick..
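Added example, not part of the original thread: once the logging ACL suggested above (DSCP 26, 28 and 30 are AF31, AF32 and AF33) is applied, the router emits `%SEC-6-IPACCESSLOG*` syslog messages, and this script totals them per flow to show which source/destination/port combinations carry the AF3x traffic. The sample log lines and addresses are constructed, and the function name `af3x_talkers` is hypothetical. Because IOS logs the first match and then periodic summaries, the packet totals are approximate.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the IOS ACL-log format (addresses are made up).
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.5(16384) -> 10.2.2.9(16390), 1 packet
Mar  1 10:00:07: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.3.20(51544) -> 10.2.2.40(1720), 1 packet
Mar  1 10:05:01: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.5(16384) -> 10.2.2.9(16390), 412 packets
Mar  1 10:05:02: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.1.7.7 -> 10.2.2.1 (8/0), 3 packets
Mar  1 10:05:09: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.9.9.9(4000) -> 10.2.2.40(80), 50 packets
Mar  1 10:05:10: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

# list <acl> permitted|denied <proto> <src>[(<sport>)] -> <dst>[(<dport>)] ..., <n> packet(s)
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?:permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)

def af3x_talkers(log_text, acl="101"):
    """Sum logged packet counts per (proto, src, sport, dst, dport) for one ACL."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl:
            continue  # not an ACL-log line, or a different access list
        # Ports are None for protocols that have none (e.g. ICMP).
        key = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        flows[key] += int(m["count"])
    return flows.most_common()  # heaviest flows first

if __name__ == "__main__":
    for (proto, src, sport, dst, dport), pkts in af3x_talkers(SAMPLE_LOG):
        print(f"{pkts:>8}  {proto:<5} {src}:{sport or '-'} -> {dst}:{dport or '-'}")
```

The log message itself does not carry the DSCP value, so the attribution to AF3x relies on only the three DSCP entries of ACL 101 having `log` set.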

     
