Debugging to see traffic? 2

[CorbinMyMan]

I'm somewhat new to the cisco scene, but I can move my way around the IOS command interface. I'm have a question about debuggin: I want to go in and see the traffic coming into and out of the router. Mainly because we use to have a machine outside the network act as an outside dns server, but it is no longer required, but I'm still having traffic (not sure if its incoming or outgoing) looking for that dns servers' ip, even though every thing shouldn't. I realized this when the internet on this network would get really slow, and everytime it did i did a SHOW IP ARP in the console, and it shows the cisco waiting for a reply from the old DNS server's ip address. Here's the SHOW IP ARP results:

Protocol Address Age (min) Hardware Addr Type Interface
Internet x.x.x.209 - mac.address.1 ARPA FastEthernet0/0
Internet x.x.x.211 233 mac.address.2 ARPA FastEthernet0/0
Internet x.x.x.210 0 mac.address.2 ARPA FastEthernet0/0
Internet x.x.x.213 0 Incomplete ARPA

the .213 address is the old DNS server that I shut down because we don't need it anymore.

I just need to setup debugging so I can see where this traffic is coming from, whether it be a workstation inside the network, or an address outside.

I searched for the topic, but i coudln't find anything that monitors traffic.

Thanks guys!!

 

[jneiberger]

Draw out a quick text diagram of your network? I would need to get a better feel for where the traffic is originating, where it's going, and what devices are physically in that path.

 

[CorbinMyMan]

ok ...

T1 Circuit --> Cisco --> Firewall --> NetGear Switch

The T1 Circuit is going into the WIC card of the Cisco.
The FastEthernet Port of the cisco is connected to the Firewalls WAN port.
The Firwall LAN port of course goes to the NetGear Switch.

Is that sufficient enough? Thanks!!

 

[jneiberger]

I think so. Is the errant traffic entering throguh the T1 and going out toward the Firewall? If so, you can apply your access list incoming on the serial interface or outgoing on the fast ethernet interface.

 

[CorbinMyMan]

Yes it has no choice but to go to the firewall i believe...

I'll set it up to apply when outgoing to FE. If that gives me issues i'll do it in coming on SERIAL.

Wish me luck! Thanks!

 

[CorbinMyMan]

Hmm i tried using the access-group command but its unavailable... I went to the config for the interface, and even just back to enable and config mode but nothing... In the interface, the only option is access-expression...

 

[CorbinMyMan]

ahh found it

ip access-group 101 out

 

[CorbinMyMan]

Ok here's where i'm at:

access list is created...and associated to FastEthernet 0/0 out

is that all i have to do?
I'm running debug right now to see if any more packets are trying to get forwarded to .212

will keep you posted! THANKS AGAIN!!

 

[jneiberger]

Keep in mind that you may still see packets incoming to your router when you turn on debugging. However, they will be dropped by the access list and not processed further.

Sorry about the typo on the ip access-group command.

 

[CorbinMyMan]

lol no prob

if i'm correct, i need to save this running-config to the startup-config right?

I think i'm still catching lag from the net, but i'm gonna let it run and see what happens...

any other suggestions would be great

 

[jneiberger]

Yep, you need to save the config or you'll lose your changes if the router reboots.

 

[CorbinMyMan]

Ok i fixed oen problem where our INTERNAL dns server was trying to forward to the OLD outside dns server, after taking that out, the net is faster and better than ever!!!

Thanks agian for everything! this has been quite a learning experience and I'm glad it happened.

 

[Fatty99]

I see you resolved your problem.
Just to add something, if u just wanna know source/destination ip adresses, u could also use ip accounting.

for example
config t
int fa0/0
ip accouting outpackets.

show ip accounting

This will show source + destination ip adresses of outgoing packets on fa0/0 interface.

grtz Fatty

 

[Fatty99]

oops --> correction

it is -->

ip accounting output-packets