[c-nsp] Monitoring Null0 interface
Dan Lockwood
dlockwood at shastacoe.org
Tue Apr 19 19:42:55 EDT 2005
You actually can configure NetFlow to be of use in this scenario.
Configure NetFlow like you normally would on each of your interfaces.
When a packet is caught by an ACL the ifIndex for the next hop is zero.
You can then simply run a report that shows you what matches
ifIndex = 0.
Dan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kim Onnel
Sent: Tuesday, April 19, 2005 7:50 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Monitoring Null0 interface
Hi,
For a mid-sized ISP, on the main internet gateway, we have routes to
Null0 for unused subnets (to be inserted to the routing table -> BGP
table) and other Null0 routes tagged for blackholing.
I managed to set up an MRTG graph for the PPS as suggested by someone on
the list before, to be able to view worms/port scans. The graph shows
constant traffic on the interface; below are the numbers for today:
Max packets 100.1 kpkts/sec   Average packets 89.7 kpkts/sec    Current packets 0.0 pkts/sec
Max packets 73.1 kpkts/sec    Average packets 9805.0 pkts/sec   Current packets 0.0 pkts/sec
Numbers for the whole week:
Max packets 202.0 kpkts/sec   Average packets 90.9 kpkts/sec    Current packets 85.1 kpkts/sec
Max packets 172.6 kpkts/sec   Average packets 11.6 kpkts/sec    Current packets 7466.0 pkts/sec
Ok, so I know there are worms now. This is a 7600 switch; how do I go
next? I can't configure it for NetFlow, for example, to be able to see
such traffic. The only configuration I have on the interface right now
is below:
7600#sh run int null0
!
interface Null0
 no ip unreachables
end
Any ideas?
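
Added example (not part of the original thread): a minimal version of the report described in the reply above, reading NetFlow export datagrams and totalling packets for flows whose output ifIndex is 0. The NetFlow v5 export format, the function names and the sample flows are assumptions made for this illustration.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 layout (assumed export format): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def dropped_flows(datagram):
    """Yield (src, proto, dst_port, packets) for flows whose output ifIndex is 0."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("export truncated")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[4] = output ifIndex, f[5] = packets, f[10] = dst port, f[13] = protocol
        if f[4] == 0:
            yield socket.inet_ntoa(f[0]), f[13], f[10], f[5]

def report(datagrams, top=5):
    """Rank sources and (protocol, dst port) pairs by dropped packet count."""
    by_source, by_service = Counter(), Counter()
    for datagram in datagrams:
        for src, proto, dport, pkts in dropped_flows(datagram):
            by_source[src] += pkts
            by_service[(proto, dport)] += pkts
    return by_source.most_common(top), by_service.most_common(top)

def make_export(flows):
    """Build a v5 datagram from (src, dst, out_ifindex, packets, dst_port) TCP flows."""
    a = socket.inet_aton
    body = b"".join(
        RECORD.pack(a(s), a(d), a("0.0.0.0"), 1, out_if, pkts, pkts * 40,
                    0, 0, 40000, dport, 0, 2, 6, 0, 0, 0, 0, 0, 0)
        for s, d, out_if, pkts, dport in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample (documentation addresses): three dropped flows, one forwarded.
SAMPLE = make_export([
    ("192.0.2.10", "198.51.100.1", 0, 900, 445),
    ("192.0.2.10", "198.51.100.2", 0, 600, 445),
    ("192.0.2.77", "198.51.100.9", 0, 300, 135),
    ("192.0.2.50", "203.0.113.5", 3, 5000, 80),
])
```

Calling report([SAMPLE]) returns the top sources and the top (protocol, destination port) pairs among the dropped flows; the forwarded flow with output ifIndex 3 is excluded.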