-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
RADIUS Interim Update at Call Connect
-
Define Interface Policy-Map AV Pairs AAA
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Configuring Kerberos
-
Lawful Intercept Architecture
-
Table Of Contents
Restrictions for IP Traffic Export
Information About IP Traffic Export
IP Traffic Export Functionality Benefits
IP Traffic Export Profiles Overview
Displaying IP Traffic Export Configuration Data
Configuration Examples for IP Traffic Export
Exporting IP Traffic Configuration: Example
Feature Information for IP Traffic Export
IP Traffic Export
First Published: October 24, 2003Last Updated: Month 25, 2009The IP Traffic Export feature allows users to configure their router to export IP packets that are received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby, easing deployment of protocol analyzers and monitoring devices.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IP Traffic Export" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Restrictions for IP Traffic Export
•
•
•
Restrictions for IP Traffic Export
Platform Restriction
IP traffic export is intended only for software switching platforms; distributed architectures are not supported.
IP Packet Forwarding Performance Impact
When IP traffic export is enabled, a delay is incurred on the outbound interface when packets are captured and transmitted across the interface. Performance delays increase with the increased number of interfaces that are monitored and the increased number of destination hosts.
Exported Traffic Limitation
•
•
Information About IP Traffic Export
The following sections describe how IP traffic is exported:
•
Simplified IDS Deployment
Without the ability to export IP traffic, the Intrusion Detection System (IDS) probe must be inline with the network device to monitor traffic flow. IP traffic export eliminates the probe placement limitation, allowing users to place an IDS probe in any location within their network or direct all exported traffic to a VLAN that is dedicated for network monitoring. Allowing users to choose the optimal location of their IDS probe reduces processing burdens.
Also, because packet processing that was once performed on the network device can now be performed away from the network device, the need to enable IDS with the Cisco IOS software can be elimintaed.
IP Traffic Export Functionality Benefits
Users can configure their router to perform the following tasks:
•
•
•
How to Use IP Traffic Export
This section contains the following procedures:
•
•
Configuring IP Traffic Export
Use this task to configure IP traffic export profiles, which enable IP traffic to be exported on an ingress interface and allow you to specify profile attributes, such as the outgoing interface for exporting traffic.
Note
IP Traffic Export Profiles Overview
All packet export configurations are specified via IP traffic export profiles, which consist of IP-traffic-export-related command-line interfaces (CLIs) that control various attributes for both incoming and outgoing exported IP traffic. You can configure a router with multiple IP traffic export profiles. (Each profile must have a different name.) You can apply different profiles on different interfaces.
The two different IP traffic export profiles are as follows:
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Troubleshooting Tips
Creating an IP Traffic Export Profile
The interface and mac-address commands are required to successfully create a profile. If these commands are not issued, you will receive the following profile incomplete message if the show running config command is issued:
ip traffic-export profile newone! No outgoing interface configured! No destination mac-address configuredApplying an IP Traffic Export Profile to an interface
The following system logging messages should appear immediately after you activate and deactivate a profile from an interface (via the ip traffic-export apply profile command):
•
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.•
%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.If you attempt to apply an incomplete profile to an interface, you will receive the following message:
Router(config-if)# ip traffic-export apply newoneRITE: profile newone has missing outgoing interfaceWhat to Do Next
After you have configured a profile and enabled the profile on an ingress interface, you can monitor IP traffic exporting events and verify your profile configurations. To complete these steps, refer to the following task ""Displaying IP Traffic Export Configuration Data" section."
Displaying IP Traffic Export Configuration Data
This task allows you to verify IP traffic export parameters such as the monitored ingress interface, which is where the IP traffic is exported, and outgoing and incoming IP packet information, such as configured ACLs. You can also use this task to monitor packets that are captured and then transmitted across an interface to a destination host. Use this optional task to help you troubleshoot any problems with your exported IP traffic configurations.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The following sample output from the show ip traffic-export command is for the profile "one." This example is for a single, configured interface. If multiple interfaces are configured, the information shown below is displayed for each interface.
Router# show ip traffic-exportRouter IP Traffic Export Parameters
Monitored Interface FastEthernet0/0
Export Interface FastEthernet0/1
Destination MAC address 0030.7131.abfc
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 0/0
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configuredProfile one is ActiveConfiguration Examples for IP Traffic Export
This section includes the following configuration example:
•
Exporting IP Traffic Configuration: Example
Figure 1 and the following sample output from the show running-config command illustrate how to configure Router 2 to export the incoming traffic from Router 1 to IDS:
Router2# show running-configBuilding configuration...Current configuration :2349 bytes! Last configuration change at 20:35:39 UTC Wed Oct 8 2003! NVRAM config last updated at 20:35:39 UTC Wed Oct 8 2003!version 12.3service timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internalservice udp-small-servers!hostname rite-3745!boot system flash:c3745-js-mz.123-1.8.PI2dno logging consoleenable password lab!no aaa new-modelip subnet-zero!no ip domain lookup!ip cef!ip traffic-export profile my_riteinterface FastEthernet1/0mac-address 6666.6666.3333!interface FastEthernet0/0ip address 10.0.0.94 255.255.255.0duplex autospeed auto!interface FastEthernet0/1ip address 10.1.1.2 255.255.255.0duplex autospeed autoip traffic-export apply my_rite!interface FastEthernet1/0ip address 10.1.3.2 255.255.255.0no ip redirectsno cdp enable!interface FastEthernet1/1ip address 10.1.2.2 255.255.255.0duplex autospeed auto!router ospf 100log-adjacency-changesnetwork 10.1.0.0 0.0.255.255 area 0!ip http serverip classless!snmp-server engineID local 0000000902000004C1C59140snmp-server community public ROsnmp-server enable traps tty!control-plane!dial-peer cor custom!gateway!line con 0exec-timeout 0 0stopbits 1line aux 0line vty 0 4password lablogin!ntp clock-period 17175608ntp server 10.0.0.2!endAdditional References
The following sections provide references related to the IP Traffic Export feature.
Related Documents
Configuring IDS
"Configuring Cisco IOS Firewall Intrusion Detection System" feature module.
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Feature Information for IP Traffic Export
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2003-2009 Cisco Systems, Inc. All rights reserved.
