The RITE Stuff, CCIE 10.04
What do RITE and the v4 CCIE blueprint have in common? Section 10.04 :) If you are new to RITE, or would like to know more about it, read on.
Router IP Traffic Export (RITE) allows the forwarding of unaltered IP packets from a router interface to memory or to a specific MAC address on a locally attached network. A likely candidate is the MAC address of a network analyzer or Intrusion Detection System.
As an example, let's configure RITE on R2. Setting it up is simple. We first create a profile, and then apply that profile to an interface. But what if we don't want to export all of the traffic? No problem. We can also filter to specify exactly which traffic should be captured and exported, and we can even export only a sample of the overall traffic flow if desired.
In this example, we will create an access-list that only matches traffic sourced from R5's loopback 0 address of 150.1.5.5.
R2:
ip access-list extended FROM-R5
permit ip host 150.1.5.5 any
Next let's create a simple profile (we will call this one "R5"), and specify the interface out of which the packets will be exported, as well as the destination MAC address, which must be locally reachable by R2 on that interface. We will also use the access-list to filter what may be captured, and set a sampling rate of 1 in every 5 packets (20%).
R2:
ip traffic-export profile R5
interface FastEthernet0/0
incoming access-list FROM-R5
mac-address 0123.4567.89ab
incoming sample one-in-every 5
exit
Next we will apply the profile to the interface which will be receiving the packets sourced from R5 loopback 0.
R2:
interface Serial0/0
ip traffic-export apply R5
Turning on debugging will assist in seeing the activity behind the scenes.
R2:
debug ip traffic-export events
Next, we generate some traffic, sourced from R5 loopback 0. This traffic does pass through the serial 0/0 interface of R2.
R5:
R5#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM up up
Serial0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 136.1.45.5 YES NVRAM up up
Serial0/1 unassigned YES NVRAM administratively down down
Loopback0 150.1.5.5 YES NVRAM up up
R5#
R5#ping 150.1.2.2 repeat 50 source loopback 0
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 4/12/32 ms
R5#
Back to R2, to see the results of the debug.
R2#RITE: exported input packet # 1
RITE: exported input packet # 2
RITE: exported input packet # 3
RITE: exported input packet # 4
RITE: exported input packet # 5
RITE: exported input packet # 6
RITE: exported input packet # 7
RITE: exported input packet # 8
RITE: exported input packet # 9
RITE: exported input packet # 10
R2#
Now let's look at some of the statistics.
R2#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface Serial0/0
Export Interface FastEthernet0/0
Destination MAC address 0123.4567.89ab
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 10/1000
Packets Dropped 43
Sampling Rate one-in-every 5 packets
Access List FROM-R5 [named extended IP]
Profile R5 is Active
R2#
Out of the 50 pings, 10 of them were exported, because the profile we created samples one in every 5 matching packets. The packets dropped reflect packets that were not exported, including 40 from R5, and 3 other packets that did not match the ACL in the profile.
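To make that breakdown repeatable when you validate an analyzer or IDS feed, here is a small Python check, added as an example and not part of the original lab. It parses the "show ip traffic-export" output above (embedded as a constructed sample) and splits the drop counter for a known test burst; the function names, and the assumption that sampling is applied after the ACL match, are mine.

```python
import re

# Constructed sample: the "show ip traffic-export" output from this post.
SHOW_OUTPUT = """\
Router IP Traffic Export Parameters
Monitored Interface Serial0/0
Export Interface FastEthernet0/0
Destination MAC address 0123.4567.89ab
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 10/1000
Packets Dropped 43
Sampling Rate one-in-every 5 packets
Access List FROM-R5 [named extended IP]
Profile R5 is Active
"""

# Field name -> regex with one capture group; all of these are integers.
COUNTERS = {
    "exported": r"Packets/Bytes Exported\s+(\d+)/\d+",
    "bytes": r"Packets/Bytes Exported\s+\d+/(\d+)",
    "dropped": r"Packets Dropped\s+(\d+)",
    "rate": r"Sampling Rate\s+one-in-every\s+(\d+)",
}

def parse_rite(text):
    """Extract the input-direction counters from 'show ip traffic-export'."""
    stats = {}
    for name, pattern in COUNTERS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found in output: {name}")
        stats[name] = int(match.group(1))
    return stats

def reconcile(stats, sent):
    """Split 'Packets Dropped' for a test of `sent` ACL-matching packets.

    Assumption (consistent with the numbers above): sampling is applied to
    packets that already matched the ACL, so sent // rate should be exported.
    """
    sampled_out = sent - stats["exported"]
    return {
        "export_ok": stats["exported"] == sent // stats["rate"],
        "sampled_out": sampled_out,                    # matched the ACL, never exported
        "acl_miss": stats["dropped"] - sampled_out,    # did not match the ACL
        "seen_by_analyzer": stats["exported"] / sent,  # fraction the IDS receives
    }

if __name__ == "__main__":
    print(reconcile(parse_rite(SHOW_OUTPUT), sent=50))
```

With a one-in-every 5 sample the analyzer receives only 20% of the matching packets, so a profile feeding an IDS that must see every packet should not be sampled.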
Keep up the great studies, and good luck!